Someone has asked me today to be careful what I promise customers, and he is right to be cautious, so I thought I would explain what we can and cannot do as an ISP.
For a start, private communications will always be possible. There are ways to send messages that nobody else can read - such systems exist, and can even be done using pen and paper.
But what if even that is made illegal, and nobody can even send encrypted data - well, there are systems called steganography where the "noise" in something like an image or video is used to carry an encrypted message, and there is no way to prove that there is a message. There are even "plausible deniability" systems where you can provide a key to produce the innocent message that was encoded, and again there is no way to prove that there was another message hidden.
So, in short, normal people, and criminals, and terrorists, will always be able to communicate privately. That is a fact of life and mathematics. This also makes all of this surveillance crap a bit pointless.
But what about the Draft IP Bill? At this stage it is a tad hard to say for sure - as the exact details of what the "Internet Connection Records" will be are unclear. Here I am talking about the mass surveillance by ISPs part of the bill - there are also the mass surveillance by GCHQ, etc, and targeted surveillance parts. However, at this stage encryption is not actually banned.
Up to now the logs could be from email servers, telephony, text, but not a lot else. Now they could be more - including logs from web sites, and maybe even logs from DNS servers. What is not clear is if an ISP would be required to deep packet inspect data as it passes and make logs of activity where no server of the ISP is involved. We hope not, not least because that is hard and expensive.
However, the good news is encryption is not banned as such - what is clear is that you have to be doing the encryption yourself! If you rely on any third party to do it, perhaps even Apple, then the bill (as it stands now) could expect the third party to break or undo the encryption they are offering. There are apps for some phones, and of course a whole load of packages for PCs of all sorts based on PGP which allow end to end encryption which you do control yourself. Bear in mind that the bill would allow hacking of your computer though, so make sure you have good firewalls and trust nobody, as anyone could be conscripted to get your data and do so secretly. My guess is that the safest O/S for this will be Linux as there is no provider that can be ordered to put in back doors or break it "legitimately" and as such the hacks would have to be via vulnerabilities.
But back to what we can do as an ISP.
Let's be clear here - we do expect people to abide by the law - but also, it is none of our business what you do with your Internet connection. We are not your mum, or the police, and though we are not trying to actively impede them in any way, we just want to get on and do our job and that is all. We value your privacy and see no reason to compromise that unless someone comes along with a proper targeted warrant backed by a proper judicial process.
Obviously, with a suitable order, we can disclose subscriber details for an IP address, but we always stress that this does not identify a person or user, or even that the source of any IP traffic is in the premises and not spoofed, relayed, Tor, or the result of a virus, just in case the police officer in question is not aware of that! Indeed, a request for "user" details is always rejected saying we have no details of "users" - they have to resubmit asking for "subscriber" details to make this point really clear.
As for RIPA requests we have had? We have had a couple to find subscriber details of an IP, one of which was plainly a waste of everyone's time and not in any way criminal and just showed how stupid the whole process was. We have had a few for phone numbers to identify the subscriber, but pretty much all of these are spoofed CLI, so one of our numbers but not in use, or numbers that are not even ours, or numbers used by another telco from our blocks. It seems our customers are pretty good at not being targets of RIPA requests, and we'd like to keep it that way.
You can tell we are not keen on the mass surveillance aspects. So we want to find ways of avoiding them.
The biggest thing is that we have never been subject to a retention order, so no legal requirement to retain anything routinely for all customers. We also don't have any government "black boxes" to allow covert monitoring of anything in our network. Thankfully we are too small.
We do provide itemised phone bills, and those hang around - we are not sure of a tidy way to not keep them as they are needed if there is any billing dispute. One thought was to send digitally signed call records on the bill, and then delete them - that way, if there is a dispute, you have to provide the call records, but we can validate that they are genuinely from us and unchanged. That may be a way forward for call records.
We do have logs for things like email, but they are for diagnostics and support, and not kept for long. We don't log DNS. We'd like to not have any logs for any significant time other than necessary to help support technical issues.
What if we get a retention order? That is tricky. Assuming for a moment it does not mean deep packet inspection and creating new logs for Internet Connection Records, what of DNS logs, email logs, and the like? Well, we could move the key services we offer off-shore. Most things, like an email server or even a voice server, do not have to be in the UK to work. If done right, we could move all things that need logging to a jurisdiction that does not require logging. It would be tricky - we'd have to set things up as hands-off as possible, but these are services we could be paying a foreign company to run for us. We did wonder what the rules are for the Isle of Man, for example, or maybe we keep it in the EU. We could even have the third party send digitally signed call records to our customer directly so we never have them, just sending us the totals for billing purposes.
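As an added worked example (not code from the original post), here is the signed call record scheme from the itemised bills paragraph and the off-shore variant just above: whoever runs the voice service signs each call record, hands the signed records to the customer and keeps nothing, so that in a dispute the customer presents the records and the ISP can check they are genuine and unchanged. It uses an HMAC tag under a key held only by the ISP in place of a public-key signature so it runs with Python's standard library alone; the key, the record fields and the call data are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed ISP-held signing key (assumption: in practice it would live in an HSM/KMS).
ISP_KEY = b"constructed-demo-key-not-for-production"


def canonical(record: dict) -> bytes:
    # Stable serialisation so the same record always yields the same bytes to tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, key: bytes = ISP_KEY) -> dict:
    """Return a copy of the call record carrying an authentication tag."""
    signed = dict(record)
    signed["tag"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return signed


def verify_record(signed: dict, key: bytes = ISP_KEY) -> bool:
    """True only if the tag matches the record exactly as issued under this key."""
    tag = signed.get("tag")
    if not isinstance(tag, str):
        return False
    body = {k: v for k, v in signed.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison so a mismatch leaks nothing about the expected tag.
    return hmac.compare_digest(expected.encode(), tag.encode())


def issue_bill(records: list) -> list:
    """Sign each record individually so a customer can present just a subset."""
    return [sign_record(r) for r in records]


def check_dispute(presented: list) -> dict:
    """Dispute handling: count only untampered records and total their charges."""
    genuine = [r for r in presented if verify_record(r)]
    return {"genuine": len(genuine), "rejected": len(presented) - len(genuine),
            "pence": sum(r["pence"] for r in genuine)}


# Constructed sample call records for one bill period (fictional numbers).
SAMPLE_CALLS = [
    {"bill": "2015-11", "line": "01632 960001", "to": "020 7946 0001",
     "start": "2015-11-05T10:02:11Z", "secs": 312, "pence": 0},
    {"bill": "2015-11", "line": "01632 960001", "to": "020 7946 0002",
     "start": "2015-11-06T14:40:03Z", "secs": 58, "pence": 7},
]
```

Once the signed records are handed over, the ISP can discard its copy; a record with an edited duration, a missing tag or a tag made under another key fails verification.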
The irony here is that at present, within a short time, a RIPA request could get some data out of us, especially itemised phone bills. But force us to record all data for a year and it may be that we have zero data to report. Whilst this will stop any fishing expeditions, or automated collection and collation of records on the public, it will impede some legitimate investigations - so maybe it is better to keep us on-side here and helpful rather than forcing our hand?
That said, you don't know what the law will end up doing, and it could be that we are expected to record data from deep packet inspection, or worse, that BT wholesale and TT wholesale are forced to. If that happens, then there is little we can do except repeat the tips on encryption, end to end, and in your own control.
We hope we don't ever get a retention order, and one aspect of the bill is that we can challenge it. The gagging order part is going to be tricky as it could try to force us to commit fraud, and that may be a stumbling block. I doubt the government want warrant canaries tested in UK law, so I would hope that alone means they avoid giving us an order ever. If they were tested and deemed valid, that could undermine gagging orders in many laws.
So, good luck to all in preserving your basic human right to privacy. We'll try and do our part on that.