IP Bill yesterday.
It was interesting, and I was not at all nervous. I think the number of live TV interviews I have done, where I have random questions fired at me, have helped a lot. Being politics I actually had a list of likely questions in advance, which helped me rehearse some answers.
In fact, most of the answers were much more on-the-spot than my prepared notes.
I was lucky to be on with only one person, James Blessing, who is very clued up. I am not sure which of us is more guilty of talking for too long when answering a question. I think we both did very well and I hope we helped the committee understand the issues.
[Somewhat edited from this point]
"Internet Connection Record" is not a defined thing - in the bill or in industry!
One thing that was a concern, and predicted by one of the ISPs at our Home Office meeting, was that one of the members (David Hanson MP) was adamant that an "Internet Connection Record" was "defined in the bill". He referred to page 25 and asked us to work out costs based on that definition. Page 25 is in the "explanatory notes" and not the bill, and itself is massively unclear. It basically says "It is a record of the services that they have connected to".
To try and explain this a little more, as I plan to tweet to David Hanson MP and ask him to take a look here if he can. I fully understand that to someone not technical, saying "It is a record of the services that they have connected to" seems reasonably clear. Sadly it really is not, and if you look at the actual wording of the bill, and not just the explanatory notes, it is less clear still.
Unlike a telephone call, or even just sending an email, even the definition of the term "connected" is complicated, as is defining the term "service". Actually what happens is packets of data are sent between devices, and as an ISP we send those packets on towards their destination. We don't "see" any sort of "connection" or "service", all was see is "packets".
One possible meaning could be that we log the destination IP address of each packet. Sadly this is not either easy or cheap as there are literally billions of such packets whizzing through our network every minute, and we are a small ISP.
There is a protocol for a type of "connection" used in the Internet, called TCP. This is only one of many types of connection that can be made but is the most common. So the meaning could be to log each such logical connection. This would mean making something of a jigsaw puzzle of the meta data (the destination and source addresses) in each of those billions of packets as they pass and tracking millions of simultaneous logical "connections" that are happening at any one time, then logging these. Again, this is neither easy nor cheap, and even more work than above. There are also many types of "connection" - an "Internet phone call" using a protocol calls SIP does not normally even use TCP but a "connectionless" protocol called UDP, so somehow that would need to be tracked and logged too.
Of course, it could be that what is meant is we must log is more a matter of logging each "web page" accessed with the name of the web site, and similarly for other "services". Indeed, some comments made by the Secretary of State suggested this may be what was meant. This means not only the jigsaw puzzle to construct those TCP connections, but actually looking in to the data that passes on those connections, connecting the data from many packets together, and looking for a part of the information sent called a Host: header. This is yet more complexity and work and cost. Again, web pages are just one type of communication that uses a "connection". There are many other types of "connection" that could be made, and new types will come along every day or even every few hours as new applications are developed and new innovations made. Each of these is not published - we know how "web pages" work because they follow a published standard, but mobile phone apps do not have to follow any such standard, they do not even have to use TCP to communicate. So we'd have to constantly research each and every new application and protocol that people invent anywhere in the world, work out what part of that data counts as "Relevant Communications Data" and record it in some format that the police know to ask for and understand. We would not have the help of the developers in this. Indeed, we'd have to buy and test every app ever published and reverse engineer it to work out what to log. That would be a huge on-going undertaking at huge cost, made massively worse by the fact that each ISP is on their own not allowed to tell anyone else what they are doing with data retention.
So the meaning of recording "what services you connect to" is really very very unclear, and the cost involved in making such logs is not something one can sensibly estimate without actual details.
I am considering another written submission to basically explain how this all works and the issues.