As some of you know, The Regulation of Investigatory Powers Act 2000 provides a formalised process for authorities (e.g. police) to request information from the likes of telcos and ISPs. It also covers a load of other stuff including interception of communications.
Note: AAISP do not have any equipment connected to our network or in our network to intercept communications under RIPA or other such legislation. I.e. we have no "black boxes". Feel free to ask me on irc if you want to double check.
This process involves the police sending a form, usually by email, to the telco/ISP. The form does have details of a police officer that we can contact to check the form is valid. The whole process is, as I understand it, confidential, and could relate to investigations in progress, so naturally I cannot go in to any details on any RIPA requests we have had.
Being a relatively small ISP and telco we get very few of these. Maybe a couple a year. But we recently had the opportunity to see how the process works from the other side, i.e. as the victim of a crime.
As an ISP we have always suspected the whole thing is a mess of bureaucracy and delay. Most RIPA requests we get are not sensible (and as I say, we get very few). Some are plain wrong, e.g. one recently where it says "Communications provider: Talk Talk" and indeed was asking about a TalkTalk retail IP address, but was emailed to us not TalkTalk!
The requests we have had are either about a phone number or an IP address. I am not sure we have seen one for an IPv6 address yet. For a phone number, we could potentially have billing records for calls to/from the number, but we try not to hold any more than we need for billing and diagnostics, and we have not been required to hold data under The Data Retention (EC Directive) Regulations 2009. So, in general, we rarely have more than just billing name and address details. For an IP, it is much the same as IPs are fixed to one customer and we don't log what web sites people visit, etc. In most cases this is all the police need anyway.
Obviously we always stress that the billing contact may not be the user at the time, and that the installation address may not be the address at which the number or IP was used. We allow L2TP login for all DSL line IPs from anywhere in the world, and people can (and do) run relays, VPNs and TOR nodes.
When it comes to phone numbers we usually find the number is not in use, and often never been allocated. Spoofed CLI is very common in crime, it seems, and the police have a really hard time understanding that you cannot trust a CLI.
Now, when it comes to the other side, just after we were robbed (next day I think), one of the stolen machines did a bit of a phone home, logging in to Dropbox. This was a staff member's Windows machine. The Apple boxes that are supposed to have tracking and so on, not a peep. Sad. This meant we knew a Virgin IP address and told the police right away.
From what we can tell this was an address in Slough where someone "fixes" the machines - presumably wiping and re-installing and so on. An essential process in the resale of stolen goods, I am sure. If the police had gone there right away they may have found the stolen machines there.
Unfortunately it was a much, much slower process. The police officer handling it had to talk to another department about tracing the IP. It was a process that involved some days before they came back asking the time zone. We said UTC. Many more days later they came back with "what do you mean UTC? Is that a time zone?". It was shocking. The time stamp was only to the minute, which caused an issue, even though Virgin IP addresses are sticky enough for that to be one address only. It was very frustrating.
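The two snags above (a missing or misunderstood time zone, and a timestamp given only to the minute) are exactly what an ISP hits when it tries to turn an IP address request into a customer record. As an added illustration, not code from AAISP or from this post, the following Python takes a timestamp as it might appear on a request, pins it to a named zone, converts it to a UTC window of the stated granularity, and then checks that window against a constructed table of address assignments. The zone names, the sample IP (a documentation address) and the lease records are all assumptions made for the example; if more than one customer held the address during the window, the request is reported as ambiguous rather than guessed at.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Constructed sample data: who held which address, and when (UTC).
# In a real ISP this would come from RADIUS/DHCP or a static-allocation table.
LEASES = [
    ("203.0.113.7", "cust-A", "2013-07-01T00:00:00+00:00", "2013-07-10T13:30:30+00:00"),
    ("203.0.113.7", "cust-B", "2013-07-10T13:30:30+00:00", "2013-07-20T00:00:00+00:00"),
    ("203.0.113.9", "cust-C", "2013-06-01T00:00:00+00:00", "2013-08-01T00:00:00+00:00"),
]


def request_window(stamp: str, zone: str, granularity_seconds: int = 60):
    """Turn a request timestamp ("YYYY-MM-DD HH:MM" in the named zone) into the
    UTC interval it actually covers. A time given only to the minute is a
    60-second window, not an instant; the caller must say which zone it is in."""
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
    local = naive.replace(tzinfo=ZoneInfo(zone))
    start = local.astimezone(timezone.utc)
    return start, start + timedelta(seconds=granularity_seconds)


def holders(ip: str, start: datetime, end: datetime, leases=LEASES):
    """Return the customers who held `ip` at any point in [start, end)."""
    found = []
    for lease_ip, customer, lease_start, lease_end in leases:
        if lease_ip != ip:
            continue
        ls = datetime.fromisoformat(lease_start)
        le = datetime.fromisoformat(lease_end)
        # Half-open interval overlap test.
        if ls < end and le > start:
            found.append(customer)
    return found


def resolve(ip: str, stamp: str, zone: str):
    """Resolve a request to a single customer, or explain why it cannot be.
    Returns (status, customers) where status is 'ok', 'ambiguous' or 'none'."""
    start, end = request_window(stamp, zone)
    who = holders(ip, start, end)
    if len(who) == 1:
        return "ok", who
    if not who:
        return "none", who
    return "ambiguous", who


if __name__ == "__main__":
    # 14:30 BST is 13:30 UTC; the minute window straddles a hand-over, so two
    # customers match and the request cannot be answered as asked.
    print(resolve("203.0.113.7", "2013-07-10 14:30", "Europe/London"))
    print(resolve("203.0.113.7", "2013-07-10 12:00", "UTC"))
```

The point of the design is that the zone is a required input rather than something inferred, and that the answer is a list rather than a single name: a request that lands on a hand-over (or that omits the zone and so lands on the wrong hour entirely) comes back as ambiguous, which is the honest reply and the one that prompts the requester to supply a better timestamp.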
I ended up contacting Virgin via my contacts saying "Please can you help this police officer fill out a RIPA form that you can process?". I don't know if that helped or not.
It was weeks before the process finally gave up an address, and an arrest was made, but the kit had all gone.
Whilst I am massively in favour of due process, I am not in favour of broken bureaucracy. I don't know why there is not an internal police web portal where the investigating officer completes details, maybe it is flagged immediately to a superior officer to approve, and then sent electronically to the ISP, with an electronic reply. Large ISPs could even have some digitally signed XML interface to handle the RIPA requests and reply in seconds, but with all the approval process, authentication and paper trail that is needed. If that had existed we would have probably got our stolen stuff back and they may even have been able to catch the actual thieves when they tried to collect the stuff.