#IPBill implications

So, it is Christmas, and my son is having some fun knocking up an on-line game. Occasionally he needs my help but to be honest he is not doing badly with some javascript, mysql back-end, and a few of my tools I knocked up many years ago, and he is learning something about designing the software and making it work.

We knocked up an on-line poker game some years ago whilst on holiday, it can indeed be fun.

One of the first, and essential, features of the game was a simple in-game chat. This is a feature of most games.

There are a couple of other features which are likely to be part of this game or any game in future - one is running the game on a cheap VM (Virtual Machine) from some VM provider which are typically not in the UK. The other is the availability of free https certificates from someone like https://letsencrypt.org. Indeed some VM providers are working with Let's Encrypt to make it simple.

But hang on! The second you make a game like this, with an on-line chat like this, you have just created a secure communications platform with encryption that ends outside the UK.

James is not making permanent logs of the in-game chat. He has no intercept capability or any resources to make one. He has not published any contact details (he does not have to - not taking money, not a company, not trading) so nowhere to send a RIPA request.

The on-line secure chat is simply a side effect of a simple free on-line game a kid has knocked up (OK not so much a kid any more, but this could be done by a kid).

Where does the Draft Investigatory Powers Bill fit in with this?

Who tracks the creation of such things - he is not advertising it - it is for him and some mates to play a game, but it could be used by terrorists. It could be created by terrorists in the first place.

Who ensures that such platforms have intercept capabilities, and data retention of communications data? Who pays for it all?

It is just one more example of how the IP Bill is just broken, and not fit for purpose, even though it seeks to reach way beyond normal privacy and human rights.


  1. I presume their argument would be:
    "if the service is known to be frequented by terrorists then at least the ISPs would have a log of every customer who connected to the service and who else was connected at the same time they were. This would lead to one terrorist leading the authorities to the others in the cell or group."


  2. Is the service processing any personal information (IP addresses, possibly)? If so, one route to contact details might be via his ICO registration?

    1. I don't think the data controller has a way to track an IP address to a person. But he may be asking a name. It is for his personal use. But I did wonder if he may be expected to register. I don't DPA was really ever intended to cover something like this.

    2. Given the current approach to interpreting the "domestic purposes" exception - very narrowly - I suspect that, strictly speaking, it probably does require a registration of personal data are being processed.

      Whether an IP address is personal data is an age-old point, but asking for a name may remove any doubt.

      (Reality check, of course: very low risk!)

    3. ISTR Adrian trying quite hard to argue that an IP address *was* personal data at one time.

      > then at least the ISPs would have a log of
      > every customer who connected to the service

      but this information would be spread over many ISPs, at best. Not impossible to retrieve but it makes the job harder and likely to produce an incomplete picture if VPNs or TOR are used.

  3. Also -- if terrorists *did* create it, how can you ensure that it has intercept capabilities? This part of the law appears to be predicated on the assumption that ultra-evil people who are so evil that you need the ability to spy on them even if there is not enough evidence to arrest are *also* so law-abiding that you can trust them to provide reliable intercept logs of their own evil actions.

    This appears somewhat unlikely to me.


Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.


There are lots of ways to debug stuff, but at the end of the day it is all a bit of a detective story. Looking for clues, testing an hypothe...