Confirmed (albeit temporary) expansion in data retention powers to add new cyber-clue pieces to identity-profile ‘jigsaws’
The Counter-Terrorism and Security Act 2015 was enacted on 12 February 2015, following agreement by both Houses of Parliament on the text of the Bill (discussed on this blog here and here).
The Act contains a number of tough powers to strengthen counter-terrorism capabilities in the UK, including provisions to enable improved monitoring and detection of terrorists. One such new provision can be found in section 21 (Part 3) of the Act on data retention, which aims to enhance the ability of governmental agencies to identify devices responsible for sending a communication using the Internet, or accessing an internet communications service.
Section 21 amends section 2(1) of the Data Retention and Investigatory Powers Act 2014 (DRIPA), which includes definitions relating to the retention of relevant communications data under that Act. (In general, communications data, in the context of telecoms services and systems, is everything to do with a communication except its content – see the definition of “communications” in section 81 of the Regulation of Investigatory Powers Act 2000 (RIPA).)
Section 21 expands the types of communications data that public telecoms operators must retain under a notice served on them by the Secretary of State. It provides that, in addition to the existing communications data requirement under DRIPA, operators would have to retain an additional category of “relevant communications data”. This additional category – termed “relevant internet data” – is defined as data which:
- “relates to an internet access service or an internet communications service” – these include mobile internet and services such as instant messaging, email and telephony that take place via the Internet; and that
- “may be used to identify, or assist in identifying, which internet protocol address, or other identifier, belongs to the sender or recipient of a communication (whether or not a person)”.
In other words, it encompasses data that will allow relevant authorities to link (i.e. reliably attribute) the unique attributes of an Internet Protocol (IP) address to the device (and, potentially, the person using that device) at any given time.
The underlying challenge for law and intelligence communities is the fact that an IP address, which is automatically allocated by a network provider to a customer’s internet connection, can often be shared by hundreds of people at once. In order to resolve an IP address to an individual and establish the originator of a particular communication with greater precision, other “identifiers” are often required. Identifier is defined under the new Act (s.21(4)) as any “identifier used to facilitate the transmission of a communication”. In light of this broad definition, it could include the type, method or pattern of a communication – such as port numbers (the protocol used to send an email). The retention of data about the MAC (media access control) addresses of devices may also be required, as well as the time or duration of a communication, the telecoms system used or its location.
There are some exclusions, as section 21 (c) specifically excludes the retention of data that explicitly identifies the internet communications service or website URLs a user of the service has accessed. For more discussion on the scope of what might be included under the term “identifier” in practice, and its implications, see Sophie’s post here.
Finally, the Act provides that these provisions are to be repealed on 31 December 2016 as anticipated (and previously promised by the government).
Alison Knight