The government plans to create a national service through which authorities can search for and obtain the internet connection records of citizens of communications companies.
The launch of the nationwide platform follows tests that appeared last year and involved two – unnamed – internet providers.
There has been no announcement from the government or any other public authority of the decision to expand this research into a full national program – one that could allow law enforcement agencies to access information on all websites visited by any individual in the UK.
The creation of a nationwide platform was, rather, revealed in a recently published online purchase notice, inviting bids from tech firms to provide support with the migration of IT systems – as well as the development of a tool allowing authorities to search and filter information. result.
After discovery of the notice, CSW sister title Public Technology contacted the Home Office and the National Criminal Agency – the organizations that jointly conducted the earlier attempts – as well as the watchdog responsible for monitoring communications surveillance. It has also contacted the UK’s 16 leading broadband providers and mobile network operators, and the primary business industry body for ISPs.
None of these organizations answered any of our questions or provided any comments or additional information as to what the service would entail, the role of their organization, or their involvement in the operation, whether the police would require a court order to search Internet Connection Archives (ICR) databases. , or the implications for the privacy and data security of citizens.
“After the completion of some initial testing activities, work is now underway to provide a national ICR service. As part of this national service, a central filtering arrangement and results platform is needed” – Home Office procurement specification
In addition to an initial phone call to the Home Office, all further calls and emails to the department, the NCA and the Office of the Commissioner of Investigative Powers – a legal body whose role is to “monitor the use of secret investigative powers by … public authorities” – iris. unanswered.
On the subject of how and which telecommunications companies will support the service, and how customer data could be provided to authorities, a business body the Internet Service Providers Association declined to comment on, as did Tesco Mobile and Glide, a specialist broadband provider for students, while Hyperoptic indicated that it is investigating our survey.
We received no response from BT, Sky, Virgin Media, TalkTalk, Vodafone, Shell Energy, Zen, KCOM, Plusnet, EE, Three, O2 or Giffgaff.
The purchase document does provide some details on the technical specifications of the national ICR service, and how police agencies will be able to use it.
It notes that the provisions of the 2016 Investigatory Powers Act – often referred to by critics as the Snoopers Charter – made it “possible for the police agency community to legally obtain internet connection records in support of its investigations”.
While an internet connection record is not a full browsing history, it contains information about all websites visited or apps accessed by a user, as well as details of the device used and the time of the visit – although it lacks the details of which individual. pages were visited. Customer account information with the relevant telecommunications is also entered in the logs, as well as the user’s IP address.
Since the introduction of the Investigatory Powers Act, communications companies may be required to retain this data for one year – although this requires an order approved by one of the UK’s legal commissioners.
Duration for which ISPs may be required to retain customer ICR data
“End of 2022”
Date before which Home Office hopes to have tool to search ICR data ready for private beta testing
Number of ISPs and mobile phone operators who were contacted for this story – as well as the number who declined to comment
£ 2 million
Amount budgeted for the development of a tool for filtering results and the migration of systems into the AWS environment
December 30, 2016
Date on which the Inquiry Powers Act – nicknamed the Snoopers’ Charter – came into effect
Previous documents submitted by the IPCO reveal that the first two such approvals were given in 2019 – apparently to pave the way for the ICR service’s trial. The telecommunications companies that were subject to the orders were not named in the filings.
The national service to allow police to access ICR information through a wider range of providers is controlled by the National Communications Data Service, a low-profile unit that sits within the counter-terrorism operations of the Home Office and whose task – as described in another . purchase notice – “provides the appointed representatives of police agencies and wider public authorities with access to retained communication data in accordance with legislation”.
In its recent bid for a technical provider, the NCDS revealed that the tests of ICR service last year included the creation of a “filtering layout and results platform, which … will be the basis for at least part of the national service, and work is. progress to determine exactly which elements of the test will be used and how; we expect this analysis to be completed soon. ”
“To ensure maximum reuse of the testing capabilities, work to assess which elements may be migrated to NCDS and which elements need to be rebuilt last,” it added.
Once such an assessment is completed, work will begin on building the filtering tool which, once complete, will be migrated to data center storage provided to NCDS by Amazon Web Services.
“We are working in line with the expectation that a private beta version of the filter setup and the capabilities of the results platform will be available for use against data from telecom operators by the end of 2022,” it added.
Requests and access
Once the full ICR service is live, the goal of the NCDS is to provide police agencies with a digital platform that offers the “ability to request ICR data … [and] access to ICR data so that I can use it to support criminal investigations and identify where I may need to send requests for other data on other systems. “
Suppliers interested in bidding to provide an eight-strong “technical migration” team to support the unit’s work have until midnight today to do so, and the Home Office hopes to sign a contract with the winning bidder by July 6th.
The selected company is expected to be appointed to fulfill an initial six-month work statement, but the department may choose to extend its contract with the company for a further 18 months thereafter. A budget of up to £ 2 million has been allocated for the work that will take place during that time.
At the time of writing, 15 companies have started bidding, with five potential suppliers – all of them SMEs – having completed the process.
“Police agencies need access to ICR data so that they can use it to support criminal investigations and identify where I may need to send requests for other data on other systems.” Home Office procurement specification
Provider personnel will require a security audit (SC) permit before joining an existing project team consisting of both civil servants and contractors.
“Considering the current time scales for obtaining permission, please consider proposing individuals with an existing SC whenever possible,” the contract notice said. “Please note that if individuals do not own a SC Home Office, they will have to go through a confirmation of dismissal before they can begin work.”
In a fact sheet on what was published before the introduction of the Investigative Powers Act, the government stated that “ICRs are essential for police investigations in a number of ways”.
Specified use cases for ICR data included “to assist in identifying who sent a known communication online,” “to establish what services a known suspect or victim used to communicate online,” “to establish whether a known suspect was involved in an online crime,” and ” identify services that a suspect has accessed that could assist in an investigation “.
“There is no current legal requirement for CSPs to maintain ICRs and this information may therefore be inaccessible to law enforcement agencies, meaning that often they can only paint a fragmentary spy image of a known suspect,” the document added.
“Communication service providers can [now] may be required to maintain ICRs for a maximum period of 12 months. This will be invaluable to the police in preventing and detecting crime and protecting national security. “
Sam Trendall is the editor of CSW PublicTechnology’s sister title, where this story first appeared