Investigatory Powers Bill

Written evidence on the Investigatory Powers Bill to the House of Commons Public Bill Committee submitted by IT-Political Association of Denmark

Introduction

1. IT-Political Association of Denmark (IT-Pol) is a Danish civil society organisation that works to promote privacy and freedom in the information society. [1] The activities of IT-Pol are funded entirely by membership contributions. IT-Pol is regularly consulted by Danish news media and politicians about the technical and privacy aspects of data retention.

2. The proposal for internet connection records (ICRs) in the Investigatory Powers Bill is very similar to the session logging data retention scheme which was used in Denmark from 2007 until 2014 when it was repealed for lack of effectiveness.

3. IT-Pol has previously submitted written evidence on ICRs to the Science and Technology Committee [2] and the Joint Committee on the Draft Investigatory Powers Bill. [3] The chairman of IT-Pol has given oral evidence to the Joint Committee on 6 January 2016. The evidence from IT-Pol on ICRs is cited several times in the report from the Joint Committee on the Draft Investigatory Powers Bill published on 11 February 2016.

4. This written evidence will address two issues related to ICRs: the Home Office comparison of ICRs in the Investigatory Powers Bill with Danish session logging legislation [4] and the recent developments on ICRs (session logging) in Denmark, where plans for new ICR legislation have been put on hold due to concerns about the costs of ICR collection.

Summary of our written evidence

5. The Home Office comparison of ICRs in the Investigatory Powers Bill with the Danish session logging legislation accurately identifies the problems with the previous Danish implementation. However, the Home Office comparison is much less clear in describing what the UK ICR implementation will do differently and why it will work (unlike the Danish implementation, which was abandoned in 2014 after seven years during which the Danish Police had been essentially unable to use the collected data).

6. In January 2016, the Danish government outlined a new ICR proposal which according to the Danish Police and the Danish Ministry of Justice would solve the problems with the previous ICR (session logging) implementation and allow effective use in police investigations.

7. This new proposal was abandoned again on 17 March 2016 (without being formally proposed to the Danish Parliament) due to the economic burden that it would put on the Danish Internet Service Provider (ISP) industry. The Danish Telecom Industry Association has estimated that the initial investment cost of the new ICR proposal would be 1 billion Danish kroner, a number that has subsequently been confirmed by an Ernst & Young report commissioned by the Danish Ministry of Justice.

8. The Home Office budget for ICRs is about 175 million pounds over a 10-year period. Based on the new cost information from Denmark, it seems unlikely that the Home Office budget can cover a sufficiently effective ICR implementation, unless only a (very) small part of the British population is subjected to ICR retention notices.

9. Because of the likely very high costs of ICR collection, the particularly serious interference with the right to privacy of British citizens, and the still unresolved doubts about the effectiveness in police investigations (circumvention is very easy, for example), IT-Pol strongly recommends that ICRs should not be part of the Investigatory Powers Bill.

Session logging in Denmark 2007-2014

10. In December 2012, the Danish Ministry of Justice published an evaluation report about session logging. [5] According to the report, communication data from session logging had only been used in a limited number of cases. The Danish Security and Intelligence Service (PET), which is responsible for domestic counter-terrorism in Denmark, stated in the report that it had only been relevant to request session logging information in a very limited number of investigations by the service.

11. On 2 June 2014, the Danish government decided to repeal session logging. [6] The Ministry of Justice emphasised that session logging was repealed because it had been unable to achieve the stated objective (investigation and prosecution of crime).

12. The Ministry of Justice pointed to the specific implementation of session logging by the internet service providers (ISPs) as the main reason for the failure. These limitations were by and large the result of a technical compromise from 2006 between the Danish Ministry of Justice and the ISP industry which deliberately sought to reduce cost.

Home Office comparison of ICRs with Danish session logging legislation

13. The Danish experience with session logging was raised by several witnesses before the Joint Committee. Recommendation 8 from the Joint Committee asked the Government to publish a full assessment of the differences between the ICR proposal and the Danish system alongside the Bill.

14. The Home Office analysis identifies the two main problems with the Danish ICR implementation. For customers with shared IP addresses through Network Address Translation (NAT), commonly used for internet access on mobile phones, the individual customers could not always be separately identified. The possibility of collecting ICRs through sampling every 500th packet also limited the usefulness.

15. The Home Office also points to the ISP cost recovery as a difference between Denmark and the UK. However, it should be noted that all Danish ISPs have implemented ICRs according to the legal requirements, and some Danish ISPs have even implemented additional data retention voluntarily to address the NAT-related limitations.

16. In paragraph 29 of the Home Office analysis ("Collecting adequate information"), it is mentioned that the Danish legislation did not require the retention of any additional information that could help in identifying the actual internet service being used. It is quite common to host multiple websites on the same IP address, and if only the destination IP address is retained, it is not possible to know which website was accessed.

17. In the Investigatory Powers Bill, an ICR retention notice can include the domain (server) name. However, this will make ICR retention much more costly for the ISPs since Deep Packet Inspection (DPI) techniques will have to be used. The server name is part of the packet content, whereas the IP address is directly available to the ISP in the packet header as it is used for transmitting (routing) the internet packet. [7]
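
An added illustration of paragraphs 16-17 (not part of IT-Pol's evidence): two constructed packets go to the same IP address but name different websites. The destination address is read from a fixed offset in the header, while the server name is only found by parsing the packet content. The addresses, host names and function names are made up for the example, and plain HTTP is assumed for brevity.

```python
import socket
import struct

def build_packet(dst_ip, host):
    """Constructed sample: IPv4 + TCP headers (no options, zero checksums) with an HTTP request."""
    payload = f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton("198.51.100.7"), socket.inet_aton(dst_ip))
    return ip + tcp + payload

def header_view(packet):
    """What routing already uses: the destination address at a fixed header offset."""
    return socket.inet_ntoa(packet[16:20])

def content_view(packet):
    """What a server-name record needs: skip both headers, then parse the payload."""
    ihl = (packet[0] & 0x0F) * 4               # IP header length in bytes
    if packet[9] != 6:                         # protocol field: 6 = TCP
        return None
    tcp_len = (packet[ihl + 12] >> 4) * 4      # TCP header length in bytes
    payload = packet[ihl + tcp_len:]
    for line in payload.split(b"\r\n")[1:]:    # skip the request line
        if not line:
            break                              # blank line ends the HTTP headers
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None                                # opaque or non-HTTP content: no name

def icr_records(packets):
    """Pair the header-only view with the content-derived view for each packet."""
    return [(header_view(p), content_view(p)) for p in packets]

# Constructed sample: one shared hosting address, two different websites.
SAMPLE = [build_packet("203.0.113.10", "clinic.example"),
          build_packet("203.0.113.10", "news.example")]

if __name__ == "__main__":
    for ip, name in icr_records(SAMPLE):
        print(f"header only: {ip:<14} with content parsing: {name}")
```
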

18. The Home Office emphasises that the Investigatory Powers Bill does not specify how ICRs should be implemented, and that the individual ICR retention notices can be tailored to each ISP in close consultation with the ISPs. In this connection, it should be noted that the Danish session logging rules were developed in close consultation between the Danish Ministry of Justice and the Danish ISP industry. From an operational point of view, there are clearly advantages of tailored retention notices. However, there are also disadvantages, in particular that it will be less transparent to British citizens what information is retained through ICRs.

19. In our assessment, the Home Office analysis accurately identifies the limitations of the Danish session logging, as it was used between 2007 and 2014. However, the Home Office is much less clear in explaining what will be done differently with the UK ICR implementation under the Investigatory Powers Bill.

Current status of the new Danish ICR plans in 2016

20. In June 2014, when session logging was repealed, the Danish Ministry of Justice indicated that session logging could be re-introduced in Danish data retention legislation if the technical limitations could be properly addressed.

21. On 29 January 2016, in a pre-consultation meeting, the Danish Ministry of Justice informed the Telecom Industry Association and a number of civil society organisations that there would be a new ICR (session logging) proposal by March 2016, and that the consultation process for this proposal could be expected to start within a couple of weeks.

22. Although the full details of the new ICR proposal were not presented at the meeting, the Ministry of Justice outlined the differences between the new and the previous ICR implementation: ICRs should be collected so that the individual customer can always be identified, ICRs should be recorded as sessions instead of sampling every 500th packet, and ICRs should include the data volume transferred in each session.

23. The new Danish ICR proposal seems to be very close to what the Home Office has presented to the Science and Technology Committee (Commons) as "What is an Internet Connection Record?" in Annex B of the Home Office supplementary written evidence IPB0065 published on 12 January 2016. [8] The server name is not included in the new Danish ICR proposal, so there is no need for DPI (see paragraphs 16-17 above).

24. Based on the material presented at the meeting, the Danish Telecom Industry Association initiated an assessment of the cost for its members of the new proposal. The Ministry of Justice also commissioned a cost assessment report from Ernst & Young.

25. After consulting with its members (which include most ISPs in Denmark), the Danish Telecom Industry Association projects that the new ICR proposal will require an initial investment in data retention equipment of 1 billion Danish kroner (105 million pounds). Denmark has a population of 5.7 million citizens.

26. The projections for the annual operating and depreciation costs have not been published for the entire ISP industry. According to an article in the newspaper Berlingske, Sydenergi/SE, which is the second largest provider of internet access via cable-TV in Denmark, has put its own initial investment at 150-200 million kroner with annual costs for data collection and systems maintenance of 50-60 million kroner. [9]

27. By comparison, the annual cost of the previous Danish ICR implementation between 2007 and 2014 was about 12 million kroner per year (2010 estimate). [10] This means that the total annual cost of ICR collection has increased by a factor of 15-20 in order to develop an ICR implementation which can satisfy the requirements of the Danish Police and the Ministry of Justice.

28. The cost assessment report from Ernst & Young has not been published by the Ministry of Justice, but according to a statement from the Danish Minister of Justice on 17 March 2016, the Ernst & Young report also puts the initial investment cost at 1 billion kroner, thus confirming the assessment by the Danish Telecom Industry Association.

29. On 17 March 2016, the Danish Minister of Justice Søren Pind informed the Legal Affairs Committee of the Danish Parliament that the plans for a new ICR scheme have been put on hold. The reason given for this policy change was the substantial costs of ICR collection and that the economic burden for the Danish telecom industry would be too high. [11]

30. Instead, the Ministry of Justice will start technical consultations with the Danish Telecom Industry Association in order to explore whether a simpler and cheaper ICR implementation can be developed. It is unclear whether such a compromise can be found, as it must be both cheaper and sufficiently distinct from the failed ICR implementation used in Denmark between 2007 and 2014.

Recommendations for the British Parliament

31. The Danish experience with ICR data retention casts serious doubts on whether it is possible to develop an ICR implementation which keeps costs at a reasonable level and, at the same time, is sufficiently effective for law enforcement. The new, very expensive Danish ICR proposal does not even include the server name, and hence does not even require DPI.

32. The Home Office expects that the cost of ICR data retention will be 175 million pounds over a 10-year period. This is unlikely to be sufficient (given the Danish cost projections) unless ICR retention notices are only used for a small part of British internet access services.

33. Therefore, the ICR plans will either be very expensive or have limited coverage. Moreover, the purpose of ICR collection is very easily defeated. Using a VPN connection or the Tor network will effectively hide the final destination of the internet traffic and make the collected ICR data useless from the viewpoint of law enforcement.

34. In many cases, the collected ICR data will be very revealing about sensitive personal information, such as political and religious preferences and health conditions of British citizens. Since retention notices are always secret, British citizens will not know whether their ISP collects this detailed information about their internet traffic. Even if only a relatively minor part of the population is subjected to ICR retention notices (due to cost), the ICR provisions are likely to generate in the minds of all British citizens the feeling that their private lives are the subject of constant surveillance.

35. For these reasons, and in particular the lack of proportionality for ICR data retention, IT-Pol recommends that the Investigatory Powers Bill is amended so that retention notices cannot include internet connection records.

March 2016


[1] Website of IT-Pol Denmark: https://itpol.dk/

[2] Written evidence to the Science and Technology Committee http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/science-and-technology-committee/investigatory-powers-bill-technology-issues/written/25190.html

[3] Written evidence to the Joint Committee on the Investigatory Powers Bill http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/draft-investigatory-powers-bill-committee/draft-investigatory-powers-bill/written/26354.html

[4] Comparison of internet connection records in the Investigatory Powers Bill with Danish Internet Session Logging legislation, United Kingdom Home Office, published 29 February 2016 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/504189/Comparison_of_ICRs_with_Danish_Session_Logging.pdf

[5] The evaluation report about session logging from the Ministry of Justice is available at http://www.ft.dk/samling/20121/almdel/reu/bilag/125/1200765.pdf (in Danish)

[6] Press release: The Ministry of Justice repeals the rules about session logging, 2 June 2014 http://www.justitsministeriet.dk/nyt-og-presse/pressemeddelelser/2014/justitsministeren-oph%C3%A6ver-reglerne-om-sessionslogning (in Danish)

[7] Since packet routing is based solely on IP addresses, the server name is really third party data from the viewpoint of the ISP (using the definition of third party data in paragraph 2.69 of the Draft Code of Practice for Communication Data). According to paragraph 2.71 of the Code of Practice, an ICR retention notice cannot include third party data.

[8] Home Office – written evidence (IPB0065), Annex B, What is an Internet Connection Record? http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/science-and-technology-committee/investigatory-powers-bill-technology-issues/written/26486.pdf

[9] These figures are mentioned in the article "Pind i samråd om massiv overvågning", Berlingske 9 March 2016, http://www.business.dk/digital/pind-i-samraad-om-massiv-overvaagning (in Danish)

[10] Table 4.8 in this report on the financial burden for Danish companies of legislation (AMVAB measurement) http://www.ft.dk/samling/20111/lovforslag/l53/spm/12/svar/855179/1075342.pdf (in Danish)

[11] "Søren Pind om skrottet sessionslogning: Man støver ikke bare en milliard kroner op", DR Nyheder, 17 March 2016 http://www.dr.dk/nyheder/politik/soeren-pind-om-skrottet-sessionslogning-man-stoever-ikke-bare-en-milliard-kroner-op (in Danish). Some media reports in Denmark have put the ICR cost at 1 billion kroner per year, but this seems to be a mistake, as the number refers to the initial investment.

 

Prepared 24th March 2016