EXCL: Wall of silence surrounds plan for nationwide collection of citizens’ internet records
Online notice reveals controversial trials are to be expanded into a national service – about which government, law enforcement, watchdogs and all the UK’s major ISPs declined to answer questions from PublicTechnology
The government plans to create a national service through which authorities can search for and obtain citizens’ internet connection records from communications firms.
The rollout of the nationwide platform follows trials that came to light last year and involved two – unnamed – internet service providers.
There has been no announcement from the government or other public authority of the decision to expand these explorations into a full national programme – one which could allow law enforcement agencies to access information on all websites visited by any individual in the UK.
The creation of a nationwide platform was, rather, revealed in a recently published online procurement notice, inviting bids from tech firms to provide support with the migration of IT systems – as well as the development of a tool allowing authorities to search for information and filter results.
After discovering the notice, PublicTechnology contacted the Home Office and the National Crime Agency – the organisations which jointly conducted the earlier trials – as well as the watchdog responsible for overseeing communications surveillance. We also contacted the UK’s 16 leading broadband providers and mobile network operators, and the primary trade industry body for ISPs.
“Following the completion of some initial trial activities, work is now underway to provision a national ICR service. As part of this national service, a central filtering arrangement and results platform is required.”
Home Office procurement specification
None of these organisations answered any of our questions or provided any comment or additional information on what the service will entail, their organisation’s role or participation in its operation, whether police will need a court order to search databases of internet connection records (ICRs), or the implications for citizens’ privacy and data security.
Barring an initial phone call to the Home Office, all further calls and emails to the department, the NCA and the Investigatory Powers Commissioner’s Office – a statutory body whose role is to “oversee the use of covert investigatory powers by… public authorities” – went unanswered.
On the issue of how and which telecoms firms will support the service, and how customer data might be provided to authorities, trade body the Internet Service Providers Association declined to comment, as did Tesco Mobile and Glide, a specialist broadband provider for students, while Hyperoptic indicated it was looking into our enquiry.
We received no response from: BT; Sky; Virgin Media; TalkTalk; Vodafone; Shell Energy; Zen; KCOM; Plusnet; EE; Three; O2; and Giffgaff.
The procurement document does provide some details of the technical specifications of the national ICR service, and how law-enforcement agencies will be able to use it.
It notes that the provisions of the 2016 Investigatory Powers Act – often referred to by critics as the Snoopers’ Charter – have made it “possible for the law-enforcement agency community to lawfully obtain internet connection records in support of their investigations”.
While an internet connection record does not constitute a full browsing history, it contains information on all websites visited or apps accessed by a user, as well as details of the device used and the time of the visit – although it lacks the detail of what individual pages were visited. Customer account information with the telecoms provider in question is also embedded in the records, as is the user’s IP address.
Since the introduction of the Investigatory Powers Act, communications firms can be compelled to keep this data for a year – although this requires an order approved by one of the UK’s judicial commissioners.
Length of time for which ISPs can be compelled to retain customer ICR data
‘End of 2022’: Date by which Home Office hopes to have a tool allowing search of ICR data ready for private beta testing
Number of ISPs and mobile operators that were contacted for this story – and also the number that declined to comment
Amount budgeted for the development of a tool for filtering results and the migration of systems into an AWS environment
30 December 2016: Date on which the Investigatory Powers Act – nicknamed the Snoopers’ Charter – came into effect
Previous documents filed by the IPCO reveal that the first two such approvals were granted in 2019 – seemingly in order to pave the way for the trial of the ICR service. The telecoms firms that were subject to the orders were not named in the filings.
The national service to allow law enforcement to access ICR information across a broader range of providers is being overseen by the National Communications Data Service, a little-publicised unit that sits within the Home Office’s counter-terror operations and whose remit – as described in another procurement notice – is “providing the nominated representatives of law enforcement agencies and wider public authorities with access to retained communications data in accordance with legislation”.
In its recent tender for a tech supplier, the NCDS revealed that the trials of an ICR service last year included the creation of a “filtering arrangement and results platform that… will be the basis for at least part of the national service, and work is in progress to determine exactly which elements from the trial will be used and how; we expect this analysis to conclude imminently”.
“To ensure maximum reuse of the trial capabilities, work to evaluate which elements can be migrated to NCDS and which elements need to be rebuilt is ongoing,” it added.
Once this evaluation has concluded, work will commence on building out the filtering tool which, once complete, will be migrated into datacentre storage provided to NCDS by Amazon Web Services.
“We are working in line with the expectation that a private beta version of the filtering arrangement and results platform capability will be available for use against telecom operator data by the end of 2022,” it added.
Requests and access
Once the full ICR service is live, the aim of the NCDS is to provide law-enforcement agencies with a digital platform that offers the “ability to request ICR data… [and] access to ICR data, so that I can use it to support criminal investigations and identify where I may need to send requests for other data on other systems”.
Suppliers interested in bidding to provide an eight-strong “technical migration” team to support the unit’s work have until midnight today to do so, with the Home Office hoping to sign a contract with the winning bidder by 6 July.
The chosen firm is expected to be appointed to fulfil an initial six-month statement of work, but the department may choose to extend its contract with the company for a further 18 months beyond that. A budget of up to £2m has been allotted for the work that will take place during that time.
At time of writing, 15 firms have begun submitting a bid, with five potential providers – all of which are SMEs – having completed the process.
“Law enforcement agencies need access to ICR data, so that they can use it to support criminal investigations and identify where I may need to send requests for other data on other systems”
Home Office procurement specification
Supplier staff will require security check (SC) clearance before joining an existing project team comprised of both civil servants and contractors.
“Given current timescales for receiving clearance, please consider proposing individuals with existing SC wherever possible,” the contract notice said. “Please note, if individuals do not possess Home Office SC, they will have to go through a confirmation of clearance process before they can start work.”
In a factsheet published ahead of the introduction of the Investigatory Powers Act, the government claimed that “ICRs are vital to law enforcement investigations in a number of ways”.
Specified use cases for ICR data included “to assist in identifying who has sent a known communication online”, “to establish what services a known suspect or victim has used to communicate online”, “to establish whether a known suspect has been involved in online criminality,” and “to identify services a suspect has accessed which could help in an investigation”.
“There is no current requirement in law for CSPs to keep ICRs and this information may therefore be unavailable to law enforcement agencies, meaning that often they can only paint a fragmented intelligence picture of a known suspect,” the document added.
“Communication service providers can [now] be required to keep ICRs for a maximum period of 12 months. This will be invaluable to law enforcement for the prevention and detection of crime and protecting national security.”