On 23/12/2013 17:24, Bobby Brewster wrote:
> Hello,
> 
> I have read the "DIRECTIVE 2006/24/EC OF THE EUROPEAN PARLIAMENT AND OF THE 
> COUNCIL
> of 15 March 2006 on the retention of data generated or processed in 
> connection with the provision of publicly
> available electronic communications services or of public communications 
> networks and amending
> Directive 2002/58/EC" 
> (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF)
>  and have a few questions.
> 
> I want to focus on the way that the implementation occurs.  I realise that 
> everyone is talking about the proposed Communications Data Bill and DPI but I 
> first wished to look at what the current situation is rather than what will 
> hopefully not happen.  

IANAL, but I have concerns over the UK implementation of this.
http://www.legislation.gov.uk/uksi/2009/859/contents/made

As an ISP, as per 10.(1): These Regulations do not apply to a public
communications provider unless the provider is given a notice in writing
by the Secretary of State in accordance with this regulation.

We are not retaining data under the DPA at present as we have not
received a notice.

> One:
> 
> Let's say that I visit www.yahoo.com.  Then I visit mail.yahoo.com.  Then 
> dating.yahoo.com.
> 
> What information is retained?  Is it yahoo.com or the subdomain (e.g. mail) 
> and the domain (yahoo.com)?
> 
> What if I visit www.yahoo.com/name_of_page.html.  Am I right that only 
> www.yahoo.com or yahoo.com is recorded?

My understanding is that as an ISP we would not log any of this as we
don't process the URL. This would be data logged on the web server
itself, and typically a web server logs the whole URL. The regs talk of
logging internet access, and email, not URLs.

This may be different if the ISP operated a proxy I suppose.

Does anyone know for sure? To log URLs, as a simple packet passing ISP,
we would have to do deep packet inspection.

Section 3: These Regulations apply to communications data if, or to the
extent that, the data are generated or processed in the United Kingdom
by public communications providers in the process of supplying the
communications services concerned.

We don't generate or process the URL at all - indeed, our routers do not
even load the URL into the processor cache, we just look at the
headers for IP routing.

So I think that means we do not have to log URLs at all.

> Two:
> 
> What about the retention of e-mail metadata (from, to, subject, time, IP 
> address)? If I go to mail.yahoo.com and send or receive an e-mail then I 
> bypass POP, IMAP, and SMTP as I am using HTTP(S). How can e-mail metadata be 
> retained if one is not using a client like Thunderbird or Outlook?  It 
> appears to me that e-mail metadata retention can be defeated by using 
> webmail. 

Again, this would, AFAIK, only apply where we operate a mail server.
Anyone that uses SMTP/IMAP/POP3/etc traversing our network would not be
logged by us. Especially as those services can routinely be accessed
encrypted.

The requirements are in the schedule
http://www.legislation.gov.uk/uksi/2009/859/schedule/made

But I would argue, for example, that an email address is not a "User
ID", as we have email addresses for multiple users (group mailboxes),
and multiple email addresses for a user, and email addresses that are
not even valid. There is no actual requirement saying "log the email
address" that I can see, just "User ID" which is defined: “user ID”
means a unique identifier allocated to persons when they subscribe to or
register with an internet access service or internet communications service.

It does however ask for logging of the name and address associated with
the IP address, but that only applies if we process/generate that data.
At present we would have that, but we can easily set up email as a
separate service (as a separate company) where we don't know the
name/address for the IP, if ever asked to log data. Ironically I cannot
see a requirement to actually log the IP, just the name and address
associated with it - so if required to log, we would not log the IP.

No requirement to log subject lines, size of email, etc.

Also, I would agree, using yahoo, gmail, etc, should bypass any logging
requirement at the ISP. We would certainly not log anything as (like
URLs) we do not look at that part of the packet.

> Third:
> 
> How do ISPs record the metadata?  For example, if I visit www.yahoo.com I 
> would assume that, since this request goes via my ISP, that they record it. I 
> don't suppose retention is done via DNS requests since, in many cases, one 
> can use a third-party DNS provider e.g. Google.

No requirement to log DNS as far as I can see.

> Fourth:
> 
> How does the retention process work with non-ISPs?  For example, universities 
> provide Internet access but they are not commercial ISPs although individuals 
> are identified with a username and password.  The British Library provides 
> free internet access.  So does Starbucks.  I can understand that coffee shops 
> - even those that are part of massive chains like Starbucks - are clearly not 
> ISPs, but what about university networks (to take one example).  If data 
> retention only applies to ISPs then it strikes me that there are numerous 
> ways to avoid it whether deliberately (going to Cafe Nero to browse the web) 
> or as part of one's normal work day (using university network where you work 
> or study).

Only public providers are required to log anyway, and then subject to
10(1) above. AFAIK a uni is not considered a public provider, as
confirmed by ICO who consider email addresses not afforded protection of
the PECR because they are not a public provider!

I was wondering if I could make a "January Internet Ltd" which only
offered services to persons born in January or companies registered in
January. That means an arbitrary member of the public prepared to pay
and agree terms could not take our service, they would have to meet the
"January" requirement. Would "January Internet Ltd" be considered a
"public provider"? If not, that would be a good way around it.

Obviously 11 other very similar companies would exist and buy access /
etc from the same wholesale provider.

Comments?


-- 
Director, Andrews & Arnold Ltd
www.aa.net.uk
