Thank you for these answers. I found them informative and have read the UK interpretation of the EU legislation (http://www.legislation.gov.uk/uksi/2009/859/contents/made).
It is not at all clear to me how useful the current retention policy can be to the British government and its various organs. If it is not obligatory for ISPs to record URLs nor e-mail headers (to, from, subject) then it's hard for me to see what the benefits are. If my ISP (assuming it is one of the 90% that has been ordered to retain records) knows that on Tuesday 24 December at 19:05 I connected to IP 11.22.33.44 then what is the big deal (unless that IP on its own represents something suspicious / nasty / illegal)? How many VPS' have their own unique IP these days anyway? If I e-mail my friend Billy to chat about the naughty website I've just seen then whether our correspondence occurs by webmail or SMTP doesn't seem to matter as the header information is apparently not retained (and "user ID" does not mean e-mail address). I'm not sure how Paragraph 12 (2) can be adhered to as it states that in terms of the detination of a communication, "In the case of internet e-mail or internet telephony, the name and address of the subscriber or registered user and the user ID of the intended recipient of the communication." How would they known the user ID of the recipient if user ID is not the same as e-mail address? The other issue is whether ISPs record URLs and/or SMTP/POP/IMAP for their own purposes rather than because they are ordered to do so. Does this possibility seem likely? Finally, has their been any UK cases where the UK implementation of 2006/24/EC has actually led to a successful or unsuccessful criminal prosecution? Thanks again. -------------------------------------------- On Mon, 12/23/13, Adrian Kennard <[email protected]> wrote: Subject: Re: [ORG-discuss] EU Data Retention - Some Questions. To: "Open Rights Group open discussion list" <[email protected]> Date: Monday, December 23, 2013, 10:00 AM On 23/12/2013 17:24, Bobby Brewster wrote: > Hello, > > I have read the "DIRECTIVE 2006/24/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL > of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly > available electronic communications services or of public communications networks and amending > Directive 2002/58/EC" > (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF) and have a few questions. > > I want to focus on the way that the implementation occurs. I realise that everyone is talking about the proposed Communications Data Bill and DPI but I first wished to look at what the current situation is rather than what will hopefully not happen. IANAL, but I have concerns over the UK implementation of this. http://www.legislation.gov.uk/uksi/2009/859/contents/made As an ISP, as per 10.(1): These Regulations do not apply to a public communications provider unless the provider is given a notice in writing by the Secretary of State in accordance with this regulation. We are not retaining data under the DPA at present as we have not received a notice. > One: > > Let's say that I visit www.yahoo.com. Then I visit mail.yahoo.com. Then dating.yahoo.com. > > What information is retained? Is it yahoo.com or the subdomain (e.g. mail) and the domain (yahoo.com)? > > What if I visit www.yahoo.com/name_of_page.html. Am I right that only www.yahoo.com or yahoo.com is recorded? My understanding is that as an ISP we would not log any of this as we don't process the URL. This would be data logged on the web server itself, and typically a web server logs the whole URL. The regs talk of logging internet access, and email, not URLs. This may be different if the ISP operated a proxy I suppose. Does anyone know for sure? To log URLs, as a simple packet passing ISP, we would have to do deep packet inspection Section 3: These Regulations apply to communications data if, or to the extent that, the data are generated or processed in the United Kingdom by public communications providers in the process of supplying the communications services concerned. We don't generate or process the URL at all - indeed, our routers do not even load the URL in to the processor cache even, we just look at the headers for IP routing. So I think that means we do not have to log URLs at all. > Two: > > What about the retention of e-mail metadata (from, to, subject, time, IP address)? If I go to mail.yahoo.com and send or receive an e-mail then I bypass POP, IMAP, and SMTP as I am using HTTP(S). How can e-mail metadata be retained if one is not using a client like Thunderbird or Outlook? It appears to me that e-mail metadata retention can be defeated by using webmail. Again, this would, AFAIK, only apply where we operate a mail server. Anyone that uses SMTP/IMAP/POP3/etc traversing our network would not be logged by us. Especially as those service can routinely be accessed encrypted. The requirements are in the schedule http://www.legislation.gov.uk/uksi/2009/859/schedule/made But I would argue, for example, that an email address is not a "User ID", as we have email addresses for multiple users (group mailboxes), and multiple email addresses for a user, and email addresses that are not even valid. There is no actual requirement saying "log the email address" that I can see, just "User ID" which is defined: “user ID” means a unique identifier allocated to persons when they subscribe to or register with an internet access service or internet communications service. It does however ask for logging of the name and address associated with the IP address, but that only applies if we process/generate that data. At present we would have that, but we can easily set up email as a separate service (as a separate company) where we don't know the name/address for the IP, if ever asked to log data. Ironically I cannot see a requirement to actually log the IP, just the name and address associated with it - so if required to log, we would not log the IP. No requirement to log subject lines, size of email, etc. Also, I would agree, using yahoo, gmail, etc, should bypass any logging requirement at the ISP. We would certainly not log anything as (like URLs) we do not look at that part of the packet. > Third: > > How do ISPs record the metadata? For example, if I visit www.yahoo.com I would assume that, since this request goes via my ISP, that they record it. I don't suppose retention is done via DNS requests since, in many cases, one can use a third-party DNS provider e.g. Google. No requirement to log DNS as far as I can see. > Fourth: > > How does the retention process work with non-ISPs? For example, universities provide Internet access but they are not commercial ISPs although individuals are identified with a username and password. The British Library provides free internet access. So does Starbucks. I can understand that coffee shops - even those that are part of massive chains like Starbucks - are clearly not ISPs, but what about university networks (to take one example). If data retention only applies to ISPs then it strikes me that there are numerous ways to avoid it whether deliberately (going to Cafe Nero to browse the web) or as part of one's normal work day (using university network where you work or study). Only public providers are required to log anyway, and then subject to 10(1) above. AFAIK a uni is not considered a public provider, as confirmed by ICO who consider email addresses not afforded protection of the PECR because they are not a public provider! I was wondering if I could make a "January Internet Ltd" which only offered services to persons born in January or companies registered in January. That means an arbitrary member of the public prepared to pay and agree terms could not take our service, they would have to meet the "January" requirement. Would "January Internet Ltd" be considered a "public provider". If not, that would be a good way around it. Obviously 11 other very similar companies would exist and buy access / etc from the same wholesale provider. Comments? -- Director, Andrews & Arnold Ltd www.aa.net.uk -- Please support ORG's work - join and help fund our future: https://www.openrightsgroup.org/join To unsubscribe, send a blank email to [email protected] or use https://lists.openrightsgroup.org/listinfo/org-discuss -- Please support ORG's work - join and help fund our future: https://www.openrightsgroup.org/join To unsubscribe, send a blank email to [email protected] or use https://lists.openrightsgroup.org/listinfo/org-discuss
