IPB Police have demanded to be given access to the whole of the public's web-browsing history as part of the forthcoming Investigatory Powers Bill, due to be published in draft form next week.
The government has been lobbied by senior police officers to include in its new surveillance legislation a requirement for service providers to retain a greater range of data, including weblog data, which police would be able to access for investigative purposes.
The Times reported that "[a] final decision on whether the retention of internet connection records (ICRs) will be included in the bill is not expected until just before publication" of the draft Investigatory Powers Bill, due next week.
The retention of such connection records, or weblogs, was included within the Draft Communications Data Bill in 2012, garnering it the epithet of Snoopers' Charter, before it was torpedoed by the Liberal Democrats in the coalition government.
The Times stated that the police "would not have access to the content of internet searches and social media messaging without judicial approval." However, records would be collected on which sites Britons had visited – although not beyond the root directory.
"We didn't read books over the telephone, but as an entirely accidental by-product of communications technology, our reading habits are now trackable."
An unnamed senior officer told The Times that the capability was "about everyday investigation rather than surveillance", while Richard Berry, spokesperson for the National Police Chiefs' Council on data communications issues, claimed that law enforcement was "not looking for anything beyond what they were traditionally able to access via telephone records."
However, the degree to which traditional copper-wire communications may be compared with those taking place through the internet is strongly contested by privacy advocates. Jim Killock, executive director of the Open Rights Group, said: "Our web browsing histories can reveal very personal details about our lives, such as our political views, sexuality and health concerns. It is highly intrusive for this data to be retained just in case we commit a crime in the future. Surveillance should be targeted at those who are under suspicion of committing a crime."
Retention of weblog data has additionally been described as "[p]erhaps the most contentious and confused aspect of communications data retention" by Graham Smith, an expert in IT law and partner at Bird & Bird.
Smith told The Register that the powers the police have been reported to be seeking are equivalent to recording "every magazine you've read, but not which articles on which pages" and noted the Home Office's definition of weblog data, as provided to David Anderson QC, the UK's independent reviewer of terrorism legislation:
Weblogs are a record of the interaction that a user of the internet has with other computers connected to the internet. This will include websites visited up to the first ‘/’ of its [url], but not a detailed record of all web pages that a user has accessed. This record will contain times of contacts and the addresses of the other computers or services with which contact occurred. [9.53]
Smith noted how Anderson recognised in his review that even limited in this way, weblogs could still "reveal, as critics of the proposal point out, that a user has visited a pornography site, or a site for sufferers of a particular medical condition, though the Home Office tell me that it is in practice very difficult to piece together a browsing history. [9.54]"
The ORG's Killock concurred, noting that "by looking at someone's web browsing history, you can build a much more detailed and intimate picture of someone's life. It can reveal political interests, who you bank with, whether you have children, your sexual interests, where you live, where you travel to and so on."
Berry explained the police's desire to The Times by saying "We want to police by consent, and we want to ensure that privacy safeguards are in place. But we need to balance this with the needs of the vulnerable and the victims."
We essentially need the “who, where, when and what” of any communication — who initiated it, where were they and when did it happen. And a little bit of the “what”, were they on Facebook, or a banking site, or an illegal child abuse image-sharing website?
Five years ago, [a suspect] could have physically walked into a bank and carried out a transaction. We could have put a surveillance team on that but now, most of it is done online. We just want to know about the visit.
Killock told The Register that such communications data may be even more revealing about an individual that the actual content of their phone calls.
Bird & Bird's Smith additionally scrutinised the the Home Office's description of weblog data, under terms "also intended to cover data such as destination IP addresses, DNS server logs, http ‘GET’ messages and IP service use data."
"The inclusion of GET messages is odd," he wrote, noting that a "GET message requests a page from the web server" which, unless truncated, "would be the equivalent of retaining a full URL."
Smith told The Register: "We used to talk on landline telephones with a fixed, known location. You can argue that because phones have gone mobile, law enforcement needs access to more data to get the same result – but the real issue is that we don't just talk any more."
The realm of human activities which have become trackable has expanded considerably due to the internet, Smith told The Register: "We didn't read books over the telephone, but as an entirely accidental by-product of communications technology, our reading habits are now trackable. Were these implications fully realised when RIPA was passed in 2000?" Smith asked. "Now is the time to have that debate."
The claims regarding weblog data retention follow suggestions that the draft legislation will not include another of David Anderson's recommendations, namely that judges, rather than ministers, take responsibility for signing surveillance warrants. ®