Must all UK Internet access providers keep records of which websites I visit?

old filing cabinets

This blogpost addresses a common claim, that all UK Internet access providers are required to retain everything about their subscribers' or users' activities.

Every packet they shift, every web page they visit, every message they send.

tl;dr

There is no evidence to support the claim, and the legislative framework and accompanying code of practice strongly suggest otherwise.

ISPs are not subject to an automatic obligation to retain communications data. In other words, if you are providing an Internet access service, you don't have to retain data unless you're specifically ordered to do so.

If you provide an Internet access service, you may want some kind of logging capability for your own purposes (for example, to help you comply with requirements around accuracy of billing for metered tariffs) but:

  • you'd need to do so in a manner consistent with the law; and
  • it's very unlikely you would need to know which websites someone has visited for this.

Internet access and encryption

Before we get into the legal issues, the increasing use of encryption, in particular the prevalence of https and the work done by Let's Encrypt, means that Internet access providers cannot tell which particular pages of many websites you are visiting (for example, the fact that you are viewing the content at /blog/2021/06/must-all-uk-internet-access-providers-keep-records-of-which-websites-i-visit on the decoded.legal site), or the content which you are posting to those sites, and, in the case of many over the top communications services, the person or people with whom you are exchanging messages.

Determining the identity of the site (in the case of this blog, decoded.legal) or service is technically possible in many cases (for example, from the server name sent in the clear at the start of the TLS handshake, or from the DNS lookups which precede the connection), unless the user has taken measures to obfuscate this.
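To make the distinction concrete, here is an added example (my own illustration, not code from the original post) of what an on-path observer such as an access provider can and cannot read from an https connection. The TLS ClientHello is sent in the clear and, in TLS 1.2 and in TLS 1.3 without Encrypted Client Hello, carries the server name (SNI) in plain text; the HTTP request line containing the path is only sent after the handshake, inside an encrypted application_data record. The ClientHello below is constructed inline with the minimum fields needed and is not a capture; the hostname decoded.legal is the one used above.

```python
"""Added example: what the wire shows an on-path observer during an https connection.
build_client_hello() constructs a minimal TLS record (not a real capture) and
extract_sni() parses the server_name extension the way a passive probe would."""
import struct
from typing import Optional


def build_client_hello(hostname: str) -> bytes:
    """Construct a TLS handshake record carrying a ClientHello with one extension: server_name."""
    sni_name = hostname.encode("ascii")
    server_name_list = struct.pack("!BH", 0, len(sni_name)) + sni_name  # name_type 0 = host_name
    sni_ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body  # type 0 = server_name
    body = (
        b"\x03\x03"                               # legacy_version: TLS 1.2
        + bytes(32)                               # client random (zeroed for the example)
        + b"\x00"                                 # legacy_session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                             # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello (1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake (22)


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None if the
    record is not a ClientHello (e.g. encrypted application_data) or carries no SNI."""
    if len(record) < 5 or record[0] != 0x16:      # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:              # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    if len(p) < hs_len:
        return None
    i = 2 + 32                                    # skip legacy_version and random
    sid_len = p[i]; i += 1 + sid_len              # skip session id
    cs_len = struct.unpack("!H", p[i:i + 2])[0]; i += 2 + cs_len   # skip cipher suites
    cm_len = p[i]; i += 1 + cm_len                # skip compression methods
    if i + 2 > len(p):                            # no extensions block at all
        return None
    ext_len = struct.unpack("!H", p[i:i + 2])[0]; i += 2
    end = min(i + ext_len, len(p))
    while i + 4 <= end:
        ext_type, ext_body_len = struct.unpack("!HH", p[i:i + 4]); i += 4
        ext_body = p[i:i + ext_body_len]; i += ext_body_len
        if ext_type == 0x0000 and len(ext_body) >= 2:   # server_name extension
            list_len = struct.unpack("!H", ext_body[:2])[0]
            j = 2
            while j + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", ext_body[j:j + 3]); j += 3
                name = ext_body[j:j + name_len]; j += name_len
                if name_type == 0:
                    return name.decode("ascii", errors="replace")
    return None


def observer_view(records: list) -> dict:
    """Summarise what a passive observer learns from a list of TLS records: the SNI host
    name (if any ClientHello carried one) and whether any HTTP request path was visible.
    The path never is, because requests travel inside encrypted application_data records."""
    hostnames = [h for h in (extract_sni(r) for r in records) if h]
    return {"hostname": hostnames[0] if hostnames else None, "path_visible": False}


if __name__ == "__main__":
    # Constructed sample: the handshake in the clear, then the encrypted GET request.
    # The 40 bytes of 0xAA stand in for ciphertext; an observer sees only opaque bytes.
    encrypted_request = b"\x17\x03\x03" + struct.pack("!H", 40) + b"\xaa" * 40
    flow = [build_client_hello("decoded.legal"), encrypted_request]
    print(observer_view(flow))   # {'hostname': 'decoded.legal', 'path_visible': False}
```

The parser deliberately returns None for anything other than a ClientHello, which is exactly what a probe sees for the rest of the session: the site name leaks from the handshake (and from DNS), the page path and content do not.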

Retention notices and the Investigatory Powers Act 2016

The Investigatory Powers Act 2016 is the UK's latest iteration of its telecoms / Internet surveillance framework. It includes rules around the retention of communications data by Internet access providers and other telecoms operators.

These rules have changed considerably since the Act came into force, thanks to ongoing litigation.

One thing which has not changed is that the Investigatory Powers Act 2016 does not impose a data retention obligation on all ISPs.

The IPA 2016 does not impose a retention obligation on all ISPs

You are not subject to a retention obligation just because you meet the definition of "telecommunications operator". This is fortunate, because the definition is sufficiently broad to cover someone who operates a network in their house...

Instead, the framework empowers the Secretary of State to issue retention notices. The Secretary of State has to actively do something to trigger a retention obligation.

You might, I suppose, argue that it is a question of semantics as to whether the Act imposes a direct obligation, or if the Secretary of State does it. However, even if you did treat them as the same thing (which they are not, IMHO), the remainder of Part 4 of the Investigatory Powers Act 2016 does not evidence the claim that all ISPs are subject to retention obligations.

For example, paragraph 17.3 of the Communications Data Code of Practice sets out some of the factors the Secretary of State may take into account when deciding to give a retention notice.

These include the size of the operator (the larger, the more likely a notice is), the number of acquisition authorisations or notices which are imposed on the operator each year (the more, the more likely a notice is), and factors relating to the service or its user base.

There are three phases to giving a notice:

  • The Secretary of State must take reasonable steps to consult the operator to which the proposed notice relates.
    • In practice, the Home Office is likely to consult informally with the potentially affected operator long in advance of a formal consultation.
    • If you are approached by the Home Office about a retention notice, and want to talk with a lawyer about it, do get in touch.
  • The Secretary of State must consider that a retention notice is necessary and proportionate for one or more of the statutory purposes.
    • This covers both the decision to issue a retention notice, and the content of that notice — the data which it requires the notice recipient to retain, and the duration of that retention (up to a maximum of 12 months).
  • Once the Secretary of State has decided to give the notice, their decision must then be reviewed and approved by an independent body of ex-judges, known as the Judicial Commissioners.
    • In other words, in addition to the staff at the ISP, and the staff in the Home Office working on it, and on top of the Secretary of State, there is at least one set of further eyes scrutinising the decision.

There is also a quasi-appeals process, under which an operator can refer a notice back to the Secretary of State.

A retention notice does not necessarily cover everything an ISP might have anyway

Where the Secretary of State decides to issue a retention notice, the Investigatory Powers Act 2016 does not require that that retention notice covers absolutely everything which an ISP could retain: everything in a notice is subject to the requirements of necessity and proportionality.

Paragraph 17.31 of the Code of Practice says:

A notice will not necessarily represent the full range of services and data types which a telecommunications operator or postal operator could retain.

In other words, an ISP may have a retention notice, and it may still not be required to retain the particular information you are thinking about.

Don't all ISPs have retention notices?

Probably not (for the reasons above), but this is not public information, and ISPs and others subject to retention notices face statutory prohibitions on disclosure.

Paragraph 21.2 of the Code of Practice says:

The Home Office does not publish or release identities of telecommunications operators and postal operators subject to a data retention notice as to do so may identify operational capabilities or harm the commercial interests of companies that have been given a notice. Should criminals become aware of the capabilities of law enforcement then, they may alter their behaviours and switch operator making it more difficult to detect their activities of concern.

If all Internet access providers were subject to retention notices, wouldn’t it be easier to say that? There would be no need to dance around issues of secrecy, or explain why the list of notice recipients cannot be published. The fact that the Home Office chooses to take this approach undermines the claim that all providers have notices.

The outcome

The outcome is that:

  • the Investigatory Powers Act 2016 can be used to impose retention requirements on Internet access providers.
  • it is very likely that there are retention notices, since the power has been around for a long time.
  • ISPs are not automatically subject to retention obligations.
  • the available information makes the claim that every ISP has a retention notice incredibly unlikely.

"But the police expect providers of Internet access to log web browsing..."

Occasionally, I hear arguments along the lines of "even if you do not have a statutory obligation to do so, the police will take a dim view of any Internet access provider which does not log records of who visits which websites".

I hear this most often from people selling systems to retain records of who visits which websites. Most recently, I saw it in the context of someone selling these services to schools.

I've yet to see any evidence for claims of this nature, and I regard them as sales fluff. Fluff which I note just might have the effect of scaring an organisation into buying a lucrative equipment and maintenance package.

It's a remarkably unspecific claim:

  • who is "the police"? Which police force?
  • where is the evidence to show that these unspecific "police" take a "dim view" of a lack of a retention system?
  • left unstated is the (lack of?) impact of them taking a "dim view". Does it matter if they take a dim view? What are they going to do?

Lastly, there is a clear legal framework for imposing obligations on providers, where necessary and proportionate to do so for a range of things, including the prevention and detection of crime (different types of crime apply to different obligations). If "the police" had an operational requirement for you to retain communications data because of the services you provide, they are likely to approach the Home Office to discuss the imposition of a retention notice.

But we want to log which users visit which websites

If you or your organisation wants to retain information about use made of an Internet access service which you are providing — whether on the basis of the perception of a "dim view" by law enforcement, or for some other reason — you may be able to find a way to do so legally. At a minimum, you'd need to make sure that what you were proposing was consistent with:

  • rules around the interception of communications (which have both criminal and administrative penalties, in addition to the risk of civil claims from affected users)
  • the ePrivacy framework, and its rules on anonymisation of traffic data once no longer necessary for the transmission of a communication
  • the data protection framework, to the extent that what you are doing entails the processing of personal data

Depending on your purpose for engaging in this surveillance, with good advice and sensible planning and service design, these are unlikely to be insurmountable obstacles, but it very much depends on the purpose(s) for which you are doing it, and it is certainly not just a case of sticking a probe into your network, vacuuming up whatever you can get, and keeping hold of it indefinitely.

Be wary of vendors claiming that "it's all fine", or being vague about the legal issues in engaging in this kind of surveillance: your objectives and theirs are not necessarily aligned, and it is likely to be you who carries the risk.

Note the Home Office has an obligation to provide a measure of funding to Internet access providers when it imposes a retention notice on them. You'd have to be really keen to want to pay out of your own pocket for your own retention system (and for associated legal advice).

If you're still thinking about doing this and want a hand, do get in touch.

--

The image is licensed under the Pexels licence.