UK carriers say draft snooping law will be a technical feat
They won't even speculate on how much data collection systems could cost to set up.
Key to the draft Investigatory Powers Bill is a proposal that would require internet and other communications providers to collect and store 12 months of web traffic data, so it can be made available to government agencies when needed. It's a subject of ongoing debate in Parliament, and just last week, the UK's major ISPs voiced their concerns over the cost and technical challenges associated with gathering and processing these Internet Connection Records (ICRs). Yesterday, it was the turn of execs from EE, Three, O2 and Vodafone to meet with the draft bill's joint committee, and while the big four carriers echoed the sentiments of the ISPs, they are even more wary of the scale and scope of what the government is asking them to deliver.
Reiterating a point raised by the ISPs, top brass from the major mobile providers said there has been no previous need to collect this kind of data. As such, the technology to do so doesn't exist, and would need to be built from scratch. Carriers will have the added burden of developing systems that can pinpoint the web traffic of an individual mobile user. There aren't enough unique IP addresses to go around, so mobile providers bundle up customer connections and route them through a single IP. This can mean "multiple thousands of unique devices attached to that public-facing IP address," with one exec estimating it would take up to 18 months to create a system for processing and recording an individual's mobile data.
An indeterminable cost
All the execs wouldn't even begin to speculate what it might cost to meet the government's requirements. The big ISPs warned last week that the £174 million put aside by the Home Office to fund the proposal wouldn't be enough to cover their costs alone. The carriers agreed the government should pick up the bill, but wouldn't be able to volunteer estimates when the definition of ICRs is still far from clear. In its simplest form, an ICR would include the top-level domain being accessed, but not individual webpages. Things get a bit muddier when you throw over-the-top services like WhatsApp into the mix, however.
While mobile networks route a ton of data from over-the-top services, they are not party to its contents. Therefore, you can't extract a great deal of information from this traffic without unpacking it to figure out, for example, if it's a Skype call -- not to mention that most communications data is encrypted. And with encryption becoming more commonplace, the fear is the complex and expensive systems required by the draft bill will simply be processing inordinate amounts of useless data. The volume of internet traffic handled by mobile networks is rising steadily, too, so there will be ongoing costs associated with upgrading these systems to gather and store more and more data.
Define Internet Connection Record
It also raises the question of whether network providers should be required to store and analyse data from third-party, over-the-top services when the government could engage with them directly, which one exec argued would be a much more "elegant" solution. Instead of piecing together potentially inaccurate information from multiple connection providers, the service itself could collate all of a user's activity and understand the data. It also helps that carriers could keep private, encrypted data at arms length, of course. With so much of the scope of the ICR proposal still unclear -- including exactly what type of data an ICR would compromise, and how it would need to be stored, accessed, etc. -- the carriers dared not speculate on the costs of building the appropriate collection systems, apart from saying they would be "significant."
Other issues raised by the carriers included the security of such large, complex databases, particularly when they would be accessed by government agencies and third parties working on behalf of them. It's imperative that customer privacy and data protection rights be upheld throughout the chain, they argued, also noting that it's going to be a serious challenge training people to understand the data in the first place.
Obviously, it's not just connection providers like carriers and ISPs that are questioning the finer details (or lack thereof) of the draft Investigatory Powers Bill. Today, a number of legal experts will sit down with the joint committee and voice their concerns that legally privileged communications (aka the attorney-client privilege) aren't specifically protected under the proposed surveillance legislation. Speaking to The Guardian, Peter Carter QC of the Bar Council (who will appear in front of the committee) said: "Under the current draft, security services would be allowed to spy on private communications between clients and their lawyers because protections for legal privilege are not written into the bill."