British Home Secretary Theresa May’s latest Counter-Terrorism and Security Bill seeks to require communications service providers to retain and make available to government details of who is using a particular IP address. But industry commentators are unhappy with the proposals and say that they will not work in practice.
The Bill covers a range of controversial measures, with only a small part (s.17) addressing communications data. The explanatory notes to the draft Bill tell us that the purpose of these provisions is to
‘enhance law enforcement agencies’ ability to investigate terrorism and serious crime by extending the retention of relevant communications data to include data that will help to identify who is responsible for sending a communication on the internet or accessing an internet communications service.’
The Bill would add a new category of ‘relevant internet data’ to the DRIP Act's category of 'relevant communications data', to include data which could be used to identify the IP address used by the sender or recipient of a message. Like the DRIP Act, these provisions would only last until the end of 2016.
The Bill would also give the Home Secretary the right to make regulations to give effect to its objectives.
Industry commentators say that the Bill simply will not work from a technical perspective. Relying on IP addresses does not make sense, as they can be spoofed, reassigned or shared among multiple users. The Internet Services Providers' Association, ISPA, has expressed its dissatisfaction, complaining of a ‘distinct lack of engagement with industry’ on this issue.