Report of the Interception of Communications Commissioner - 2016
property at which children are living, some of the usual investigative work, which would
corroborate the resolution but takes time, is not always done before executive action is
taken. There needs to be a change of mindset away from the assumption that technical
intelligence, such as an IP address resolution, is always correct.
Many of the errors set out in Annex D are IP Address Resolution Errors.
IOCCO’s response
Last year, I decided to review the measures that had been taken to improve processes,
training and general awareness, with the intention of reducing these errors. In addition, I
wrote to the National Police Chief’s Council lead on communications data on 16 December
2016. During my review, inspectors paid particular attention to the recommendations in
my July 2015 half-yearly report:
•
•
•
•
•
Make it easier for applicants to be able to electronically transfer (i.e. copy/
paste) communications addresses and timestamps into their applications;
Resolve more than one IP address relating to the same activity and compare
results;
Make it easier for those processing applications to check the source information
on which an application is based;
Those receiving from CSPs the results of a resolution should double-check all
disclosures against the original requirements prior to taking action; and
Investigators should undertake further research and intelligence checks to try
to corroborate the result before executing warrants.
During this review, inspectors have in particular focused on staff within teams that
regularly resolve IP addresses using timestamp conversions.
My inspectors have found a wide variation of capabilities available to applicants to transfer
electronically (i.e. copy/paste) communications addresses (and relevant dates / times /
time zones) into their applications. Some investigators use dual-screen terminals with
access to all systems within an inter-connected desk-top environment. Others work on
standalone systems that require members of staff to use approved USB sticks to transfer
data. Other investigators are required to re-type communications addresses (and relevant
dates / times / time zones) into their applications. There are often good reasons for the
use of standalone systems, but requiring investigators to re-type a significant number of
IP addresses greatly increases the risk of error.
Where there is more than one IP address related to the incident, or more than one date /
time, I am satisfied that investigators will usually seek to resolve more than one to make
a comparison.
My inspectors have concluded that it is now common practice for applicants to make
available to those who process the applications (the SPoC) the source information on
22
@iocco_oversight