CHAPTER 9: LAW ENFORCEMENT
that explicitly identifies the internet communications service or websites a user
of the service has accessed. This type of data is sometimes referred to as web
logs.”
That exception (and even its description) remains controversial, as discussed below.
9.50.
The utility of the new requirement may be demonstrated by the scenario in which the
police get hold of a server that was used to host criminal activity. They can retrieve
the IP addresses that contacted it; but without the ability to resolve IP addresses which
may have been used over time by more than one device, will not know the specific
computer or phone that was using each address at the time when contact was made.
9.51.
Law enforcement bodies welcome CTSA 2015 Part 3, believe that it will have some
independent utility in resolving IP addresses, and want an equivalent provision to be
introduced after the end of 2016. They also emphasise however that it is no more
than a stepping-stone. Some CSPs, particularly, those using dynamic IP addresses
such as mobile phone operators, require destination IP as well as sender IP to match
up who is involved in an action. There is a strong belief that the exclusion in CTSA
2015 s21(3)(c) may need to be revisited if reliable IP resolution is to be achieved. But
as explained below, this does not necessarily mean that law enforcement bodies want
any more than is needed to maintain their operational capabilities.
Web logs / destination IP
9.52.
The Home Office explained to the JCDCDB that it wanted law enforcement to be able
to access “two specific types of data: subscriber data relating to IP addresses and
web logs”.30 The retention of the former has been provided for by CTSA 2015 s21(3):
but for the time being at least, the same Act excludes the compulsory retention of web
logs (see 9.49 above).
9.53.
What is meant by web log in this context has caused some uncertainty, and
independent experts to whom I have spoken criticise the term, and those who use it,
on the basis of imprecision (as well as the inapplicability of the term to non-web based
services). But the Home Office has provided me with this definition:
“Weblogs are a record of the interaction that a user of the internet has with
other computers connected to the internet. This will include websites visited
up to the first ‘/’ of its [url], but not a detailed record of all web pages that a user
has accessed. This record will contain times of contacts and the addresses of
the other computers or services with which contact occurred.”31
9.54.
30
31
32
Under this definition a web log would reveal that a user has visited e.g.
www.google.com or www.bbc.co.uk, but not the specific page.32 It could also of
JCDCDB Report, para 73.
Evidence to the Review, March 2015.
Even so, this is not straightforward. CSPs’ networks are all built and configured differently and there
are many datasets which could be used directly or indirectly to identify the services or sites accessed
by a customer. The Home Office has indicated that such data could include but is not limited to:
url addresses: Under the current accepted distinction between content and CD, www.bbc.co.uk would
be communications data while www.bbc.co.uk/sport would be content; and this is set out in the
177