On the 6th of January 2017 the Investigatory Powers Bill came into effect. At this point all CSPs (ISPs such as TalkTalk, Vodafone and BT) must start collecting internet connection records - or ICRs.
I'm not going to get into the morality or the why's and wherefores but, according to the IPB these must contain the details of websites each internet connection connects to, but not the full URL or details of every page visited.
So how are they intending to collect that information? There's several ways to do that. Perhaps a form of DNS caching silo-ed to each household and business; perhaps packet inspection?
Whichever way this will be achieved the focus now shifts to the ICRs themselves - which of course are chunks of information stored about a person.
Wait... *sound of rustling paper* ...that means that under the Data Protection Act these ICRs come under the definition of personal data (section 1 I think states that but it is also referenced in schedule 2). But surely that would mean we could see what's being collected then? We each have the right to see all our data and meta-data to ensure that it is correct and being processed correctly.
Time for an exploration into some of these grey areas to see what will happen if I SAR my ISP for ICRs. The complication here is that I use a business account wired to my home address; but that isn't so much of a complication when you consider that when you inform someone that a Thing is personal data, you are associating your name with that Thing ... and therefore it becomes personal data (assuming it is about you). So... The ISP doesn't have an open email inbox although this makes sense - they'd just get spam.
Instead I have to log a request via the support system or send a *shudders* letter. My ISP also mandates that I should send them a cheque for £10 in the post before they'll deal with the SAR... but a) that's *shudders* basically a letter and b) I don't have a cheque book any more and and and and c) my ISP themselves don't accept cheques in payment for their services.
So I call cow poo on that one.
So this morning I logged the following support ticket - please feel free to take this and shape it to your own personal needs if you wish:
"Please pass this request to your legal department. It has been logged as a support request for tracking purposes.
This is a subject access (a section 7) request under the Data Protection Act.
As the internet services provided by this business account are also used for personal / home reasons, this SAR essentially ties the internet connection records (ICR) to my name, and therefore expands the scope of "personal data" to include the ICR themselves by association.
I am also the authorised person on the business account and am happy to be verified as such.
With that in mind, please provide copies of all data - in electronic format - and associated meta-data for the ICRs collected as required by the Investigatory Powers Bill - related to me.
As I do not have a cheque book it is impossible to follow your privacy guidelines about how to pay the £10 DPA-mandated fee, so ask that you contact me directly to provide alternative payment details."
Updates to follow (although bearing in mind the ISP involved, it won't be any time soon). I'm expecting some attempt to wiggle out of it either by admitting that they're not up-and-running with it yet, or that they try and claim a DPA exemption.
So the ISP has called a couple of times, the foreign call centre handler then immediately passed me through to their billings complaints department. After 10 mins of me telling them the reference number from their own email (and them claiming it wasn't a valid reference number), they agreed to speak to the call handler who had passed my call to them. They're now speaking to him and will call me back later.
I'm still a little surprised that this ISP (a large multinational) has live chat on the website, a ticketing system for non-standard queries and a web portal for account management still requires postal methods for a SAR. Seems an overly obstructive approach and making it almost dissuasive for most people.
The next few updates deserved a post of their own, check for new posts in coming days...
I'm not going to get into the morality or the why's and wherefores but, according to the IPB these must contain the details of websites each internet connection connects to, but not the full URL or details of every page visited.
So how are they intending to collect that information? There's several ways to do that. Perhaps a form of DNS caching silo-ed to each household and business; perhaps packet inspection?
Whichever way this will be achieved the focus now shifts to the ICRs themselves - which of course are chunks of information stored about a person.
Wait... *sound of rustling paper* ...that means that under the Data Protection Act these ICRs come under the definition of personal data (section 1 I think states that but it is also referenced in schedule 2). But surely that would mean we could see what's being collected then? We each have the right to see all our data and meta-data to ensure that it is correct and being processed correctly.
Time for an exploration into some of these grey areas to see what will happen if I SAR my ISP for ICRs. The complication here is that I use a business account wired to my home address; but that isn't so much of a complication when you consider that when you inform someone that a Thing is personal data, you are associating your name with that Thing ... and therefore it becomes personal data (assuming it is about you). So... The ISP doesn't have an open email inbox although this makes sense - they'd just get spam.
Instead I have to log a request via the support system or send a *shudders* letter. My ISP also mandates that I should send them a cheque for £10 in the post before they'll deal with the SAR... but a) that's *shudders* basically a letter and b) I don't have a cheque book any more and and and and c) my ISP themselves don't accept cheques in payment for their services.
So I call cow poo on that one.
So this morning I logged the following support ticket - please feel free to take this and shape it to your own personal needs if you wish:
"Please pass this request to your legal department. It has been logged as a support request for tracking purposes.
This is a subject access (a section 7) request under the Data Protection Act.
As the internet services provided by this business account are also used for personal / home reasons, this SAR essentially ties the internet connection records (ICR) to my name, and therefore expands the scope of "personal data" to include the ICR themselves by association.
I am also the authorised person on the business account and am happy to be verified as such.
With that in mind, please provide copies of all data - in electronic format - and associated meta-data for the ICRs collected as required by the Investigatory Powers Bill - related to me.
As I do not have a cheque book it is impossible to follow your privacy guidelines about how to pay the £10 DPA-mandated fee, so ask that you contact me directly to provide alternative payment details."
Updates to follow (although bearing in mind the ISP involved, it won't be any time soon). I'm expecting some attempt to wiggle out of it either by admitting that they're not up-and-running with it yet, or that they try and claim a DPA exemption.
Update 1: Jan 19th, 2pm
Expected this sort of thing.So the ISP has called a couple of times, the foreign call centre handler then immediately passed me through to their billings complaints department. After 10 mins of me telling them the reference number from their own email (and them claiming it wasn't a valid reference number), they agreed to speak to the call handler who had passed my call to them. They're now speaking to him and will call me back later.
I'm still a little surprised that this ISP (a large multinational) has live chat on the website, a ticketing system for non-standard queries and a web portal for account management still requires postal methods for a SAR. Seems an overly obstructive approach and making it almost dissuasive for most people.
The next few updates deserved a post of their own, check for new posts in coming days...
