What does the Home Office mean by “IP Address Matching”?

The Counter-Terrorism and Security Bill was published yesterday, along with a couple of supporting documents, but it is still unclear exactly what data the Home Office is proposing to retain.

The government needs to clarify the language in the bill and supporting documents, because it will be difficult to have a debate about security vs. freedom without this information. (Until then we would really have to assume the worst-case option: numbers 2 and 3 below combined.) The ambiguity may also result in legal wrangling if a service provider objects at a later stage to the information they are being asked to collect.

There are three likely interpretations of the bill:

  1. They want to keep:
    • account-to-IP address mappings for broadband
    • source IP address and port for NAT on mobile and cloud networks
    • MAC addresses on cloud WiFi networks.

    Although this data does not seem particularly useful, which makes me query the price tag, the civil liberties implications seem minor, given that ISPs may already be keeping it in many cases.

  2. As (1), but also collecting data such as MAC addresses from end-user equipment where it is operated by an ISP (e.g. the BT Home Hub). This is troubling, as people will not expect equipment in their own homes to be spying on them.
  3. As (1) or (2), but also keeping some element of destination information to allow matching with destination server logs – e.g. destination IP address and port. Although in many cases an IP address/port combination is ambiguous as to which site is being visited, that is not always the case. Collecting this data strays into the same territory as the Communications Data Bill.

It has been suggested that there may be a provision somewhere to also require CSPs (Facebook, Twitter, etc.) to keep source port information in server logs, which would make the data from (1) more useful if the source and destination are also in the UK.
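To show why the source port matters for interpretation (1), here is an added example (not from the bill or its supporting documents) that matches a server-side log entry against a NAT session log. The record layout, subscriber labels, addresses and the `candidates` function are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed NAT session log (assumed layout): several subscribers share
# one public IP and are told apart only by translated port and time window.
# Addresses come from the 198.51.100.0/24 documentation range.
NAT_LOG = [
    # (subscriber, public_ip, public_port, session_start, session_end)
    ("sub-A", "198.51.100.7", 40001, "2014-11-27T10:00:00", "2014-11-27T10:05:00"),
    ("sub-B", "198.51.100.7", 40002, "2014-11-27T10:01:00", "2014-11-27T10:06:00"),
    # The same public port is handed to a different subscriber later on.
    ("sub-C", "198.51.100.7", 40001, "2014-11-27T10:30:00", "2014-11-27T10:35:00"),
    ("sub-D", "198.51.100.9", 40001, "2014-11-27T10:00:00", "2014-11-27T10:05:00"),
]


def candidates(public_ip, seen_at, src_port=None, skew_s=0):
    """Return the subscribers consistent with one server log entry.

    src_port=None models a server that logs only the client IP address.
    skew_s is the tolerance, in seconds, for clock differences between
    the server and the network operator.
    """
    seen = datetime.fromisoformat(seen_at)
    skew = timedelta(seconds=skew_s)
    found = set()
    for sub, ip, port, start, end in NAT_LOG:
        if ip != public_ip:
            continue
        if src_port is not None and port != src_port:
            continue
        begin = datetime.fromisoformat(start) - skew
        finish = datetime.fromisoformat(end) + skew
        if begin <= seen <= finish:
            found.add(sub)
    return found


if __name__ == "__main__":
    hit = ("198.51.100.7", "2014-11-27T10:02:00")
    print("IP only:       ", sorted(candidates(*hit)))
    print("IP + port:     ", sorted(candidates(*hit, src_port=40001)))
    # A loose timestamp plus port reuse makes the match ambiguous again.
    late = ("198.51.100.7", "2014-11-27T10:15:00")
    print("30 min of skew:", sorted(candidates(*late, src_port=40001, skew_s=1800)))
```

An entry with only the IP address fits two subscribers, adding the source port narrows it to one, and a large clock tolerance combined with port reuse brings the ambiguity back.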

If they could also publish how many additional RIPA requests they would expect to be able to get a positive result from due to this bill, that would also be useful information.

(It’s also worth reading the Impact Assessment if you are researching all this.)