Blog Post

UK government wants to accurately identify law-breaking web users

The U.K. government is set to announce measures to force internet service providers to maintain records of which customers use which IP addresses, so as to make online anonymity more difficult.

The details of how this is to be achieved are yet to be announced, but reports on Sunday noted that the measures will form part of a wider anti-terrorism bill that’s due to be introduced on Wednesday. The IP addresses that ISPs assign to their customers are often shared and also sometimes reset when they turn equipment off and on again. In theory, this move would make it easier to link an IP address known to have been used in a specific communication to a specific device.

Terrorists aside, the Home Office wants IP matching to help identify and prosecute online bullies, hackers and so on, and identify children who have “threatened over social media to commit suicide.”

Nonetheless, home secretary Theresa May is annoyed at the Liberal Democrats, her Conservative Party’s junior coalition partner, for blocking moves to reintroduce a repeatedly floated, and repeatedly shot-down, “Snooper’s Charter” – more properly known as the Communications Data Bill.

This would force service providers to retain users’ web metadata to allow greater state surveillance of what people do online – something that is at least theoretically enabled by the DRIP Act that was recently rushed through Parliament, but only on a temporary basis until 2016. While the Lib Dems have consistently opposed this, they have long supported IP matching.

“The Home Office had gone quiet on the issue of IP address matching until it resurfaced as a result of deeply misleading claims made in Theresa May’s Conference speech,” the Lib Dems said in a self-congratulatory blog post on Sunday. “May accused the Liberal Democrats of putting children’s lives at risk by blocking the Snoopers’ Charter, citing cases dropped by the National Crime Agency. In fact it was the failure to match IP addresses that led to the failure of those cases.”

The move has also received a cautious welcome from the likes of Big Brother Watch and veteran Conservative rebel and civil liberties activist David Davis — with the conditions that its use has proper oversight and isn’t a bridge towards the reintroduction of the Snooper’s Charter, which May clearly wants.

The home secretary said in a statement emailed to me by the Home Office:

Loss of the capabilities on which we have always relied is the great danger we face. The Bill provides the opportunity to resolve the very real problems that exist around IP resolution and is a step in the right direction towards bridging the overall communications data capability gap

But I believe that we need to make further changes to the law. It is a matter of national security and we must keep on making the case for the Communications Data Bill until we get the changes we need… This data will only be available on a case by case basis, where necessary and proportionate, to public bodies approved by Parliament to acquire it for lawful purposes.

It appears that this would be an evidential tool as much as anything else; something to prove that a person accessed unlawful content, once their IP address has been found communicating with the server of that content. In a separate move, British ISPs recently agreed to stop people from seeing “extremist” material online.

Linking IP addresses to devices would certainly make for tighter evidence, though arguably not always enough to link a specific person to specific content and communications, as some devices are shared. Who knows: perhaps the move might wake the U.K. authorities’ draconian copyright enforcement powers from their current slumber.

It would be premature to pass judgement on the IP address-matching move without seeing the details (tech lawyer Graham Smith reckons it might involve port number retention), but while IP matching may in itself be unobjectionable – and perhaps even to be welcomed in certain cases — there can be great value in anonymous web usage, from intellectual exploration to whistleblowing. As these measures could and sometimes should be circumvented, I’m concerned about whether the government intends to crack down on anonymizing services such as VPNs and Tor.

Ultimately, the real danger lies in how the practice might be used in conjunction with other, more authoritarian laws, such as the aforementioned DRIP Act and the data retention law it bolsters, RIPA. Unfortunately, UK law enforcement legislation has a nasty tendency to be used for purposes that weren’t originally on the menu, such as RIPA being used to uncover journalists’ sources and spy on lawyer-client communications. On IP matching, the devil may be in the details.

One Response to “UK government wants to accurately identify law-breaking web users”

  1. I wonder how the UK Government are going to manage to gain foolproof identity information from IP addresses. After all, if this was possible, the ISPs would be selling the information to advertisers and making huge profits.

    Also, if it is just collecting “metadata”, how can it ‘identify children who have “threatened over social media to commit suicide.”’? Surely, this means scanning the content of messages?

    I’m all for protecting people, but this all seems like a reactionary response by people who don’t really understand the technology or the capabilities of the threat. It’d be trivial to avoid the proposed systems, for a motivated person or organisation.