U.K. Law Enforcement Accelerating Development of Internet Connection Records Storage wired.com

Matt Burgess, Wired:

Official reports and spending documents show that in the past year, UK police have deemed the testing of a system that can collect people’s “internet connection records” a success, and have started work to potentially introduce the system nationally. If implemented, it could hand law enforcement a powerful surveillance tool.

Critics say the system is highly intrusive, and that officials have a history of not properly protecting people’s data. Much of the technology and its operation is shrouded in secrecy, with bodies refusing to answer questions about the systems.

It is worth reading this alongside British efforts to undermine and fearmonger over end-to-end encryption, as it paints a bleak picture of what the government appears to be hoping for.

Reading between the lines here, the internet connection records, which British law enforcement could order ISPs to retain, would be an individual customer’s DNS connection history, subject to technical limitations. For example, insecure web connections contain the domain and path of access, while secure connections only permit ISPs to learn the domain. That is, an ISP knows you have accessed pxlnv.com right now, but not which articles you are reading; they could also know you accessed duckduckgo.com, but not what you were searching.

If law enforcement agencies believe they are entitled to reduced encryption on devices so they are able to see their full contents, I think it is reasonable to assume they would also want some kind of back door in secure web traffic. The contents of a criminal’s web search may be of investigative relevance after all, is how they could justify such a stance. This is not hypothetical: ten years ago, we learned the GCHQ and NSA intelligence agencies had figured out how to breach SSL traffic. Perhaps the thinking of these agencies has evolved: instead of going through all that effort to find vulnerabilities, why not legislate security weaknesses? There are already attempts to do so for device encryption; why would secure web traffic be let off the hook?