Multiple sources indicate that the controversial Interception Modernisation Programme (IMP), first floated in 2008 and appearing in revised form in 2009, is to resurface when Parliament returns from its Christmas break.
The original plan was to create a huge centralised database of "communications traffic data" (sites visited, people emailed, etc).
Version 2 in 2009 scaled back on data centralisation, but increased what was to be collected. The ISPs would keep the data, only handing it over to police and local council school admission compliance officers, dog wardens etc so long as they produced a
But the little black boxes to be installed within ISPs under IMP v2 would have been capable of reading much more, including who was writing to whom via webmail services, etc, using a technology called deep packet inspection.
Sources tell me the current plan is similar to version 2; a central database is still off the table. ISPs will keep the extra data gathered "as they do now, under the data retention rules". But it's not the same as data retention. Data retention obliges ISPs and other communications service providers to store only the traffic data generated as part of their normal business.
IMP requires new equipment to be installed to "drill deeper" into the data stream, then obliges ISPs to store this data. I'm told the focus is personal/direct messages sent via social media websites and instant messenger services.
On the surface officials want ISPs to install equipment to record who we're communicating with. The new capability is needed given a shift away from traditional email towards cloud email and services like Facebook, Google+ etc. ISPs will be compensated for the equipment, data storage and each data access request from
But this argument doesn't bear close inspection, since a lot more traffic these days is encrypted, sometimes by default, than in 2009 when this plan first surfaced. Most web email services, Skype, Google+ and Facebook allow users to connect more securely, using https://
Whilst it's theoretically possible for most governments to read https:// traffic in transit, by replacing the SSL certificate of the original website with one generated on the fly in collusion with a friendly local Certification Authority (CA), I'd be gobsmacked if this was to happen in the UK; it introduces far more security holes than it fixes. Besides, it might only serve to drive a new generation of encryption and certification technologies based on distributed trust.
Which begs the question: what is the government really planning, and why? I've heard measures will be introduced via a parliamentary bill focussing mainly on national security and not via the ongoing process to develop a new Communications Bill.
The Communications Bill Green Paper is also due to hit Parliament in January, but my contacts tell me IMP v2.2 will be pushed through in a separate process, with officials hoping for IMP v2.2 to be operational before the Communications Bill is finalised in 2013, which could be significant.
There's a possibility the push to get ISPs to install little black boxes now, under the guise of national security, could then later be exploited in the Communications Bill to e.g. force ISPs to block websites from a government-mandated list of "rogue" sites.
I'm told the list will be governed by a court process and would come under the government's Prevent strategy; e.g. focus on "hate crimes" such as incitement to commit racial hatred and other extremist causes.
The UK embarked on the slippery state-ordered censorship slope this summer when a court ordered ISP BT to block Newzbin on grounds of copyright infringement. Similar plans in the US, the Stop Online Piracy Act and Protect IP Act, look doomed after a public outcry over free speech. The supposedly free-speech-friendly replacement OPEN Act is designed to hit criminal piracy enterprises in the pocket by blocking advertising and payment services.
In the UK websites can - for the time being at least - only be blocked on copyright grounds under controversial Section 97A of the Copyright, Designs and Patents Act.
This could change with the forthcoming Communications Bill. It's also worth noting that the BPI are once again pushing for the additional copyright website blocking powers lying dormant in sections 17 and 18 of the Digital Economy Act to be activated, despite website blocking being rubbished by an Ofcom study. The BPI said in response (pdf) to a recent consultation "We would call on the Government to swiftly implement the Sections 3 to 18 of the Digital Economy Act". (Note the inclusion of 17 and 18; Parliament has so far only authorised Sections 3-16.)
One good thing (!!) to come from court-ordered web censorship would be the blocking of all gossip about the sex lives of footballers...
However, in the not-so-good bucket (!!) would be a nationwide porn blocking filter I hear is also still on the cards for the upcoming Communications Bill, in an attempt "to appeal to female voters". At issue here isn't access to porn but the very real risk of over-blocking, as when Vodafone blocked popular underwear resellers with their on-by-default "adult" content filter.
Another lobbying scandal in the making?
Another possible reason for the new push on interception modernisation is simply lobbying by manufacturers of the specialised equipment necessary to implement the scheme.
It's easy for a salesman or lobbyist to down-play problems caused by encryption; "oh yes, Minister, our system can see inside encrypted traffic". Technically it can, but we definitely don't want to go down a route of forged SSL certificates if we value cyber security and e.g. the integrity of our online banking system, etc.
With well over half a billion pounds allocated from the UK treasury plus a reported $60bn in the US for cyber security, if I were a well-paid lobbyist working for one of these companies I wouldn't be doing my job properly if I wasn't brushing over problems with encryption and over-emphasising the risks from not doing something now that would help catch future terrorists and lingerie purchasers.
Here's a thought: perhaps the budget would be better spent on recruiting cyber talent and analysts than lining the pockets of equipment manufacturers?