This is the fifth piece in a series of articles we will be featuring on Strife in the coming week looking at the role of Proxy Warfare in the 21st century by Series Editor Cheng Lai Ki. Previous articles in the series can be found here.
By: Mustafa Batuhan Albas
On 4 November 2015, the UK government published a draft bill that aimed to (re)regulate the investigatory powers used by its law enforcement, intelligence, and security agencies. The new Draft Investigatory Powers Bill was quick to create controversy and scrutiny on encryption, the use of equipment interference, and the acquisition of bulk data along with other issues. Most importantly, the bill seeks to create ‘a new statutory basis for the retention and acquisition of communications data’ through which the government will require communication service providers (CSPs) to store details of websites accessed by all UK web users for twelve months. These details are called ‘Internet Connection Records’ (ICRs).
Early parliamentary scrutiny revealed that the government estimates the capital cost of collecting and retaining ICRs will amount to £174 million over ten years, it is however not as clear to this day whether the government is willing to cover 100% of the possible costs although it said it would ‘make reasonable cost provision’. The bill since passed its Second Reading on 15 March 2016, but the issue regarding the costs remains in a rather puzzling state. A battle is thus raging silently between service providers and the government. But why has the Home Office gone ahead with publishing the draft bill in the first place?
The UK signals intelligence, a resource constrained domain
The United Kingdom has a robust security apparatus, best exhibited through their efficient intelligence services and their integral role within the Five Eyes Alliance. However, the country has consistently been troubled by one question since the end of Second World War: ‘the growing importance and the rising costs of SIGINT’. Even during its early days, the problem for GCHQ was ‘trying to keep pace with…the NSA, which seemed to have limitless supplies of money’. This problem remains chronic. In 2014, Charles Farr of the Home Office attested that ‘US intelligence agencies are far larger and much better resourced than the [UK] Intelligence Services’ and hence could ‘provide the UK with the intelligence that the UK –with its far more limited resources– could not realistically obtain by itself’. Particularly regarding data retention, the cost of NSA’s Utah Data Centre alone is approximately three times as expensive as the entire complex in which GCHQ currently resides.  This reality is one of the driving incentives behind why the government is trying to use CSPs as proxies and share the burden of responsibilities in a domain in which the costs are a legitimate concern.
Cost of ICRs and the Draft Investigatory Powers Bill
According to the Office for National Statistics, 86% of the households (22.5 million) in the UK had internet access in 2015, with 78% of the adults (39.3 million) using it every day. With the use of multiple gadgets (computers, tablets, smartphones, etc.) and multi-tab browsing habits (maintaining more than one connection at a time), collecting and retaining ICRs could prove to be very costly, even in its most basic form. The bill thus contains certain opportunities for the government in its current state, especially regarding cost management. It is also considerably different than the previous legislation, where CSPs were mostly obligated to retain the data they generated to provide their services. A resource constrained UK government could now effectively force service providers to share the burden of collection and retention duties on a much broader scope. Some of these responsibilities are indeed trying to be outsourced to the providers mandatorily. The government ultimately has this ability to coerce, and the MPs have already acknowledged the possibility of such scenario –that is, if someone does not ‘pick up the bill’.
But would it be that easy? Communication service providers are definitely more vulnerable to government coercion than multinational technology firms. Big UK providers have their broadband networks that cross the entire country, and sometimes even provide access to these networks so that the smaller providers can carry their own services. If the business conditions in the UK ultimately become less favourable, they do not seem to have the immediate luxury nor the ability to move the majority of their operations elsewhere.
The retention of ICRs will require the introduction of certain types of equipment such as deep packet inspection tools (DPI) to the CSP networks –a method that is already associated with high technical processing requirements (and consequently, with high financial costs). Furthermore, there is the ongoing cost of maintenance and storage. One might think that the cost of storage has declined over the years, but the actual cost of bulk and enterprise storage is a lot more complicated than a ‘pennies per gigabyte’ approach, especially when the flow of data that needs to be stored is on a multi-terabyte (if not petabyte) scale. Moreover, the upwards trend in the use of data security technologies such as encryption could further complicate defining what qualifies as an ICR. Less network visibility means that the packet inspection used to deliver ICRs needs more computing power and generates far more data. Service provider representatives acknowledge that this technology challenge is ‘not impossible, but it is very expensive’ as it already is. The president of BT Security Mark Hughes said his company worked out £174 million just for themselves, whereas four mobile carriers stated that they alone could spend £247 million on ICRs.  The Home Office has been avoiding to make a clear commitment to cost recovery. This attitude was best exhibited when the Home Secretary Theresa May made contradicting references to reimburse both ‘reasonable operational costs’ and ‘100% of the compliance costs’ during the Second Reading. Service providers recently criticised May by saying that her statements ‘do not provide for the same coverage of costs’.
It appears that the government’s attempt to impose these ambiguous terms and costs on the communication service providers is not going to be a linear process. Different committee reports, including that of the Joint Committee that was tasked specifically to scrutinise the bill, came out criticising the initial draft. The issues regarding costs were strongly pronounced in at least two of these reports. While agreeing with CSPs on vague cost projections of the Home Office, the Joint Committee also noted that they ‘do not agree that 100% cost recovery should be on the face of the Bill’.
The scope of new obligations mandated under the bill are much bigger than any previous legislation, so are the possible costs. The Home Office will more likely need to explain better what it expects from the service providers amidst the criticism it is currently receiving. The Joint Committee report also suggested that ‘the Government should provide statutory guidance on the cost recovery models’. This is a sensible recommendation, and the Home Office seems to be slowly taking notice of CSPs’ concerns. It is understandable that the current opportunities the bill poses for the government are tempting, but the long-term viability of the bill lies in clarity and cooperation, not coercion nor alienation.
Mustafa Batuhan Albas is an MA Candidate in Intelligence and International Security at King’s College London. His research focus is on information security and its applications on intelligence gathering. He can be reach at @8thcolumn on Twitter.
 Theresa May, “Draft Investigatory Powers Bill,” 2015, 12, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473770/Draft_Investigatory_Powers_Bill.pdf.
 Home Office, “Investigatory Powers Bill Factsheet – Internet Connection Records,” 2015, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473745/Factsheet-Internet_Connection_Records.pdf.
 House of Commons – Science and Technology Committee, “Oral Evidence: Investigatory Powers Bill: Technology Issues, HC 573 (Tuesday 8 December 2015)” (UK Parliament, 2015), http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/science-and-technology-committee/investigatory-powers-bill-technology-issues/oral/25740.html.
 Alan Travis, “Minister Has Not Fully Made Case for Snooper’s Charter, Says Committee,” The Guardian, February 11, 2016, http://www.theguardian.com/world/2016/feb/11/ministers-not-conclusive-case-web-snoopers-charter.
 Richard J. Aldrich, “Counting the Cost of Intelligence: The Treasury, National Service and GCHQ,” English Historical Review 128, no. 532 (2013): 607, doi:10.1093/ehr/cet067.
 Ibid., 610.
 Privacy International, “Investigatory Powers Tribunal Case No. IPT/13/77/H,” 2014, 7–8, https://www.privacyinternational.org/sites/default/files/Witness st of Charles Blandford Farr_0.pdf.
 US Domestic Surveillance Directorate, “Utah Data Center,” accessed February 16, 2016, https://nsa.gov1.info/utah-data-center/.
 Richard Norton-Taylor, “The Doughnut, the Less Secretive Weapon in the Fight against International Terrorism,” The Guardian, June 10, 2003, http://www.theguardian.com/uk/2003/jun/10/terrorism.Whitehall.
 Office for National Statistics, “Internet Access – Households and Individuals, 2015 – Statistical Bulletin,” 2015, http://www.ons.gov.uk/ons/dcp171778_412758.pdf.
 Calum Jeffray, “Understanding the Investigatory Powers Bill,” RUSI, 2015, https://rusi.org/sites/default/files/201511_bp_investigatory_powers_bill.pdf.
 House of Commons – Science and Technology Committee, “Oral Evidence: Investigatory Powers Bill: Technology Issues, HC 573 (Tuesday 8 December 2015).”
 Broadband Genie, “Rated Broadband Providers,” 2016, https://www.broadbandgenie.co.uk/broadband/providers.
 Niccolò Cascarano, Luigi Ciminiera, and Fulvio Risso, “Optimizing Deep Packet Inspection for High-Speed Traffic Analysis,” Journal of Network and Systems Management 19, no. 1 (2011): 8, doi:10.1007/s10922-010-9181-x.
 Klint Finley, “Encrypted Web Traffic More Than Doubles After NSA Revelations,” Wired, May 2014, http://www.wired.com/2014/05/sandvine-report/.
 Joint Committee on the Draft Investigatory Powers Bill, “Oral Evidence: Draft Investigatory Powers Bill, HC 651 (Wednesday 9 December 2015),” UK Parliament, 2015, http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/draft-investigatory-powers-bill-committee/draft-investigatory-powers-bill/oral/25977.html.
 Joint Committee on the Draft Investigatory Powers Bill, “Oral Evidence: Draft Investigatory Powers Bill, HC 651 (Wednesday 13 January 2016),” UK Parliament, 2016, http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/draft-investigatory-powers-bill-committee/draft-investigatory-powers-bill/oral/26875.html.
 “Written Evidence: Internet Service Providers Association (ISPA) (IPB31),” 2016, http://www.publications.parliament.uk/pa/cm201516/cmpublic/investigatorypowers/Memo/IPB31.pdf.
 Travis, “Minister Has Not Fully Made Case for Snooper’s Charter, Says Committee.”
 House of Commons – Science and Technology Committee, “Cost of Investigatory Powers Bill Could Undermine UK Tech Sector,” UK Parliament, 2016, http://www.parliament.uk/business/committees/committees-a-z/commons-select/science-and-technology-committee/news-parliament-2015/investigatory-powers-bill-report-published-15-16/./
 Joint Committee on the Draft Investigatory Powers Bill, “Draft Investigatory Powers Bill Report,” n.d., 68, http://www.publications.parliament.uk/pa/jt201516/jtselect/jtinvpowers/93/93.pdf.
 Ibid., 10.
 Home Office, “Communications Data: Draft Code of Practice,” 2016, 96, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/505411/Communications_Data_draft_Code_of_Practice.pdf.