The UK government has unveiled its draft Investigatory Powers Bill, which will compel Internet service providers to store a record of their subscribers’ web browsing history for a year.
The bill will allow the police to identify which communications services a person or device has connected to – called “internet connection records”.
UK home secretary Theresa May said it will not require the full web histories of users. Instead, it will store a record of the communications service a person has used.
“So, if someone has visited a social media website, an Internet Connection Record will only show that they accessed that site, not the particular pages they looked at,” she said.
While most South African ADSL ISPs do not record this information, some mobile operators keep a record of the online activity of their users.
What Vodacom knows about your online activity
Vodacom said it records some information which allows it to identify specific sites visited by its subscribers.
Vodacom said it does not record individual subscribers Internet usage down to URL level, though.
“As per our Data Usage Information Policy, we are only allowed to look at data up to OSI Layer 3,” said Vodacom.
“We can therefore give a resolved IP which will give you a domain name and volume of data. Our policy prohibits deep packet inspection.”
Vodacom said it can, on special request or subject to user consent, mine log files from its network systems to identify specific sites visited. This does not include the activity on that site.
For example, it can be determined that a subscriber visited YouTube, but not which video was watched.
To safeguard the information, it is only available by dynamic IP address and not MSISDN (phone number) in the relevant systems. In addition, these log files are transient and the data is not stored long term.
The information of which MSISDN was assigned which IP address, at a specific time, is stored in another system and it is a substantial process to tie these together.
It is therefore not possible to get a single view on which URLs were visited by a specific subscriber.
Who has access to this information
Vodacom said access to the multiple systems storing the information is limited to an investigative team.
When needed, this team will pull the data from the various sources and provide a report to the subscriber.
“This is only done on special request and only once the subscriber has requested this and given consent. Even then, this is only possible for the short term as the log files get overwritten quite quickly,” said Vodacom.
The information is safe
Vodacom said even if the data is somehow leaked or hacked, it will not provide an identifiable browsing history of a user.
“Numerous data sets in various formats need to be pulled together before a single view can be presented.”
Vodacom said it would require the hacking of a substantial number of different systems, in different domains, to get a person’s browsing history.
It said it has implemented multiple layers of security systems and processes to protect the security of this information.