Watching and listening to the Commons debate over the Investigatory Powers Bill, and in particular when ‘Internet Connection Records’ were mentioned, it was hard not to feel that what was being discussed had very little connection with reality. There were many mentions of how bad and dangerous things were on the internet, how the world had changed, and how we needed this law – and in particular Internet Connection Records (ICRs) – to deal with the new challenges. As I watched, I found myself imagining a distinctly unfunny episode of Yes Minister which went something like this:
Scene 1:
Minister sitting in leather arm chair, glass of brandy in his hand, while old civil servant sits opposite, glasses perched on the end of his nose.
Minister: This internet, it makes everything so hard. How can we find all these terrorists and paedophiles when they’re using all this high tech stuff?
Civil Servant: It was easier in the old days, when they just used telephones. All we needed was itemised phone bills. Then we could find out who they were talking to, tap the phones, and find out everything we needed. Those were the days.
Minister: Ah yes, those were the days.
The Civil Servant leans back in his chair and takes a sip from his drink. The Minister rubs his forehead looking thoughtful. Then his eyes clear.
Minister: I know. Why don’t we just make the internet people make us the equivalent of itemised phone bills, but for the internet?
Civil Servant blinks, not knowing quite what to say.
Minister: Simple, eh? Solves all our problems in one go. Those techie people can do it. After all, that’s their job.
Civil Servant: Minister….
Minister: No, don’t make it harder. You always make things difficult. Arrange a meeting.
Civil Servant: Yes, Minister
Scene 2
Minister sitting at the head of a large table, two youngish civil servants sitting before him, pads of paper in front of them and well-sharpened pencils in their hands.
Minister: Right, you two. We need a new law. We need to make internet companies make us the equivalent of Itemised Phone Bill.
Civil servant 1: Minister?
Minister: You can call them ‘Internet Connection Records’. Add them to the new Investigatory Powers Bill. Make the internet companies create them and store them, and then give them to the police when they ask for them.
Civil servant 2: Are we sure the internet companies can do this, Minister?
Minister: Of course they can. That’s their business. Just draft the law. When the law is ready, we can talk to the internet companies. Get our technical people here to write it in the right sort of way.
The two civil servants look at each other for a moment, then nod.
Civil servant 1: Yes, minister.
Scene 3
A plain, modern office, somewhere in Whitehall. At the head of the table is one of the young civil servants. Around the table are an assortment of nerdish-looking people, not very sharply dressed. In front of each is a ring-bound file, thick, with a dark blue cover.
Civil servant: Thank you for coming. We’re here to discuss the new plan for Internet Connection Records. If you look at your files, Section 3, you will see what we need.
The tech people pick up their files and leaf through them. A few of them scratch their heads. Some blink. Some rub their eyes. Many look at each other.
Civil servant: Well, can you do it? Can you create these Internet Connection Records?
Tech person 1: I suppose so. It won’t be easy.
Tech person 2: It will be very expensive
Tech person 3: I’m not sure how much it will tell you
Civil servant: So you can do it? Excellent. Thank you for coming.
The real problem is a deep one – but it is mostly about asking the wrong question. Internet Connection Records seem to be an attempt to answer the question ‘how can we recreate that really useful thing, the itemised phone bill, for the internet age’? And, from most accounts, it seems clear that the real experts, the people who work in the internet industry, weren’t really consulted until very late in the day, and then were only asked that question. It’s the wrong question. If you ask the wrong question, even if the answer is ‘right’, it’s still wrong. That’s why we have the mess that is the Internet Connection Record system: an intrusive, expensive, technically difficult and likely to be supremely ineffective idea.
The question that should have been asked is really the one that the Minister asked right at the start: how can we find all these terrorists and paedophiles when they’re using all this high tech stuff? It’s a question that should have been asked of the industry, of computer scientists, of academics, of civil society, of hackers and more. It should have been asked openly, consulted upon widely, and given the time and energy that it deserved. It is a very difficult question – I certainly don’t have an answer – but rather than try to shoe-horn an old idea into a new situation, it needs to be asked. The industry and computer scientists in particular need to be brought in as early as possible – not presented with an idea and told to implement it, no matter how bad an idea it is.
As it is, listening to the debate, I feel sure that we will have Internet Connection Records in the final bill, and in a form not that different from the mess currently proposed. They won’t work, will cost a fortune and bring about a new kind of vulnerability, but that won’t matter. In a few years – probably rather more than the six years currently proposed for the first real review of the law – it may finally be acknowledged that it was a bad idea, but even then it may well not be. It is very hard for people to admit that their ideas have failed.
As a really helpful tweeter (@sw1nn) pointed out, there’s a ‘techie’ term for this kind of issue: An XY problem! See http://xyproblem.info. ICRs seem to be a classic example.
Paul Bernal's Blog 
As a retired engineer myself I think I should know how these things work: There was this new guy, (this is some years back) full of confidence. The manager entered and gave him a job to do. I thought it a little strange as I came and went, but he seemed to spend all day looking at the drawing he had been given and punching at his calculator. The next thing I know he confronted the manager saying, “this job is impossible”. I recall thinking “Oh Shxt”, (an engineer never says that).
The manager sacked him on the spot and with a face like thunder, strode to my desk and slammed the drawing down. He only uttered two words…”DO IT!”. The point of this tale is that I would put money on the safe bet that the manager did not have a clue as to what was right or wrong with an engineering job – I never met one that did.
I think it was Winston Churchill who said that engineers should be on tap and not on top. This may account for the treatment we received like being spoken-to like a dog together with the low pay. It may also account for the reluctance of students to follow an engineering career; I was a college lecturer. I know I always told my kids to steer clear of engineering. I would imagine that the computer industry is a very similar situation. They will do it, but it may not work.
I have a file search on my Linux Mint that is surprisingly bad. In fact I sometimes give-up on it and search manually. I have to ask how it would cope with the prospect of multi-billion files? I tend personally to think that the overly confident computer problem has been created over a few drinks, by what the computer techies tell the scientific press. I regularly read about something called AI. AI to me is a bit like the pulsars and black holes, in that we are all assured they are there but no one has ever seen one.
cadxx
Paul,
The issue is not a technical or political one. It is an economic one. And I’m not talking about cost. I’m talking about your line:
“It’s a question that should have been asked of the industry, of computer scientists, of academics, of civil society, of hackers and more. It should have been asked openly, consulted upon widely, and given the time and energy that it deserved.”
If we answer that question with “settlements” that serve as price signals providing both incentives and disincentives then we will be heading down the right path and solve a lot of issues that plague us.
Remember, the internet itself was (is being) resurrected out of the ashes of the vertically integrated telco model with inefficient settlements jerry-rigged by decades of political and business “bargaining”.
By replacing that model with a market-driven one, we foster much more innovation, reduce the digital divide and raise the costs for bad actors.
The TCP/IP stack was a 4 layer model built between trusting institutions that scaled on commoditized WAN and flat-rate MAN markets in the US in the 1980-90s. Until the latter part of the 1990s, data was still the pimple on the voice elephant’s behind, so few gave settlements much thought economically.
It’s finally time that we shift the debate and include more of the network risk takers and economists (along with the above group you mention).
Much work needs to be done around “settlements” and achieving broader ecosystem network effect than the insecure and balkanized and monopoly-filled silos we have at the core and edge today due to “settlement-free” principles. Settlements, as I pointed out, developed a shabby reputation and have never truly been accorded the right type of academic analysis and thought.
A networked world of incentives is much better than the “every person for themselves and g-d against all” model we have today.
Cheers,
Michael, NYC
Sorry, but I should add that the ICRs already exist and have scaled beyond anyone’s wildest imaginations back in the 1980-90s when we compared them to the arcane and inflated CDR’s and telco/enterprise mediation from the silo-ed IT world of old. The major cost for ICRs are very much baked into the ad-exchange models of today. And with cloud economics zooming ahead they are getting cheaper all the time.
Michael
Well, I think their should be a law enforcement agency to control the dangers over internet and I think there should the mutual agreement among all the nations.
Well, there are also many benefits of internet as it is invented as the cheapest way to communicate with people allover the world.
Well, I think internet connection records are necessary to identify each internet user and their browsing history. I think it is helpful to control the online crimes.
Well, almost in every country the law enforcement agencies kept and collect the record of internet users to prevent any type of online crime.