The Counter Terrorism and Security Act 2015, an Act of Parliament, makes provision for the retention of data by Content Service Providers (CSPs), amongst other counter-terrorist measures. Part III of the Act revises DRIPA to include mandating the retention of data regarding the allocation of IP addresses to given devices at particular times – thereby providing authorities with more information about the identity of a particular device user when IP addresses are used by multiple users simultaneously. For technical reasons however this provision does not make it possible in every case to verify the identity of individuals using devices.
As the Explanatory Notes to the Act make clear, “providers generally have no business purpose for keeping a log of who used each address at a specific point in time” [1]; as such, the Anderson Review notes that the act “provided for the first time that service providers should generate and retain data that they did not need for their own business purposes” [2]. However, the Act also explicitly prevents CSPs from retaining “data that explicitly identifies the internet communications service or websites a user of the service has accessed … sometimes referred to as web logs”, a crude record of browsing history. [3]
[1] Explanatory notes to United Kingdom Parliament (2015), Counter-Terrorism and Security Act, available at http://www.legislation.gov.uk/ukpga/2015/6/notes/contents
[2] David Anderson Q.C., ‘A question of trust’, Report of the Investigatory Powers Review, July 2015, p.110.
[3] Explanatory notes to United Kingdom Parliament (2015), Counter-Terrorism and Security Act, available at http://www.legislation.gov.uk/ukpga/2015/6/notes/contents