The draft Investigatory Powers Bill—the UK's proposed surveillance legislation that would force internet service providers (ISPs) to store the browsing history of all customers for a year—may soon be a reality. After the Paris attacks, UK politicians called for the Bill to be fast-tracked through Parliament as soon as possible, rather than waiting until the end of 2016.
But while law enforcement and government are absolutely sure that they need these new powers, those who would have to carry out the surveillance outlined in the Bill don't have any concrete idea how much the whole thing would cost. The government has presented an estimate, but internet service providers and trade associations say questions remain about what exactly they would need to collect, leaving the full cost of the program up in the air.
Richard Alcock, programme director of the Home Office's Communication Capabilities Directorate, told the Science and Technology Committee in an oral evidence session on Tuesday that the predicted cost to ISPs to collect and store web histories is £174 million over 10 years.
This figure was generated from "a body of knowledge and historical costs," and would also include making sure that the collected data is stored to a certain standard of security. ISPs would be reimbursed for setting up the system, although it is not clear from Alcock's comments whether the government would pay for absolutely everything. "We will make reasonable cost provision," Alcock said.
"It is very likely that the retention of ICRs will be technically very difficult and expensive"
Representatives from ISPs and trade associations cast doubt on whether such an estimate can be accurate without more information on the proposals.
The Investigatory Powers Bill will force ISPs to collect something called internet connection records, or ICRs. Paul Bernal, a lecturer in law at the University of East Anglia (UEA), previously told Motherboard that "'Internet Connection Records' are described in the notes to the Bill as 'a record of the internet services a specific device has connected to, such as a website or instant messaging service.'"
Because internet connection records are so broadly defined, ISPs complain they're not sure what they would be expected to collect, and in turn, how much that collection would cost.
Written evidence submitted by the Internet Service Providers Association (ISPA) reads, "The Investigatory Powers Bill does not provide a clear definition of ICRs making it difficult to assess what data could fall under the definition and what impact the collection of this data may have on businesses and consumers."
"This makes an assessment of either the technical or the public policy impact of ICRs very difficult, but it is very likely that the retention of ICRs will be technically very difficult and expensive, although not impossible," the ISPA continues.
"Assumptions have to be put in that take account of the fact that bandwidth will increase"
There are also different ways to go about the collection, making definitive costs even more difficult to estimate.
"Technically, there are many different options, depending upon what you come up with, so there is a definite range of possible costs," Mark Hughes, president of BT Security, told the Science and Technology Committee.
Even if ISPs were to get a hold on what exactly an internet connection record is, and how to store them, it seems likely that the amount of data that needs to be collected will increase over time.
"When one looks at the internet connection records part of the Bill, the bandwidth appetite in our country is increasing very rapidly, so, clearly, assumptions have to be put in that take account of the fact that bandwidth will increase," Hughes said.
Of course, this may all be getting slightly ahead of the issue. The Bill has yet to pass, and has been met with fierce opposition from civil liberties and privacy campaigners. More dialogue between the Home Office, the telecoms industry and experts will be conducted over the coming weeks, and, if the Bill does become law, it might be years before we ISPs develop their collection capabilities.
Hugh Woolford, director of operations at Virgin Media, said, "We've put some thought into the timescales. We feel that we could probably, as long as the discussions and detail are worked through, we could start 2017 with earliest deployment in 2018, depending on the scale of the request."