New law could allow GCHQ to monitor UK internet logs in real-time to tackle fraud

Britain’s cyber and signals intelligence agency GCHQ could monitor logs of domestic internet traffic in the United Kingdom in real-time to identify online fraud and interrupt criminals during the act, under a new law being considered by the government.

The system could amount to the “wholesale change in philosophy and practice” called for by MPs last year, when an inquiry into fraud and the justice system reported that the government’s current approach had failed.

Fraud is estimated to “cost society at least £4.7 billion each year” (about $5.3 billion) in financial terms and causes an immeasurable amount of personal harm and distress to its victims. However, less than 8% of reported crimes are investigated according to the inquiry, which found that “the level of focus from policing is inadequate to deal with the scale, complexity and evolving nature of fraud.”

There are questions over both whether the operational case proposed by GCHQ is technically possible, as well as the impact that the new use of internet connection records (ICRs) — a type of data which telecommunications operators in Britain can be obliged to hold for up to a year — would have on civil liberties.

ICRs are a form of metadata that the British government can compel companies to retain about the internet services their customers have connected to. They can show which device (and thus person) connected to an internet service and when, but they are not intended to collect the content that person accessed.

Currently, ICRs may only be used to identify a person who is suspected of a crime and not to develop new suspects. The government’s proposal to allow ICRs to be used to facilitate “target discovery” was recently reviewed by David Anderson, the former independent reviewer of terrorism legislation, who said the Home Office had “alluded to this issue only in the broadest of terms” rather than discussing it explicitly when commissioning his independent review.

Despite the lack of clarity from government, during the course of the review Anderson’s team received an operational case from GCHQ about how the power could work:

“ICRs could be used, for example, to search for devices which were simultaneously connecting to legitimate banking applications and to malicious control points. Such behaviour could indicate that a financial fraud is in progress. Improved access to ICRs could enable the intelligence services to detect such activity more effectively and to inform LE colleagues of the identity of the potential fraudsters and of any associated organised crime groups. Flagging suspicious behaviour in that way can lead to action being taken to prevent criminals from defrauding their intended victims.”

Alongside tackling fraud, GCHQ provided a scenario in which the new power could be used to identify child sexual abuse offenders by obtaining records of people who have engaged in “particular combinations of online behaviours” and sharing that intelligence with law enforcement partners.

Anderson, a member of the House of Lords, wrote his review team “was also shown national security scenarios to which detection and identification from ICRs would make a large difference, but these are impossible to share publicly without damaging operations and capability.”

Technical hurdles

Beyond the mention of “improved access” in the GCHQ operational case, the agency’s scenario does not go into detail about the technical challenges facing ICRs which would appear to make a real-time system extremely unlikely.

Although the Investigatory Powers Act which introduced ICRs was passed in 2016, as of 2023 they are still not in widespread use in Britain. Anderson said ICRs “take considerable effort, cost, and skilled resource to implement well” which has meant that “progress towards the operationalisation of ICRs has been slow.”

“Collecting and using ICRs is not a straightforward business. It requires telecoms operators to collect and store the correct network records, and investigators to make good-quality queries and inferences from those records. As internet usage shifts to mobile phones, connecting to the internet through home and public WiFi and 3G/4G/5G, and as network operators continually change the internal architectures of their networks, the difficulties of exploiting ICRs increase.

“In addition, it is often suggested that customers will increasingly be able to frustrate the collection of ICRs by various means which allow them to browse the internet without revealing their IP addresses. One telecommunications operator… described ICRs to the Review team as ‘a gold-plated solution which will take a long time to generate’.”

Steven Murdoch, a professor of security engineering at University College London, told Recorded Future News: “ICRs are certainly a powerful tool in identifying behaviour, but consequently are very privacy invasive. If their scope for use by intelligence agencies expands from national security to other offences there would be questions as to whether the level of privacy intrusion is justified.”

Anderson recommended that the new power should be introduced allowing the intelligence services to apply for a warrant to detect suspects or persons of interest “when it is necessary and proportionate for a national security or serious crime investigation,” but citing how the Home Office had only alluded to this increase in powers, Anderson also said that any such proposal “should receive proper pre-legislative scrutiny.”

A spokesperson for the Home Office said the department was “very grateful to Anderson and his team for their work on this report. We are now carefully considering his recommendations to inform proposals for future legislation.”