The Anti-Theresa May Device

As you may be aware, the "Investigatory Powers Act 2016" (also called the Snoopers' Charter) was made law in the UK on December 30, 2016. The basic premise of this Act is to ensure that the UK Intelligence Agencies can collect "Internet Connection Records" of any and all users of an Internet Service Provider, including home, mobile and public internet connections.

While I agree, of course, that terrorism and other evil and illegal activities should be detected, investigated and punished to the full extent of the law, I do not agree that mass collection of the population's internet connection records is the correct way to go about this. Let's suppose there are 1000 terrorists in the UK (perhaps a high number [1]) out of a population of 65 million. I imagine a large percentage of that 65 million have some sort of internet connection, let's take 50% as a rough estimate, so 32.5 million. That means 99.9997% of the population are having their connections to Facebook, Twitter, potentially adult websites, everything they do on the internet recorded to try and detect 0.0003% of the population doing something illegal.

What is in an ICR (Internet Connection Record)?

The specific description from the Act [2]:

...means communications data which—
(a) may be used to identify, or assist in identifying, a telecommunications
service to which a communication is transmitted by means of a telecommunication system for the purpose of obtaining access to, or running, a computer file or computer program, and
(b) comprises data generated or processed by a telecommunications
operator in the process of supplying the telecommunications service to
the sender of the communication (whether or not a person)

In simple terms, the following can be assumed to be recorded:

  • Timestamp (to millisecond precision)
  • Source IP address and port
  • Destination IP address and port

The issue with this data being collected is that websites do not always have a 1-1 correlation between IP address and website name. For example,, an Ice Hockey team website is shared with, a Yorkshire magazine website. This could easily be instead something totally innocent and something quite illegal, but from the data collected it cannot be determined, so what happens to the user that has connected to this IP address?

The agencies which have access to this data

Here is a subset of the agencies that have access to the ICRs without a warrant, more can be found here.

  • Department of Health
  • Department for Transport
  • Financial Conduct Authority
  • Health and Safety Executive
  • Scottish Ambulance Service Board

Why do these agencies require warrentless access to the internet connection records of the population and although there is protection in place to prevent misuse (jail sentences are mentioned) how is it technically achieved? Is there an audit log of this massive database?

How much storage is required?

The BBC website, as of the date of publishing this article requires 102 TCP connections to get all the data on the page. Let's imagine it takes 60 bytes to store the timestamp, source and destination information. That's nearly 6KiB per page load. I have no idea what an average browsing session may be, but let's estimate 50 pages and 4 websites, 200 page loads. That's 1.2MiB per session per user. Multiply that by the number of active internet users, and that adds up to be tebibytes (terabytes) of data per day - even compressed or archived, the amount of data is mind boggling. I'd like to see what type of database is used to store it!

What I've done - the "Anti-Theresa May Device"

Network layout:
WAN > Netgear DM200 VDSL Modem > USB/Ethernet Converter > HP t5740 running pfSense > Ethernet > Wireless Access Point

I quite simply refuse to have my internet browsing habits or records of which servers I connect to in a massive database for Government agencies to look through. To prevent this, I have a dedicated server in Germany which is running pfSense. On the client side in the house, connected to my broadband line I have another pfSense router (a HP t5740 Thin Client with the OS changed, which was less than £20 new on eBay) and have a site to site IPSec VPN running over UDP on a random port number. All traffic goes through this tunnel. I've not experienced much slowdown, in fact the VPN is able to run at ~30mbps with minimal latency (~50ms). My phone also connects to the VPN when I'm out and about. Future improvements include a separate WiFi network which is not filtered as some websites do not have a country picker and default to geo-location of your IP address, which is frustrating when websites think you're in Germany. If you'd like more information on how this VPN setup is achieved, leave a comment below.

"If you have nothing to hide, you have nothing to fear" does not cut it any more and you should not put up with needless data collection. This database of connection records would be a goldmine for corruption, blackmail and potentially worse. In fact, MPs are exempt from having their ICRs viewed without a warrant... [3]