Website access logging

iwrconsultancy
Dabbler
Posts: 18
Thanks: 5
Registered: ‎21-11-2016

Website access logging

Just a question the PN guys could maybe shed some light on: With the Investigatory Powers Bill now passed, ISPs will have to compile a log of 'Websites visited' by accountholders. Thing is, do you think it is actually even feasible to do that?

Every major website that I know of uses Javascript to pull data from other sites (Facebook, Doubleclick etc) without the visitor's permission or knowledge. These offsite downloads are carried out at the instruction of the originating site's webmaster. Although they are obtained using your browser, you are not in control of the process.

Since the HTTP GET requests are nearly identical for human-initiated and javascript-initiated data fetches, I find it hard to believe that it would be possible to identify where the visitor had actually typed a URL or clicked a link, as opposed to being hit with stuff they never asked for.

Even if Javascript were disabled in the browser, a frameset or redirect could also land the user on a site they had not asked to visit. Thus I don't see how what the government requires is even feasible.

Any thoughts on this? I'm preparing a writeup on the subject for my MP and it would be useful to know if ISPs think the requirements (of identifying sites visited by the user) are technically feasible.

 

8 REPLIES 8
Jonpe
Hero
Posts: 3,459
Thanks: 1,384
Fixes: 9
Registered: ‎05-09-2016

Re: Website access logging

I always use a mouse with my laptop so that I don't accidentally put my finger on the touchpad and click on something I don't want to click on.  However, using a mouse on a slightly shiny/reflective surface can cause the cursor to fly to another part of the screen resulting in a 'misclick'.

You could try emailing pressroom@plus.net with your enquiry.

ejs
Community Veteran
Posts: 5,442
Thanks: 630
Fixes: 25
Registered: ‎10-06-2010

Re: Website access logging

I thought it would be fairly obvious that they're going to log everything, they're not going to be bothered if you intended to visit it or not. I'm sure someone can always claim that their cat jumped on the keyboard and that's how they ended up on a particular website.

gleneagles
Community Veteran
Posts: 10,689
Thanks: 2,209
Fixes: 16
Registered: ‎02-08-2007

Re: Website access logging

@iwrconsultancy

I think you have the right to request all the data a company holds about you for a fee of £10.

If you requested that data and decided the information was incorrect would you not have the right to ask for it to be removed, so if the list showed I visited website x on such a date and time and I claimed I did not, would it not be up to the ISP to prove I did?

If a number of users requested and queried data held, the ISP would end up with a lot of non-productive work on their hands.

My concern about this bill is that it could be open to abuse in several ways and we will see examples of this as time goes on.

We are born into history and history is born into us.
iwrconsultancy
Dabbler
Posts: 18
Thanks: 5
Registered: ‎21-11-2016

Re: Website access logging


@ejs wrote:

I thought it would be fairly obvious that they're going to log everything


Which is what I imagine they'd have to do as there is no way to distinguish original requests from robots.

If so, that opens the way to all kinds of malicious activity. Even without using Javascript, it would just be a matter of hacking a well-known website (If it uses SQL, how hard is that?) and putting a frameset on it with the legit site taking up 99% of the page and a few choice illegal pr3n images in the other 1px-high frames.  To target a specific individual, just put in a bit of php to check the host and only echo the frameset if it's the intended victim.

Wait a while, make a phone call, victim framed. If you'll excuse the pun.

NO. If this is to be implemented, it has to be only the sites visited. If it includes robot downloads it's worse than useless. Dangerous, in fact, because it's so easily exploited for criminal frame-up purposes.

 

ejs
Community Veteran
Posts: 5,442
Thanks: 630
Fixes: 25
Registered: ‎10-06-2010

Re: Website access logging

If it's so easy, perhaps you should do a bit of white-hat hacking, and arrange for some well-known websites to warn people of the problem you describe? Oh wait, that would probably be illegal.

Also, how exactly are you going to check the host to find the intended victim? How will you know their IP address?

ejs
Community Veteran
Posts: 5,442
Thanks: 630
Fixes: 25
Registered: ‎10-06-2010

Re: Website access logging


@iwrconsultancy wrote:

With the Investigatory Powers Bill now passed, ISPs will have to compile a log of 'Websites visited' by accountholders.

 


Are you sure that's correct?

Looking at https://www.gov.uk/government/publications/investigatory-powers-bill-fact-sheets - Factsheet: communications data

The Bill will also require communications service providers to retain internet connection records. ICRs do not provide a full internet browsing history. The ICRs do not reveal every web page that a person visited or any action carried out on that web page.
iwrconsultancy
Dabbler
Posts: 18
Thanks: 5
Registered: ‎21-11-2016

Re: Website access logging

Yes, that's correct. The Bill requires domains visited to be logged. It does not require lists of pages read.

The situation is that when you visit most large websites, a 'robot' on the page also fetches data from other domains. Thus, it will appear that you visited a great many more domains than the one you actually visited. To give an idea how bad the problem is, even loading a fairly reputable site might cause 20 other-domain data fetches. With some sites like tabloid newspapers festooned with ads, that might be anything up to 100.

So, the log will contain anything from 20 to 100 entries for every site you visit. Of those, you visited one. The rest you didn't visit, but AFAICS there is no way for the ISP to determine which is the needle in that haystack.

There is an obvious legal issue here, in that any surveillance or reporting on the public must be accurate. Otherwise it would be in breach of all kinds of regulations, including human rights Law. Over-reporting of sites you didn't visit is obviously worse from a legal standpoint than under-reporting of sites you did, since that might lead to a false prosecution.

I could see situations where NOT logging the pages visited could actually be worse than doing so. Supposing a robot on a page you visit accesses a known child abuse site, but all it does is to get the robots.txt file from that site. With only the domain logged, it would appear that you had been downloading child abuse material. If the file download history were available, then it would be clear that nothing of the sort was involved.

There is a reason why courts ask for the truth and the WHOLE truth.  Half-truths are dangerous.
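
Added example, not part of any post in this thread: a sketch of the point argued above that user-initiated and script-initiated fetches cannot be told apart in a domain-level log. It assumes a logged record holds only a timestamp and a destination host; the hosts, the `Request` type and the burst heuristic in `guess_visited` are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    t: float        # seconds since capture start
    host: str
    path: str
    initiator: str  # known only inside the browser: "user", "script" or "frame"

# Constructed sample (hypothetical hosts): one typed URL, then what the page pulls in,
# then a timed ad refresh from the same open tab 45 seconds later.
PAGE_LOAD = [
    Request(0.00, "news.example", "/story", "user"),
    Request(0.15, "cdn.example", "/app.js", "script"),
    Request(0.22, "ads.example", "/slot?id=7", "script"),
    Request(0.25, "tracker.example", "/pixel.gif", "script"),
    Request(0.31, "widgets.example", "/like.html", "frame"),
    Request(0.40, "ads.example", "/creative.jpg", "script"),
    Request(45.00, "ads.example", "/slot?id=8", "script"),
    Request(45.10, "tracker.example", "/pixel.gif", "script"),
]

def isp_records(requests):
    """Project browser-side requests to (time, host); path and initiator are dropped."""
    return [(r.t, r.host) for r in requests]

def truly_requested(requests):
    """Ground truth, available only from inside the browser."""
    return {r.host for r in requests if r.initiator == "user"}

def guess_visited(records, gap=5.0):
    """Heuristic: the first host after a quiet period of `gap` seconds is the 'visit'."""
    guesses, last_t = [], None
    for t, host in sorted(records):
        if last_t is None or t - last_t > gap:
            guesses.append(host)
        last_t = t
    return guesses

if __name__ == "__main__":
    records = isp_records(PAGE_LOAD)
    print("hosts in the log:", sorted({h for _, h in records}))
    print("hosts the user asked for:", sorted(truly_requested(PAGE_LOAD)))
    print("hosts the heuristic calls visits:", guess_visited(records))
```

The second host the heuristic reports is the timed ad refresh, a script-initiated fetch that the log alone cannot separate from a deliberate visit.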

ejs
Community Veteran
Posts: 5,442
Thanks: 630
Fixes: 25
Registered: ‎10-06-2010

Re: Website access logging

Which part of The Bill says domains are going to be logged?