Defence contractor BAE Systems wins Home Office contract
The government has signed a £2m contract with a supplier to help build a national system intended to allow authorities to search for and obtain citizens’ internet records from communications firms.
The plan to develop the nationwide system – which will build on trials embarked upon with two unnamed internet service providers in 2019 – were recently revealed in a procurement notice.
The service is intended to provide a means for law-enforcement agencies to search and, ultimately, gain access to data on individuals’ internet connection records (ICR) – information that, since the 2016 introduction of the Investigatory Powers Act, telecoms firms can now be legally compelled to store for a year.
While an ICR does not provide a full browsing history including individual webpages, it contains information on all sites visited or apps accessed by a user, as well as details of the device used and the time and date of the visit. A user’s IP address and their customer account information with the telecoms provider in question is also embedded in the records.
The Digital Intelligence sub-division of global defence firm BAE Systems has now been appointed to a contract for “the transition and build of a filtering arrangement and results platform” that police and other authorities will be able to use to search ICR databases.
The contract notice outlines that the search capability to be used nationally will, where possible, build on systems that were built as part of the trials. The “technical migration team” that the BAE unit has been hired to provide “will be responsible for the technical implementation of the national service… working in line with the expectation that a private beta version of the filtering arrangement and results platform capability will be available for use against telecom operator data by the end of 2022”.
A recently published update to the procurement notice reveals that a contract with the defence firm, worth an estimated £2m, was signed on 14 July by the National Communications Data Service (NCDS), a little-publicised unit that sits within the Home Office’s counter-terror operations and whose remit – as described in another procurement notice – is “providing the nominated representatives of law enforcement agencies and wider public authorities with access to retained communications data in accordance with legislation”.
BAE Systems Digital Intelligence is expected to fulfil an initial six-month statement of work from NCDS which, if deemed successful, will extend into a two-year engagement.
The team to be provided by the supplier will include a product manager, scrum master, a security architect, a lead developer, two developers, and two DevOps workers. This team will work with a Home Office team including both civil servants and other contractors.
Once the full national service is complete, it will enable investigators to have “access to ICR data, so that [they] can use it to support criminal investigations and identify where [they] may need to send requests for other data on other systems”.
There has been no formal announcement from the government about the decision to go ahead with a national service that could seemingly allow police to access on demand large parts of citizens’ internet histories.
For an exclusive report earlier this year breaking news of the ICR platform, PublicTechnology contacted the Home Office and the National Crime Agency – the organisations which jointly conducted the earlier trials – as well as the watchdog responsible for overseeing communications surveillance. We also contacted the UK’s 16 leading broadband providers and mobile network operators, and the primary trade industry body for ISPs.
None of these organisations answered any of our questions or provided any comment or additional information on what the service will entail, their organisation’s role or participation in its operation, whether police will need a court order to search databases of internet connection records (ICRs), or the implications for citizens’ privacy and data security.
BAE Systems has not provided comment for this story.