Police u-turn on ISP server logs

The National Crime Squad has retracted earlier statements suggesting that it had access to Demon Internet's download logs for a major investigation
Written by Wendy McAuliffe, Contributor

The National Crime Squad (NCS) on Thursday denied that it had access to the traffic logs of Demon Internet for Operation Landmark, despite implying on Wednesday that it had "imaged" the servers of the Internet Service Provider (ISP) for 16 days.

British and Scottish police forces executed search warrants on 12 houses throughout the UK at 06:00 GMT on Wednesday, and seized thousands of files containing images of children being abused. Demon was praised for its cooperation with the investigation, which at the time the NCS said included allowing access to its servers. The NCS now claims that the ISP only provided it with publicly available information from newsgroup headers.

In an NCS press statement issued on Wednesday morning, detective superintendent Peter Spindler, who led the investigation and is billed as an expert in high-tech crime, said: "With the assistance of Demon Internet and the support and guidance of the National Hi-tech Crime Unit, we are able to show that those accessing these newsgroups did so regularly and with purpose." He also claimed on the Today programme that Demon was asked to image its servers for the duration of the investigation.

NCS has now retracted these statements, and admits that the terminology used was misleading. "'Imaged' was a phrase that I was given, which was the wrong phrase," said an NCS press officer. "We had access to the servers, but we didn't access any logs."

Used accurately, the "image" of a server refers to a complete copy of the server's contents, including all software and traffic logs held on it. "Spindler didn't mean what those of us in the industry would interpret that to mean -- he's not a technical expert, he's a policeman," added Ian Hood, director of corporate communications at Thus, the company that owns Demon.

The official line on Thursday was that NCS only had access to Demon's NNTP (network news transport protocol) servers, meaning that it had the same level of access to information as a member of the public with a Demon connection. "We created a direct connection between NCS and the newsgroup servers, and configured it so that they could download the messages very quickly," said Hood, to clarify the assistance that Demon provided. "We also kept the message base for longer than we would normally do so, so that they could check against old postings."

British privacy and policy-making groups, who have asked not to be named, are suspicious of the discrepancy between the original statement issued by NCS on Wednesday, which implied that it had access to Demon download logs, and the revised statements on Thursday. But NCS insists that the 10,000 IP addresses gathered through the investigation were obtained legally.

Demon Internet differs from most ISPs by giving its customers a static IP address. "It will always be trivial to go from Demon's NNTP server logs back to the user's account," said a technical expert at ZDNet UK. When the Regulation of Investigatory Powers Act (RIPA) part I, chapter II and the Anti-Terrorism Bill come into force, ISPs can be required to retain traffic data and must disclose, on the authority of a superintendent and without a warrant, all IP addresses of those subscribers downloading from any newsgroup.