As my former colleague Dave Walker touched upon in a comment in this blog there is a massive question over who has to provide CCDP interception capability if you’re a British Communication Service Provider.

Say you use the Amazon EC2 Cloud – the servers are all outside the UK: Ireland, US West/East/Central, South America, Far East – so none of them are impacted by CCDP, but if you’re a UK business you could end up having to modify your code, take extra logs and provide some means just in case the Government want to know what/whom you’ve been accessing/doing/talking to.

Case in point might be Netflix who use just such a cloud architecture – the Government might want to know in case you’ve been watching some terrorist movies or somesuch; or if you’ve set up one of the thousands of template-driven niche-specific dating websites (example1, example2, example3, example4, example5) which clearly enable communication between individuals.

Will these cloud-hosted sites have to have gchq-logging.php added to their codebase?

And will the module be open-source?

Smells like CALEA.