A real Internet connection

Just as you do not expect the highways agency to stop any cars coming down your road so you can let your children play on the tarmac unsupervised, please don't expect us to try and block unsavoury content on the Internet - we could not do that even if we wanted to - just look at how ineffective blocks on the pirate bay have become, and that is just trying to block one web site!

Recent OFCOM reports show that kids know how to bypass blocks and that most parents feel that their children know more than they do about the Internet.

Simply use a search engine to look for parental controls - there are many packages, free, and paid for, and even built in to many computers to help manage access to the Internet on a per user, and age appropriate, basis. If you are not sure, please do call our support staff who can point you in the right direction, or consider simply supervising younger children instead.

We do have some tools to help if you are trying to avoid some accidental access to unsavoury material for younger children. Ensuring safe search is set on search pages is a start. But there are tools you control if you want. We can pre-configure the router we supply with alternative DNS servers such as openDNS if you wish - just ask support. But do not be lulled in to any false sense of security - this is good to help with younger children and accidental exposure to some web sites, that is all.

Nat is evil ;-)

It is an important part of the design principles of internet protocol (IP) that every endpoint has a unique globally routable address. That does not mean there are no firewalls, but it does mean that subject to firewalls and filters a packet can be addressed to any end point on the internet using its unique IP address. Systems like NAT (network address translation) break that. They work by tracking sessions to route reply traffic and having redirection rules. They work well for a small subset of possible uses of internet protocol. The widespread use of NAT limits the development of internet protocols and stifles innovation.

Now that legacy IPv4 has finally run out in Europe, this means that many new connections will only get one external public non-NAT IPv4 address. This often means customers end up using NAT for IPv4. However, we have no Carrier Grade NAT in our network. You can route and use that one fixed legacy IPv4 address as you wish in your network. Any NAT you have is on your router and under your control.

For the current version of IP, IPv6, we provide a large allocation (/48) and allow you to route one or more /64 or larger block as you need to each line or site that you have. This allows your own network to operate without any NAT.

For those wishing to experiment with IPv6 only networks accessing legacy IPv4 addresses, as a temporary measure (until the world catches up), we do have a public NAT64 gateway you can use if you wish.

It is worth bearing in mind that even a real Internet connection has limits. There are limits on the rate of your line because of the DSL sync speed. IP never guarantees that all packets arrive, in order, and not duplicated. However, we are not imposing any artificial limits on your internet connection. We don't traffic shape any protocols to slow down your link in any way (unless you ask us to, e.g. giving VoIP priority). We do have clear 1500 byte IP to our core network where we have 1500 byte peering and transit. If you use PPPoE there is a lower MTU (1492) which is part of the protocol, but we support 1500 byte PPPoE on lines or where your equipment can handle it. We provide native IPv6 with clear 1500 byte packets throughout our network and peering and transit links.

You can opt for tariffs, such as Home::1, which have specific usage limits that stop or slow your service unless you top up or wait for a new month to start.

We specifically monitor traffic levels and make this available to you. If we are helping you debug a problem we can monitor traffic for you in real time, but we don't keep that data. All of our servers which you use (e.g. email, web servers, VoIP, etc.) have logs which are kept for a few months, but you do not have to use our servers if you do not want to. Some services can log things if we are diagnosing an issue (e.g. DNS resolvers) but do not normally do so and any debugging logs are deleted as part of normal log rotation. We don't log the content of VoIP calls, though you can ask us to make call recordings (which we email to you), as can the person you are talking to (using our services or someone else's), so best to assume calls might be recorded.

We keep PPP negotiation logs for a few months too, for debugging line and router issues. Some servers have diagnostic logs that hold some data for a few days (e.g. SIP control traffic) for debugging, but only relevant if you use our servers. We do not run anything like Phorm, and never will.

The law is such that we may, one day, have to add such black boxes, but we would resist as far as possible. We may even find we are not allowed to change this web page if ever that happens. However, our Company Director, is happy to answer direct questions on this matter on irc (user RevK) or on twitter (@TheRealRevK). If black boxes become mandatory we aim to find ways and services to maintain the basic human right to privacy.

• We have never had an intercept order to intercept any communications on our network or in our equipment
• We have never had a maintenance of capability order for interception on our network or in our equipment
• We have never had a data retention order, and only retain some data as needed for normal diagnostics and business purposes as detailed above
• We have had RIPA requests, rarely, to identify an account holder (we stress that we cannot identify a user) from an IP or phone number. Many of these are invalid (e.g. spoofed phone number that has never been issued to a customer).

So, practical steps that we should all take to make covert monitoring harder and to make encryption normal and not an indication of something to hide.

Wherever possible access web sites using https. This provides end to end encryption. Be suspicious of errors reported. The site does not actually have to be with a well known CA to be secure from passive snooping and if you really want to be careful you need to check the certificate manually by some other means. In fact, a site not using a CA that is in your browser means setting a manual exception and as such you will be told if the site certificate changes which gives you more information than sites that do use a standard CA. If you want to know more - read up on TLS and HTTPS and how it works.

Make use of end to end email encryption such as pgp. This allows you to ensure the email is encrypted right up to the actual recipient, though the email addresses and subject and other headers are not encrypted.

Use secure POP3, IMAP and SMTP. We offer all of these for email sending and receipt. This means the link from you to us is encrypted and BT could not snoop on the email even just to see your email addresses used. Where available we will use secure encryption to the next mail server but this only protects against passive snooping on intermediate links.

If you are worried about us logging your email, send email directly using MX records and receive directly to your own mail server. The current legislations means we would not log anything in that case even if asked to. If you really want, use secure SMTP in such cases where possible to make it impossible for us or BT to log anything. Our support desk can provide help and advice on setting up your own mail server.

Use encryption as much as possible for all normal traffic. This is important. Encryption should be as normal as using opaque envelopes when sending things via the Royal Mail. The more people using encryption for normal traffic the more the argument of having something to hide falls down. Use https for twitter and facebook and any other normal communications.