Re: Fed Bill Would Restrict Web Server Logs
From: "David G. Andersen" <dga+ () cs cmu edu>
Date: Tue, 14 Feb 2006 10:33:19 -0500
On Tue, Feb 14, 2006 at 09:47:50AM -0500, Jon R. Kibler scribed:
> to delete information about visitors, including e-mail addresses, if the
> data is no longer required for a "legitimate" business purpose.
> Original posting from Declan McCullagh's PoliTech mailing list. Thought
> NANOGers would be interested since, if this bill passes, it would impact
> almost all of us. Just imagine the impact on security of not being able
> to log IP address and referring page of all web server connections!
Call me weird, but I fail to see where the scary teeth lie in such
a bill. First of all, it's phrased very abstractly and would hopefully
have its language clarified by the time it escapes a committee. Second,
the bill is fairly clear about the meaning of personal information, and
it doesn't include things like IP addresses in its examples; the latter
would be a matter for a court to decide, and it's not clear cut at all:
"... that allows a living person to be identified individually,
including ... : first and last name, home or physical
address, ... "
Third, it says nothing at all about restricting what you can log:
"An owner of an Internet website shall destroy, within
a reasonable period of time, any data containing personal
information if the information is no longer necessary for
the purpose for which it was collected or any other legitimate
If you need IP address logging to ensure the security of your website,
then that sounds like a pretty legitimate business practice. The more
interesting question is how _long_ you need to keep the personal
information around for your legitimate business purposes.
A week? A month? A year? Ultimately, it would probably boil down to
a dash of best practices and a pinch of CYA. But there's nothing
in there to freak out about for day to day operations. The worry
is more that you'd probably have to ensure that your logs get blasted or
sanitized according to a well-defined schedule. Which, when you
think about it, might not be a bad thing at all.
Dave Andersen dga () cs cmu edu
Assistant Professor 412.268.3064
Carnegie Mellon University http://www.cs.cmu.edu/~dga
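As an added illustration of the scheduled log sanitization Andersen describes (this is example code, not part of his post or of any NANOG project), the script below walks Apache "combined" format access log lines and, for entries older than a retention window, coarsens the client address (IPv4 to its /24, IPv6 to its /48) and blanks the referer, while leaving recent entries intact for security analysis. The log format, the 30-day window, the prefix lengths and the sample lines are all assumptions chosen for the example; the right window and masking granularity are exactly the "best practices plus CYA" question the post raises.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log format; assumed here, adjust the pattern for other formats.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (RFC 5737 / RFC 3849 documentation addresses), not real traffic.
SAMPLE_LINES = [
    '192.0.2.45 - - [13/Feb/2006:10:33:19 -0500] "GET /index.html HTTP/1.1" 200 1042 '
    '"http://www.example.com/start.html" "Mozilla/5.0"',
    '198.51.100.77 - - [10/Jan/2006:08:12:01 -0500] "GET /login HTTP/1.1" 200 512 '
    '"http://search.example.net/?q=secret" "Mozilla/5.0"',
    '2001:db8:1234:5678::1 - alice [02/Jan/2006:23:59:59 +0000] "POST /form HTTP/1.1" 302 - '
    '"-" "curl/7.15"',
    'this line is not in combined format',
]
# Fixed "now" so the example is reproducible; a real job would use datetime.now(timezone.utc).
NOW = datetime(2006, 2, 14, 15, 0, tzinfo=timezone.utc)
RETENTION_DAYS = 30  # assumed retention window


def mask_host(host: str) -> str:
    """Coarsen a client address: IPv4 to its /24, IPv6 to its /48.

    A value that is not an IP literal (for example a reverse-resolved hostname,
    which identifies the client at least as well as the address) is dropped."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "-"
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{host}/{prefix}", strict=False).network_address)


def sanitize_line(line: str, now: datetime, retention_days: int) -> str:
    """Return the line unchanged if it is inside the retention window, otherwise
    with the client address coarsened and the referer removed.

    Raises ValueError for lines that do not parse, so a format change cannot
    silently leave unsanitized data behind."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    when = datetime.strptime(m.group("time"), TIME_FMT)
    if now - when <= timedelta(days=retention_days):
        return line
    f = m.groupdict()
    f["host"] = mask_host(f["host"])
    f["referer"] = "-"
    return ('{host} {ident} {user} [{time}] "{request}" {status} {size} '
            '"{referer}" "{agent}"').format(**f)


def sanitize_log(lines, now, retention_days):
    """Sanitize every line; return (sanitized_lines, rejected_lines).

    Rejected lines are kept separately for a human to look at rather than being
    written back out, since the whole point is that nothing old escapes masking."""
    kept, rejected = [], []
    for line in lines:
        try:
            kept.append(sanitize_line(line, now, retention_days))
        except ValueError:
            rejected.append(line)
    return kept, rejected


if __name__ == "__main__":
    sanitized, rejected = sanitize_log(SAMPLE_LINES, NOW, RETENTION_DAYS)
    for line in sanitized:
        print(line)
    for line in rejected:
        print("REJECTED:", line)
```

Run nightly against rotated logs, this keeps the last month usable for abuse investigation while making anything older far harder to tie to an individual; if the retention period is later challenged, the schedule and the masking rule are written down in one place.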