
Re: Fed Bill Would Restrict Web Server Logs
From: "David G. Andersen" <dga+ () cs cmu edu>
Date: Tue, 14 Feb 2006 10:33:19 -0500

On Tue, Feb 14, 2006 at 09:47:50AM -0500, Jon R. Kibler scribed:


to delete information about visitors, including e-mail addresses, if the 
data is no longer required for a "legitimate" business purpose.

Original posting from Declan McCullagh's PoliTech mailing list. Thought
NANOGers would be interested since, if this bill passes, it would impact
almost all of us. Just imagine the impact on security of not being able
to log IP address and referring page of all web server connections!

Call me weird, but I fail to see where the scary teeth lie in such
a bill.  First of all, it's phrased very abstractly and would hopefully
have its language clarified by the time it escapes a committee.  Second,
the bill is fairly clear about the meaning of personal information, and
it doesn't include things like IP addresses in its examples; the latter
would be a matter for a court to decide, and it's not clear cut at all:

  "... that allows a living person to be identified individually,
   including ... : first and last name, home or physical
   address, ... "

Third, it says nothing at all about restricting what you can log:

  "An owner of an Internet website shall destroy, within
   a reasonable period of time, any data containing personal
   information if the information is no longer necessary for
   the purpose for which it was collected or any other legitimate
   business purpose."

If you need IP address logging to ensure the security of your website,
then that sounds like a pretty legitimate business practice.  The more
interesting question is how _long_ you need to keep the personal
information around for your legitimate business purposes.
A week?  A month?  A year?  Ultimately, it would probably boil down to
a dash of best practices and a pinch of CYA.  But there's nothing
in there to freak out about for day to day operations.  The worry
is more that you'd probably have to ensure that your logs get blasted or
sanitized according to a well-defined schedule.  Which, when you
think about it, might not be a bad thing at all.


Dave Andersen                                 dga () cs cmu edu
Assistant Professor                           412.268.3064
Carnegie Mellon University                    http://www.cs.cmu.edu/~dga
