nanog mailing list archives
Re: Fed Bill Would Restrict Web Server Logs
From: "David G. Andersen" <dga+ () cs cmu edu>
Date: Tue, 14 Feb 2006 10:33:19 -0500
On Tue, Feb 14, 2006 at 09:47:50AM -0500, Jon R. Kibler scribed:
> http://www.politechbot.com/docs/markey.data.deletion.bill.020806.pdf to delete information about visitors, including e-mail addresses, if the data is no longer required for a "legitimate" business purpose.
>
> Original posting from Declan McCullagh's PoliTech mailing list. Thought NANOGers would be interested since, if this bill passes, it would impact almost all of us. Just imagine the impact on security of not being able to login IP address and referring page of all web server connections!
Call me weird, but I fail to see where the scary teeth lie in such a bill. First of all, it's phrased very abstractly and would hopefully have its language clarified by the time it escapes a committee.

Second, the bill is fairly clear about the meaning of personal information, and it doesn't include things like IP addresses in its examples; the latter would be a matter for a court to decide, and it's not clear cut at all:

"... that allows a living person to be identified individually, including ... : first and last name, home or physical address, ... "

Third, it says nothing at all about restricting what you can log:

"An owner of an Internet website shall destroy, within a reasonable period of time, any data containing personal information if the information is no longer necessary for the purpose for which it was collected or any other legitimate business purpose."

If you need IP address logging to ensure the security of your website, then that sounds like a pretty legitimate business practice. The more interesting question is how _long_ you need to keep the personal information around for your legitimate business purposes. A week? A month? A year? Ultimately, it would probably boil down to a dash of best practices and a pinch of CYA.

But there's nothing in there to freak out about for day to day operations. The worry is more that you'd probably have to ensure that your logs get blasted or sanitized according to a well-defined schedule. Which, when you think about it, might not be a bad thing at all.

-Dave

--
Dave Andersen dga () cs cmu edu
Assistant Professor 412.268.3064
Carnegie Mellon University http://www.cs.cmu.edu/~dga