On Tue, Feb 14, 2006 at 09:47:50AM -0500, Jon R. Kibler scribed:
http://www.politechbot.com/docs/markey.data.deletion.bill.020806.pdf
to delete information about visitors, including e-mail addresses, if the data is no longer required for a "legitimate" business purpose.
Original posting from Declan McCullagh's PoliTech mailing list. Thought NANOGers would be interested since, if this bill passes, it would impact almost all of us. Just imagine the impact on security of not being able to log IP address and referring page of all web server connections!
Call me weird, but I fail to see where the scary teeth lie in such a bill.

First of all, it's phrased very abstractly and would hopefully have its language clarified by the time it escapes a committee.

Second, the bill is fairly clear about the meaning of personal information, and it doesn't include things like IP addresses in its examples; the latter would be a matter for a court to decide, and it's not clear-cut at all:

"... that allows a living person to be identified individually, including ... : first and last name, home or physical address, ... "

Third, it says nothing at all about restricting what you can log:

"An owner of an Internet website shall destroy, within a reasonable period of time, any data containing personal information if the information is no longer necessary for the purpose for which it was collected or any other legitimate business purpose."

If you need IP address logging to ensure the security of your website, then that sounds like a pretty legitimate business practice. The more interesting question is how _long_ you need to keep the personal information around for your legitimate business purposes. A week? A month? A year? Ultimately, it would probably boil down to a dash of best practices and a pinch of CYA.

But there's nothing in there to freak out about for day-to-day operations. The worry is more that you'd probably have to ensure that your logs get blasted or sanitized according to a well-defined schedule. Which, when you think about it, might not be a bad thing at all.

-Dave

--
Dave Andersen dga@cs.cmu.edu
Assistant Professor 412.268.3064
Carnegie Mellon University http://www.cs.cmu.edu/~dga