Fed Bill Would Restrict Web Server Logs
Message: 3 Date: Thu, 09 Feb 2006 00:14:23 -0800 From: Declan McCullagh <declan@well.com> Subject: [Politech] Delete web server logs, or get fined by the Feds? Ed Markey's new bill [fs] To: politech@politechbot.com Message-ID: <43EAF9DF.2000602@well.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
I've posted the text here: http://www.politechbot.com/docs/markey.data.deletion.bill.020806.pdf
A summary is here: http://news.com.com/2100-1028_3-6036951.html "A bill just announced in Congress would require every Web site operator to delete information about visitors, including e-mail addresses, if the data is no longer required for a "legitimate" business purpose.
An open question is whether Rep. Ed Markey's bill would require that Internet addresses be deleted by default from Apache and other web server logs. One reading is that it would be. But it's not clear whether an IP address falls under the definition of personal information.
This bill applies to anyone running a web site, including individuals and bloggers. So it's not just companies that have to worry.
Original posting from Declan McCullagh's PoliTech mailing list. Thought NANOGers would be interested since, if this bill passes, it would impact almost all of us. Just imagine the impact on security of not being able to login IP address and referring page of all web server connections! Jon Kibler -- Jon R. Kibler Chief Technical Officer A.S.E.T., Inc. Charleston, SC USA (843) 849-8214 ================================================== Filtered by: TRUSTEM.COM's Email Filtering Service http://www.trustem.com/ No Spam. No Viruses. Just Good Clean Email.
On 2/14/06, Jon R. Kibler <Jon.Kibler@aset.com> wrote:
"A bill just announced in Congress would require every Web site operator to delete information about visitors, including e-mail addresses, if the data is no longer required for a "legitimate" business purpose.
Original posting from Declan McCullagh's PoliTech mailing list. Thought
"When no longer required for business purposes" Your syslog's logrotate function does that for you already, for all reasonable purposes .. blows away logs that are say a week old. Email addresses etc - I guess that's cookie data etc. Or any other data that you gather but dont state a purpose for .. if you gather data saying you want to market to them, fine. If you gather data like that as part of a profile on a blog, fine. No hassles that I can see there. This kind of checks privacy violations / abuse that goes on when data is collected without your knowledge, or used for purposes you didnt intend it to be used for but didnt read fine print, or the people collecting your data dont care about reselling it to others. -- Suresh Ramasubramanian (ops.lists@gmail.com)
Suresh Ramasubramanian wrote:
On 2/14/06, Jon R. Kibler <Jon.Kibler@aset.com> wrote:
"A bill just announced in Congress would require every Web site operator to delete information about visitors, including e-mail addresses, if the data is no longer required for a "legitimate" business purpose. Original posting from Declan McCullagh's PoliTech mailing list. Thought "When no longer required for business purposes" Your syslog's logrotate function does that for you already, for all reasonable purposes .. blows away logs that are say a week old.
Speaking with my e-commerce vendor hat on, server logs (apache, mail, application audit logs) and other information about visitors (especially those who have conducted a purchase transaction with us, or signed up to our newsletter) never stop having a business purpose - it's called referential integrity. We want to use them to track the behaviour fraudulent users for example. We also want to learn about how people use our site to make it easier. We want to ensure our mail systems are not approaching capacity. We want to know if our spam filtering is working, and how its use changes over time. etc.,etc.,etc. These are all business purposes. It's interesting that the US government is requiring less user data is stored when European politicians are calling for greater data and log retention rules.
On Tue, 14 Feb 2006 16:14:11 GMT, Andy Davidson said:
It's interesting that the US government is requiring less user data is stored when European politicians are calling for greater data and log retention rules.
Obviously, none of the Total Info Awareness proponents were able to get their tentacles involved here...
On Tue, Feb 14, 2006 at 11:31:48AM -0500, Valdis.Kletnieks@vt.edu wrote:
On Tue, 14 Feb 2006 16:14:11 GMT, Andy Davidson said:
It's interesting that the US government is requiring less user data is stored when European politicians are calling for greater data and log retention rules.
Obviously, none of the Total Info Awareness proponents were able to get their tentacles involved here...
Hum... tentacles... http://www.cthulhu.org/cthulhu/index.html --bill unsigned email is a sign of plausable deniability...
On Tue, Feb 14, 2006 at 09:47:50AM -0500, Jon R. Kibler scribed:
http://www.politechbot.com/docs/markey.data.deletion.bill.020806.pdf
to delete information about visitors, including e-mail addresses, if the data is no longer required for a "legitimate" business purpose.
Original posting from Declan McCullagh's PoliTech mailing list. Thought NANOGers would be interested since, if this bill passes, it would impact almost all of us. Just imagine the impact on security of not being able to login IP address and referring page of all web server connections!
Call me weird, but I fail to see where the scary teeth lie in such a bill. First of all, it's phrased very abstractly and would hopefully have its language clarified by the time it escapes a committee. Second, the bill is fairly clear about the meaning of personal information, and it doesn't include things like IP addresses in its examples; the latter would be a matter for a court to decide, and it's not clear cut at all: "... that allows a living person to be identified individually, including ... : first and last name, home or physical address, ... " Third, it says nothing at all about restricting what you can log: "An owner of an Internet website shall destroy, within a reasonable period of time, any data containing personal information if the information is no longer necessary for the purpose for which it was collected or any other legitimate business purpose." If you need IP address logging to ensure the security of your website, then that sounds like a pretty legitimate business practice. The more interesting question is how _long_ you need to keep the personal information around for your for your legitimate business purposes. A week? A month? A year? Ultimately, it would probably boil down to a dash of best practices and a pinch of CYA. But there's nothing in there to freak out about for day to day operations. The worry is more that you'd probably have to ensure that your logs get blasted or sanitized according to a well-defined schedule. Which, when you think about it, might not be a bad thing at all. -Dave -- Dave Andersen dga@cs.cmu.edu Assistant Professor 412.268.3064 Carnegie Mellon University http://www.cs.cmu.edu/~dga
On Tue, Feb 14, 2006 at 10:33:19AM -0500, David G. Andersen wrote:
On Tue, Feb 14, 2006 at 09:47:50AM -0500, Jon R. Kibler scribed:
http://www.politechbot.com/docs/markey.data.deletion.bill.020806.pdf
to delete information about visitors, including e-mail addresses, if the data is no longer required for a "legitimate" business purpose.
Original posting from Declan McCullagh's PoliTech mailing list. Thought NANOGers would be interested since, if this bill passes, it would impact almost all of us. Just imagine the impact on security of not being able to login IP address and referring page of all web server connections!
Call me weird, but I fail to see where the scary teeth lie in such a bill. First of all, it's phrased very abstractly and would hopefully have its language clarified by the time it escapes a committee. Second, the bill is fairly clear about the meaning of personal information, and it doesn't include things like IP addresses in its examples; the latter would be a matter for a court to decide, and it's not clear cut at all:
Strange thing is that we have exact the opposite here in Europe. There is a new bill that has been passed that forces us to keep al logs (mail and web) for at least 1 or 2 years. Vriendelijke groeten, Frank Louwers -- Openminds bvba www.openminds.be Tweebruggenstraat 16 - 9000 Gent - Belgium
On 2/14/06, Frank Louwers <frank@openminds.be> wrote:
Strange thing is that we have exact the opposite here in Europe. There is a new bill that has been passed that forces us to keep al logs (mail and web) for at least 1 or 2 years.
6 months to 2 years I think. http://blogs.iht.com/tribtalk/technology/2006/02/09/subpoena_disclosures_to_... --srs -- Suresh Ramasubramanian (ops.lists@gmail.com)
Mark Borchers wrote:
Strange thing is that we have exact the opposite here in Europe. There is a new bill that has been passed that forces us to keep al logs (mail and web) for at least 1 or 2 years.
Vriendelijke groeten, Frank Louwers
That is far scarier.
Which hard drive vendor wrote that law? They're the only people who will benefit from it. -- Jeff Shultz
* Frank Louwers:
Strange thing is that we have exact the opposite here in Europe. There is a new bill that has been passed that forces us to keep al logs (mail and web) for at least 1 or 2 years.
It's not a bill, it's a EU directive which still has to be implemented in national law. Nothing in the directive requires that operators of non-interactive web sites (the vast majority) retain any data. Only if you identify your users, you might be required to keep some logs. Implementation in national law might change that, especially since the directive is remarkably unclear about the selection criteria used for mapping communication events to individuals.
I guess the question is how to read "legitimate" word. ^.^ I guess the bill was written in mind of privacy concern. But also there is some requirement for security/law-enforcement viewpoint. I received the request from some law-enforcement about actual user of IP address 3 year ago or older. Without all log info, how can I tell it? It seems this bill will bring more ISP/ASP to the court to clarify what is legitimate or not.
From privacy viewpoint, I guess people wants to remove all their trace from the Internet. But from security and practical concerns from ISP/ASP, they want to have all traces from the people.
I think the government needs to enforce ISP/ASP to keep all trace for certain level, but with more stricted access method. I'm really curious whether this was a kind of post-action to the cell-phone use log business such as locatecell.com or something like that. Hyun Jon R. Kibler wrote:
Message: 3 Date: Thu, 09 Feb 2006 00:14:23 -0800 From: Declan McCullagh <declan@well.com> Subject: [Politech] Delete web server logs, or get fined by the Feds? Ed Markey's new bill [fs] To: politech@politechbot.com Message-ID: <43EAF9DF.2000602@well.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
I've posted the text here: http://www.politechbot.com/docs/markey.data.deletion.bill.020806.pdf
A summary is here: http://news.com.com/2100-1028_3-6036951.html "A bill just announced in Congress would require every Web site operator to delete information about visitors, including e-mail addresses, if the data is no longer required for a "legitimate" business purpose.
An open question is whether Rep. Ed Markey's bill would require that Internet addresses be deleted by default from Apache and other web server logs. One reading is that it would be. But it's not clear whether an IP address falls under the definition of personal information.
This bill applies to anyone running a web site, including individuals and bloggers. So it's not just companies that have to worry.
Original posting from Declan McCullagh's PoliTech mailing list. Thought NANOGers would be interested since, if this bill passes, it would impact almost all of us. Just imagine the impact on security of not being able to login IP address and referring page of all web server connections!
Jon Kibler
On Tue, 14 Feb 2006, Hyunseog Ryu wrote:
I guess the question is how to read "legitimate" word. ^.^ I guess the bill was written in mind of privacy concern. But also there is some requirement for security/law-enforcement viewpoint. I received the request from some law-enforcement about actual user of IP address 3 year ago or older. Without all log info, how can I tell it?
In the context of the legislation in question, if the user is still a current customer, you have a legitimate business use for the data. If the user was no longer a customer, I would surmise that you should have purged it, as you would no longer have a need for that user's personal data.
I'm really curious whether this was a kind of post-action to the cell-phone use log business such as locatecell.com or something like that.
An exploration of the side effects would be interesting. I think it'll provide a legal cudgel for mailing lists and opt-in tracking, as well as ensuring that your information is purged when/if you opt-out. It may also have dampening effects on the sale/trade of personal information, as it would now be questionably criminal to possess the personally identifying information of a person you have engaged in zero business with.
From the text of the bill, there are some pretty loose points that'll give lawyers a lot of vine to swing from, including the definition of 'legitimate business practice'. Associating all of it to 'Internet website', as defined, is another loophole waiting to happen.
I think the single best element of the bill is the declaration that consumers have an ownership in interest in their personal information. Owndership implies control, and by extension, some amount of control in who gets to have it. I'd like to see what happens when the final bill is mated with US Federal CAN-SPAM law. - billn
This is a pro-privacy bill that would regulate business, and it's been introduced by a Democrat in a Republican-controlled Congress with a Republican president, at a time when privacy is out of favor. It's not going to pass. (To me, of course, that's a bug, especially since I'd rather that stronger privacy legislation were passed. But I'm not holding my breath.) --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Original posting from Declan McCullagh's PoliTech mailing list. Thought NANOGers would be interested since, if this bill passes, it would impact almost all of us. Just imagine the impact on security of not being able to login IP address and referring page of all web server connections!
Seems to me that security would be a "legitimate business purpose" for keeping the information around. Owen -- If it wasn't crypto-signed, it probably didn't come from me.
participants (14)
-
Andy Davidson
-
Bill Nash
-
bmanning@vacation.karoshi.com
-
David G. Andersen
-
Florian Weimer
-
Frank Louwers
-
Hyunseog Ryu
-
Jeff Shultz
-
Jon R. Kibler
-
Mark Borchers
-
Owen DeLong
-
Steven M. Bellovin
-
Suresh Ramasubramanian
-
Valdis.Kletnieks@vt.edu