Fed Bill Would Restrict Web Server Logs
Message: 3 Date: Thu, 09 Feb 2006 00:14:23 -0800 From: Declan McCullagh declan@well.com Subject: [Politech] Delete web server logs, or get fined by the Feds? Ed Markey's new bill [fs] To: politech@politechbot.com Message-ID: [EMAIL PROTECTED] Content-Type: text/plain; charset=ISO-8859-1; format=flowed I've posted the text here: http://www.politechbot.com/docs/markey.data.deletion.bill.020806.pdf A summary is here: http://news.com.com/2100-1028_3-6036951.html A bill just announced in Congress would require every Web site operator to delete information about visitors, including e-mail addresses, if the data is no longer required for a legitimate business purpose. An open question is whether Rep. Ed Markey's bill would require that Internet addresses be deleted by default from Apache and other web server logs. One reading is that it would be. But it's not clear whether an IP address falls under the definition of personal information. This bill applies to anyone running a web site, including individuals and bloggers. So it's not just companies that have to worry. Original posting from Declan McCullagh's PoliTech mailing list. Thought NANOGers would be interested since, if this bill passes, it would impact almost all of us. Just imagine the impact on security of not being able to login IP address and referring page of all web server connections! Jon Kibler -- Jon R. Kibler Chief Technical Officer A.S.E.T., Inc. Charleston, SC USA (843) 849-8214 == Filtered by: TRUSTEM.COM's Email Filtering Service http://www.trustem.com/ No Spam. No Viruses. Just Good Clean Email.
Re: Fed Bill Would Restrict Web Server Logs
On 2/14/06, Jon R. Kibler [EMAIL PROTECTED] wrote: A bill just announced in Congress would require every Web site operator to delete information about visitors, including e-mail addresses, if the data is no longer required for a legitimate business purpose. Original posting from Declan McCullagh's PoliTech mailing list. Thought When no longer required for business purposes Your syslog's logrotate function does that for you already, for all reasonable purposes .. blows away logs that are say a week old. Email addresses etc - I guess that's cookie data etc. Or any other data that you gather but dont state a purpose for .. if you gather data saying you want to market to them, fine. If you gather data like that as part of a profile on a blog, fine. No hassles that I can see there. This kind of checks privacy violations / abuse that goes on when data is collected without your knowledge, or used for purposes you didnt intend it to be used for but didnt read fine print, or the people collecting your data dont care about reselling it to others. -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Fed Bill Would Restrict Web Server Logs
On Tue, Feb 14, 2006 at 09:47:50AM -0500, Jon R. Kibler scribed: http://www.politechbot.com/docs/markey.data.deletion.bill.020806.pdf to delete information about visitors, including e-mail addresses, if the data is no longer required for a legitimate business purpose. Original posting from Declan McCullagh's PoliTech mailing list. Thought NANOGers would be interested since, if this bill passes, it would impact almost all of us. Just imagine the impact on security of not being able to login IP address and referring page of all web server connections! Call me weird, but I fail to see where the scary teeth lie in such a bill. First of all, it's phrased very abstractly and would hopefully have its language clarified by the time it escapes a committee. Second, the bill is fairly clear about the meaning of personal information, and it doesn't include things like IP addresses in its examples; the latter would be a matter for a court to decide, and it's not clear cut at all: ... that allows a living person to be identified individually, including ... : first and last name, home or physical address, ... Third, it says nothing at all about restricting what you can log: An owner of an Internet website shall destroy, within a reasonable period of time, any data containing personal information if the information is no longer necessary for the purpose for which it was collected or any other legitimate business purpose. If you need IP address logging to ensure the security of your website, then that sounds like a pretty legitimate business practice. The more interesting question is how _long_ you need to keep the personal information around for your for your legitimate business purposes. A week? A month? A year? Ultimately, it would probably boil down to a dash of best practices and a pinch of CYA. But there's nothing in there to freak out about for day to day operations. The worry is more that you'd probably have to ensure that your logs get blasted or sanitized according to a well-defined schedule. Which, when you think about it, might not be a bad thing at all. -Dave -- Dave Andersen [EMAIL PROTECTED] Assistant Professor 412.268.3064 Carnegie Mellon Universityhttp://www.cs.cmu.edu/~dga
Re: Fed Bill Would Restrict Web Server Logs
On Tue, Feb 14, 2006 at 10:33:19AM -0500, David G. Andersen wrote: On Tue, Feb 14, 2006 at 09:47:50AM -0500, Jon R. Kibler scribed: http://www.politechbot.com/docs/markey.data.deletion.bill.020806.pdf to delete information about visitors, including e-mail addresses, if the data is no longer required for a legitimate business purpose. Original posting from Declan McCullagh's PoliTech mailing list. Thought NANOGers would be interested since, if this bill passes, it would impact almost all of us. Just imagine the impact on security of not being able to login IP address and referring page of all web server connections! Call me weird, but I fail to see where the scary teeth lie in such a bill. First of all, it's phrased very abstractly and would hopefully have its language clarified by the time it escapes a committee. Second, the bill is fairly clear about the meaning of personal information, and it doesn't include things like IP addresses in its examples; the latter would be a matter for a court to decide, and it's not clear cut at all: Strange thing is that we have exact the opposite here in Europe. There is a new bill that has been passed that forces us to keep al logs (mail and web) for at least 1 or 2 years. Vriendelijke groeten, Frank Louwers -- Openminds bvbawww.openminds.be Tweebruggenstraat 16 - 9000 Gent - Belgium
Re: Fed Bill Would Restrict Web Server Logs
On 2/14/06, Frank Louwers [EMAIL PROTECTED] wrote: Strange thing is that we have exact the opposite here in Europe. There is a new bill that has been passed that forces us to keep al logs (mail and web) for at least 1 or 2 years. 6 months to 2 years I think. http://blogs.iht.com/tribtalk/technology/2006/02/09/subpoena_disclosures_to_protec/ --srs -- Suresh Ramasubramanian ([EMAIL PROTECTED])
RE: Fed Bill Would Restrict Web Server Logs
Strange thing is that we have exact the opposite here in Europe. There is a new bill that has been passed that forces us to keep al logs (mail and web) for at least 1 or 2 years. Vriendelijke groeten, Frank Louwers That is far scarier.
Re: Fed Bill Would Restrict Web Server Logs
Suresh Ramasubramanian wrote: On 2/14/06, Jon R. Kibler [EMAIL PROTECTED] wrote: A bill just announced in Congress would require every Web site operator to delete information about visitors, including e-mail addresses, if the data is no longer required for a legitimate business purpose. Original posting from Declan McCullagh's PoliTech mailing list. Thought When no longer required for business purposes Your syslog's logrotate function does that for you already, for all reasonable purposes .. blows away logs that are say a week old. Speaking with my e-commerce vendor hat on, server logs (apache, mail, application audit logs) and other information about visitors (especially those who have conducted a purchase transaction with us, or signed up to our newsletter) never stop having a business purpose - it's called referential integrity. We want to use them to track the behaviour fraudulent users for example. We also want to learn about how people use our site to make it easier. We want to ensure our mail systems are not approaching capacity. We want to know if our spam filtering is working, and how its use changes over time. etc.,etc.,etc. These are all business purposes. It's interesting that the US government is requiring less user data is stored when European politicians are calling for greater data and log retention rules.
RE: Fed Bill Would Restrict Web Server Logs
From: Andy Davidson Speaking with my e-commerce vendor hat on, server logs (apache, mail, application audit logs) and other information about visitors (especially those who have conducted a purchase transaction with us, or signed up to our newsletter) never stop having a business purpose - it's called referential integrity. We want to use them to track the behaviour fraudulent users for example. Anyone who runs mailing lists has to keep that info to be able to prove how and when someone opted in. David
Re: Fed Bill Would Restrict Web Server Logs
Mark Borchers wrote: Strange thing is that we have exact the opposite here in Europe. There is a new bill that has been passed that forces us to keep al logs (mail and web) for at least 1 or 2 years. Vriendelijke groeten, Frank Louwers That is far scarier. Which hard drive vendor wrote that law? They're the only people who will benefit from it. -- Jeff Shultz
Re: Fed Bill Would Restrict Web Server Logs
On Tue, 14 Feb 2006 16:14:11 GMT, Andy Davidson said: It's interesting that the US government is requiring less user data is stored when European politicians are calling for greater data and log retention rules. Obviously, none of the Total Info Awareness proponents were able to get their tentacles involved here... pgp0EPyQw2MJj.pgp Description: PGP signature
RE: Fed Bill Would Restrict Web Server Logs
On Tue, 14 Feb 2006, David Hubbard wrote: From: Andy Davidson Speaking with my e-commerce vendor hat on, server logs (apache, mail, application audit logs) and other information about visitors (especially those who have conducted a purchase transaction with us, or signed up to our newsletter) never stop having a business purpose - it's called referential integrity. We want to use them to track the behaviour fraudulent users for example. Anyone who runs mailing lists has to keep that info to be able to prove how and when someone opted in. Have you ever tried getting opt-in information out of someone, especially when they know they've screwed up? You practically need a subpeona to do it. In many cases (I went through this recently with ZDnet) you literally have to play the escalation game just to rattle enough cages to get people to realize you're a: serious and b: not a kook. Oddly enough, I have the hardest time with the latter. ;) It'll be interesting to see what this legislation looks like when/if it gets signed. Maybe it'll finally be the extra kick I need to get some of our larger databases purged. - billn
Re: Fed Bill Would Restrict Web Server Logs
I guess the question is how to read legitimate word. ^.^ I guess the bill was written in mind of privacy concern. But also there is some requirement for security/law-enforcement viewpoint. I received the request from some law-enforcement about actual user of IP address 3 year ago or older. Without all log info, how can I tell it? It seems this bill will bring more ISP/ASP to the court to clarify what is legitimate or not. From privacy viewpoint, I guess people wants to remove all their trace from the Internet. But from security and practical concerns from ISP/ASP, they want to have all traces from the people. I think the government needs to enforce ISP/ASP to keep all trace for certain level, but with more stricted access method. I'm really curious whether this was a kind of post-action to the cell-phone use log business such as locatecell.com or something like that. Hyun Jon R. Kibler wrote: Message: 3 Date: Thu, 09 Feb 2006 00:14:23 -0800 From: Declan McCullagh declan@well.com Subject: [Politech] Delete web server logs, or get fined by the Feds? Ed Markey's new bill [fs] To: politech@politechbot.com Message-ID: [EMAIL PROTECTED] Content-Type: text/plain; charset=ISO-8859-1; format=flowed I've posted the text here: http://www.politechbot.com/docs/markey.data.deletion.bill.020806.pdf A summary is here: http://news.com.com/2100-1028_3-6036951.html A bill just announced in Congress would require every Web site operator to delete information about visitors, including e-mail addresses, if the data is no longer required for a legitimate business purpose. An open question is whether Rep. Ed Markey's bill would require that Internet addresses be deleted by default from Apache and other web server logs. One reading is that it would be. But it's not clear whether an IP address falls under the definition of personal information. This bill applies to anyone running a web site, including individuals and bloggers. So it's not just companies that have to worry. Original posting from Declan McCullagh's PoliTech mailing list. Thought NANOGers would be interested since, if this bill passes, it would impact almost all of us. Just imagine the impact on security of not being able to login IP address and referring page of all web server connections! Jon Kibler
Re: Fed Bill Would Restrict Web Server Logs
Date: Tue, 14 Feb 2006 09:47:50 -0500 From: Jon R. Kibler [EMAIL PROTECTED] Date: Thu, 09 Feb 2006 00:14:23 -0800 From: Declan McCullagh declan@well.com I've posted the text here: http://www.politechbot.com/docs/markey.data.deletion.bill.020806.pdf A summary is here: http://news.com.com/2100-1028_3-6036951.html A bill just announced in Congress would require every Web site operator to delete information about visitors, including e-mail addresses, if the data is no longer required for a legitimate business purpose. An open question is whether Rep. Ed Markey's bill would require that Internet addresses be deleted by default from Apache and other web server logs. One reading is that it would be. But it's not clear whether an IP address falls under the definition of personal information. This bill applies to anyone running a web site, including individuals and bloggers. So it's not just companies that have to worry. Original posting from Declan McCullagh's PoliTech mailing list. Thought NANOGers would be interested since, if this bill passes, it would impact almost all of us. Just imagine the impact on security of not being able to login IP address and referring page of all web server connections! Jon: The proposed bill states to delete when data is no longer required for legitimate business purposes. If you business model requires that you keep the logs for some tracking function, then keep them. As long as the logs are required for business purposes. Once the business purpose finishes, then delete them. How is this different that the way we operate now? Except that, if the bill passes, then - possible/probably - our privacy policy (such as they are) will have to state the business purposes... IANAL, but my $0.002 worth. Regards, Gregory Hicks --- Gregory Hicks| Principal Systems Engineer Cadence Design Systems | Direct: 408.576.3609 555 River Oaks Pkwy M/S 6B1 San Jose, CA 95134 I am perfectly capable of learning from my mistakes. I will surely learn a great deal today. A democracy is a sheep and two wolves deciding on what to have for lunch. Freedom is a well armed sheep contesting the results of the decision. - Benjamin Franklin The best we can hope for concerning the people at large is that they be properly armed. --Alexander Hamilton
Re: Fed Bill Would Restrict Web Server Logs
This is a pro-privacy bill that would regulate business, and it's been introduced by a Democrat in a Republican-controlled Congress with a Republican president, at a time when privacy is out of favor. It's not going to pass. (To me, of course, that's a bug, especially since I'd rather that stronger privacy legislation were passed. But I'm not holding my breath.) --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: Fed Bill Would Restrict Web Server Logs
On Tue, 14 Feb 2006, Hyunseog Ryu wrote: I guess the question is how to read legitimate word. ^.^ I guess the bill was written in mind of privacy concern. But also there is some requirement for security/law-enforcement viewpoint. I received the request from some law-enforcement about actual user of IP address 3 year ago or older. Without all log info, how can I tell it? In the context of the legislation in question, if the user is still a current customer, you have a legitimate business use for the data. If the user was no longer a customer, I would surmise that you should have purged it, as you would no longer have a need for that user's personal data. I'm really curious whether this was a kind of post-action to the cell-phone use log business such as locatecell.com or something like that. An exploration of the side effects would be interesting. I think it'll provide a legal cudgel for mailing lists and opt-in tracking, as well as ensuring that your information is purged when/if you opt-out. It may also have dampening effects on the sale/trade of personal information, as it would now be questionably criminal to possess the personally identifying information of a person you have engaged in zero business with. From the text of the bill, there are some pretty loose points that'll give lawyers a lot of vine to swing from, including the definition of 'legitimate business practice'. Associating all of it to 'Internet website', as defined, is another loophole waiting to happen. I think the single best element of the bill is the declaration that consumers have an ownership in interest in their personal information. Owndership implies control, and by extension, some amount of control in who gets to have it. I'd like to see what happens when the final bill is mated with US Federal CAN-SPAM law. - billn
Re: Fed Bill Would Restrict Web Server Logs
On Tue, Feb 14, 2006 at 11:31:48AM -0500, [EMAIL PROTECTED] wrote: On Tue, 14 Feb 2006 16:14:11 GMT, Andy Davidson said: It's interesting that the US government is requiring less user data is stored when European politicians are calling for greater data and log retention rules. Obviously, none of the Total Info Awareness proponents were able to get their tentacles involved here... Hum... tentacles... http://www.cthulhu.org/cthulhu/index.html --bill unsigned email is a sign of plausable deniability...
Re: Fed Bill Would Restrict Web Server Logs
* Frank Louwers: Strange thing is that we have exact the opposite here in Europe. There is a new bill that has been passed that forces us to keep al logs (mail and web) for at least 1 or 2 years. It's not a bill, it's a EU directive which still has to be implemented in national law. Nothing in the directive requires that operators of non-interactive web sites (the vast majority) retain any data. Only if you identify your users, you might be required to keep some logs. Implementation in national law might change that, especially since the directive is remarkably unclear about the selection criteria used for mapping communication events to individuals.
Re: Fed Bill Would Restrict Web Server Logs
Original posting from Declan McCullagh's PoliTech mailing list. Thought NANOGers would be interested since, if this bill passes, it would impact almost all of us. Just imagine the impact on security of not being able to login IP address and referring page of all web server connections! Seems to me that security would be a legitimate business purpose for keeping the information around. Owen -- If it wasn't crypto-signed, it probably didn't come from me. pgpnpH8YSLGet.pgp Description: PGP signature
