Re: question regarding US requirements for journaling public email (possible legislation?)

2012-01-06 Thread Steven Bellovin

On Jan 5, 2012, at 11:05 37PM, Suresh Ramasubramanian wrote:

> There's no shortage of stuff that reaches you 80..90 days after the fact
> 
> The UK voluntary retention rules make a lot more sense, compared to "a
> few days", which is entirely impractical
> 
> On Fri, Jan 6, 2012 at 9:30 AM,   wrote:
>> 
>> You need to track down a miscreant user *right now*? You got the last 48 hours
>> of logs right at hand.  It's been a week? Meh, if somebody's been getting hit by
>> a DDoS for a week and is just now calling you, the fact they have a DDoS is the
>> least of their problems. Toss the logs. :)


The answer from the EFF is the same: retain what *you* have an
operational or administrative need for.  This is very different from a
legislative mandate for multiyear retention.


--Steve Bellovin, https://www.cs.columbia.edu/~smb
Re: question regarding US requirements for journaling public email (possible legislation?)

2012-01-05 Thread Suresh Ramasubramanian
There's no shortage of stuff that reaches you 80..90 days after the fact

The UK voluntary retention rules make a lot more sense, compared to "a
few days", which is entirely impractical

On Fri, Jan 6, 2012 at 9:30 AM,   wrote:
>
> You need to track down a miscreant user *right now*? You got the last 48 hours
> of logs right at hand.  It's been a week? Meh, if somebody's been getting hit by
> a DDoS for a week and is just now calling you, the fact they have a DDoS is the
> least of their problems. Toss the logs. :)



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: question regarding US requirements for journaling public email (possible legislation?)

2012-01-05 Thread Valdis . Kletnieks
On Fri, 06 Jan 2012 09:11:30 +0530, Suresh Ramasubramanian said:
> I would love to ask the EFF just what you do when you don't log stuff,
> and then need to troubleshoot someone causing a DDoS or something from
> your network in a hurry.

What John actually said:
> OSPs cannot be forced to provide data that does not exist. EFF suggests
> that OSPs draft an internal policy that states that they collect only
> limited information and do not retain any logs of user activity on their
> networks for more than a few weeks.

You need to track down a miscreant user *right now*? You got the last 48 hours
of logs right at hand.  It's been a week? Meh, if somebody's been getting hit by
a DDoS for a week and is just now calling you, the fact they have a DDoS is the
least of their problems. Toss the logs. :)

> Not that I'd get any sort of a useful answer from them, beyond random
> propaganda that spam filtering is evil, DPI is demoniacal etc etc.

Might want to go and actually read https://www.eff.org/wp/osp
before you say that. The PDF version runs to about 15 pages of detailed
and useful info for an OSP.




Re: question regarding US requirements for journaling public email (possible legislation?)

2012-01-05 Thread Suresh Ramasubramanian
I would love to ask the EFF just what you do when you don't log stuff,
and then need to troubleshoot someone causing a DDoS or something from
your network in a hurry.

Not that I'd get any sort of a useful answer from them, beyond random
propaganda that spam filtering is evil, DPI is demoniacal etc etc.

On Fri, Jan 6, 2012 at 3:54 AM, John Adams  wrote:
>
> OSPs cannot be forced to provide data that does not exist. EFF suggests
> that OSPs draft an internal policy that states that they collect only
> limited information and do not retain any logs of user activity on their
> networks for more than a few weeks. If a court order requests data that is
> more than a few weeks old, the OSP can simply point to the policy and
> explain that it cannot furnish the requested data. Likewise, if unnecessary
> PII is regularly deleted, the OSP cannot supply what it does not retain.
> This saves the OSP time and money, while also providing the OSP with
> sufficient data for its own administrative and business purposes.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: question regarding US requirements for journaling public email (possible legislation?)

2012-01-05 Thread John Adams
On Thu, Jan 5, 2012 at 7:56 AM, Eric J Esslinger wrote:

>
> (I am speaking specifically of full email journaling, not just logs, which
> I do archive for significant amounts of time.)
>
> I also don't want to discuss the pros, cons, merits, costs, goods, or
> evils of such a requirement, just wanted to know if this is something I
> should be looking forward towards maybe needing to implement.
>

This is probably not what you want to hear, but you should really read
through EFF's "Best Practices for Online Service Providers."

https://www.eff.org/wp/osp

Specifically:

OSPs cannot be forced to provide data that does not exist. EFF suggests
that OSPs draft an internal policy that states that they collect only
limited information and do not retain any logs of user activity on their
networks for more than a few weeks. If a court order requests data that is
more than a few weeks old, the OSP can simply point to the policy and
explain that it cannot furnish the requested data. Likewise, if unnecessary
PII is regularly deleted, the OSP cannot supply what it does not retain.
This saves the OSP time and money, while also providing the OSP with
sufficient data for its own administrative and business purposes.


Re: question regarding US requirements for journaling public email (possible legislation?)

2012-01-05 Thread Steven Bellovin

On Jan 5, 2012, at 2:16 PM, Fred Baker wrote:

> 
> On Jan 5, 2012, at 10:42 AM, William Herrin wrote:
> 
>> On Thu, Jan 5, 2012 at 10:56 AM, Eric J Esslinger wrote:
>>> His response was there is legislation being pushed in both
>>> House and Senate that would require journalling for 2 or 5
>>> years, all mail passing through all of your mail servers.
>> 
>> Hi Eric,
>> 
>> The only relatively recent thing I'm aware of in the Congress is the
>> Protecting Children From Internet Pornographers Act of 2011.
> 
> Since you bring it up, I sent this to Eric a few moments ago. Like you, 
> IANAL, and this is not legal advice.
> 
>> From: Fred Baker 
>> Date: January 5, 2012 10:46:30 AM PST
>> To: Eric J Esslinger 
>> Subject: Re: question regarding US requirements for journaling public email (possible legislation?)
>> 
>> I don't know of anything on email journaling, but you might look into 
>> section 4 of the "Protecting Children From Internet Pornographers Act of 
>> 2011", which asks you to log IP addresses allocated to subscribers. My guess 
>> is that the concern is correct, but the details have morphed into urban 
>> legend.
>> 
>> http://www.govtrack.us/congress/billtext.xpd?bill=h112-1981
>> http://www.techdirt.com/articles/20110707/04402514995/congress-tries-to-hide-massive-data-retention-law-pretending-its-anti-child-porn-law.shtml
>> 
>> I'm not sure I see this as shrilly as the techdirt article does, but it is 
>> in fact enabling legislation for a part of Article 20 of the COE Cybercrime 
>> Convention http://conventions.coe.int/Treaty/en/Treaties/html/185.htm. US is 
>> a signatory. Article 21 is Lawful Intercept as specified in OCCSSS, FISA, 
>> CALEA, and PATRIOT. Article 20 essentially looks for retention of 
>> mail/web/etc logs, and in the Danish interpretation, maintaining Netflow 
>> records for every subscriber in Denmark along with a mapping between IP 
>> address and subscriber identity in a form that can be data mined with an 
>> appropriate warrant.
> 
> I can't say (I don't know) whether the Danish Police have in fact implemented 
> what they proposed in 2003. What they were looking for at the time was that 
> the netflow records would be kept for something on the order of 6-18 months. 
> 
> From a US perspective, you might peruse
> 
> http://en.wikipedia.org/wiki/Telecommunications_data_retention#United_States
> 
> The Wikipedia article goes on to comment on the forensic value of data 
> retention. I think it is fair to say that the use of telephone numbers in TV 
> shows like CSI ("gee, he called X a lot, maybe we should too") is the comic 
> book version of the use but not far from the mark. A law enforcement official 
> once described it to me as "mapping criminal networks"; if Alice and Bob are 
> known criminals that talk with each other, and both also talk regularly with 
> Carol, Carol may simply be a mutual friend, but she might also be something 
> else. Further, if Alice and Bob are known criminals in one organization, Dick 
> and Jane are known criminals in another, and a change in communication 
> patterns is observed - Alice and Bob don't talk with Dick or Jane for a long 
> period, and then they start talking - it may signal a shift that law 
> enforcement is interested in.
> 
Yah, but that's all "non-content records"; it's a far cry from having to retain 
the body of every email, which is what he asked about.  As far as I know -- and 
I'm on enough tech policy lists that I probably would know -- nothing like that 
is being proposed.  That said, for a few industries -- finance comes to mind -- 
companies are required to do things like that by the SEC, but not ISPs per se.  
See 
http://www.archivecompliance.com/Laws-governing-email-archiving-compliance.html 
for some details.


--Steve Bellovin, https://www.cs.columbia.edu/~smb
Re: question regarding US requirements for journaling public email (possible legislation?)

2012-01-05 Thread Fred Baker

On Jan 5, 2012, at 10:42 AM, William Herrin wrote:

> On Thu, Jan 5, 2012 at 10:56 AM, Eric J Esslinger wrote:
>> His response was there is legislation being pushed in both
>> House and Senate that would require journalling for 2 or 5
>> years, all mail passing through all of your mail servers.
> 
> Hi Eric,
> 
> The only relatively recent thing I'm aware of in the Congress is the
> Protecting Children From Internet Pornographers Act of 2011.

Since you bring it up, I sent this to Eric a few moments ago. Like you, IANAL, 
and this is not legal advice.

> From: Fred Baker 
> Date: January 5, 2012 10:46:30 AM PST
> To: Eric J Esslinger 
> Subject: Re: question regarding US requirements for journaling public email (possible legislation?)
> 
> I don't know of anything on email journaling, but you might look into section 
> 4 of the "Protecting Children From Internet Pornographers Act of 2011", which 
> asks you to log IP addresses allocated to subscribers. My guess is that the 
> concern is correct, but the details have morphed into urban legend.
> 
> http://www.govtrack.us/congress/billtext.xpd?bill=h112-1981
> http://www.techdirt.com/articles/20110707/04402514995/congress-tries-to-hide-massive-data-retention-law-pretending-its-anti-child-porn-law.shtml
> 
> I'm not sure I see this as shrilly as the techdirt article does, but it is in 
> fact enabling legislation for a part of Article 20 of the COE Cybercrime 
> Convention http://conventions.coe.int/Treaty/en/Treaties/html/185.htm. US is 
> a signatory. Article 21 is Lawful Intercept as specified in OCCSSS, FISA, 
> CALEA, and PATRIOT. Article 20 essentially looks for retention of 
> mail/web/etc logs, and in the Danish interpretation, maintaining Netflow 
> records for every subscriber in Denmark along with a mapping between IP 
> address and subscriber identity in a form that can be data mined with an 
> appropriate warrant.

I can't say (I don't know) whether the Danish Police have in fact implemented 
what they proposed in 2003. What they were looking for at the time was that the 
netflow records would be kept for something on the order of 6-18 months. 

From a US perspective, you might peruse

http://en.wikipedia.org/wiki/Telecommunications_data_retention#United_States

The Wikipedia article goes on to comment on the forensic value of data 
retention. I think it is fair to say that the use of telephone numbers in TV 
shows like CSI ("gee, he called X a lot, maybe we should too") is the comic 
book version of the use but not far from the mark. A law enforcement official 
once described it to me as "mapping criminal networks"; if Alice and Bob are 
known criminals that talk with each other, and both also talk regularly with 
Carol, Carol may simply be a mutual friend, but she might also be something 
else. Further, if Alice and Bob are known criminals in one organization, Dick 
and Jane are known criminals in another, and a change in communication patterns 
is observed - Alice and Bob don't talk with Dick or Jane for a long period, and 
then they start talking - it may signal a shift that law enforcement is 
interested in.


Re: question regarding US requirements for journaling public email (possible legislation?)

2012-01-05 Thread Valdis . Kletnieks
On Thu, 05 Jan 2012 13:42:50 EST, William Herrin said:
> The really odd thing is that the act also says:
>
> `(2) Access to a record or information required to be retained under
> this subsection may not be compelled by any person or other entity
> that is not a governmental entity.'
>
> What does that mean for the MPAA seeking the identity of a bit torrent user?

Means they need to get a subpoena (at which point it's the court, a governmental
entity, doing the compelling).




Re: question regarding US requirements for journaling public email (possible legislation?)

2012-01-05 Thread William Herrin
On Thu, Jan 5, 2012 at 10:56 AM, Eric J Esslinger  wrote:
>  His response was there is legislation being pushed in both
> House and Senate that would require journalling for 2 or 5
> years, all mail passing through all of your mail servers.

Hi Eric,

The only relatively recent thing I'm aware of in the Congress is the
Protecting Children From Internet Pornographers Act of 2011.

http://thomas.loc.gov/cgi-bin/bdquery/z?d112:h.r.01981:

What it actually says is:

`(1) A commercial provider of an electronic communication service
shall retain for a period of at least one year a log of the
temporarily assigned network addresses the provider assigns to a
subscriber to or customer of such service that enables the
identification of the corresponding customer or subscriber information
under subsection (c)(2) of this section.'

That may mean journaling individual TCP connections in a NAT
environment but it doesn't address content, email or otherwise.

I'd say your friend was confused.



The really odd thing is that the act also says:

`(2) Access to a record or information required to be retained under
this subsection may not be compelled by any person or other entity
that is not a governmental entity.'

What does that mean for the MPAA seeking the identity of a bit torrent user?


Regards,
Bill Herrin



-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004
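Added example, not code from this thread, from the bill, or from the EFF paper: the kind of record the quoted bill text describes (which subscriber held a temporarily assigned address, and when) kept under a written retention window of the sort EFF recommends, so that a lookup about a time outside the window answers "no data" and a purge guarantees the data really is gone. All account ids, addresses, timestamps and the 14-day window are constructed for illustration.

```python
"""Address-assignment log that keeps only a fixed retention window.

Added example, not code from the thread or the EFF paper. Names, addresses,
timestamps and the retention period are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

UTC = timezone.utc
NOW = datetime(2012, 1, 6, 12, 0, tzinfo=UTC)  # fixed clock so the demo is reproducible


@dataclass(frozen=True)
class Lease:
    subscriber_id: str       # internal account id, not a name or postal address
    address: str             # the temporarily assigned public address
    start: datetime
    end: Optional[datetime]  # None while the lease is still active


class LeaseLog:
    def __init__(self, retention: timedelta):
        self.retention = retention
        self._leases: List[Lease] = []

    def record(self, lease: Lease) -> None:
        self._leases.append(lease)

    def purge(self, now: datetime) -> int:
        """Discard leases that ended before the retention cutoff; return how many."""
        cutoff = now - self.retention
        kept = [l for l in self._leases if l.end is None or l.end >= cutoff]
        removed = len(self._leases) - len(kept)
        self._leases = kept
        return removed

    def who_had(self, address: str, at: datetime, now: datetime) -> Optional[str]:
        """Which subscriber held `address` at instant `at`? None if unknown or outside policy."""
        self.purge(now)  # enforce the window before answering, not on a separate schedule
        cutoff = now - self.retention
        # A lease that ended recently may have *started* before the cutoff, so its
        # record survives the purge even though the instant asked about lies outside
        # the window. The policy covers the instant, so refuse rather than answer.
        if at < cutoff:
            return None
        for lease in self._leases:
            if lease.address == address and lease.start <= at and (lease.end is None or at < lease.end):
                return lease.subscriber_id
        return None


def build_sample_log(retention_days: int = 14) -> LeaseLog:
    """Constructed sample: one documentation-range address reassigned three times."""
    log = LeaseLog(timedelta(days=retention_days))
    log.record(Lease("acct-1001", "203.0.113.10", NOW - timedelta(days=40), NOW - timedelta(days=30)))
    log.record(Lease("acct-1002", "203.0.113.10", NOW - timedelta(days=30), NOW - timedelta(days=2)))
    log.record(Lease("acct-1003", "203.0.113.10", NOW - timedelta(days=2), None))
    return log


def lookup_days_ago(log: LeaseLog, address: str, days_ago: float) -> Optional[str]:
    """Convenience wrapper: who held `address` this many days before NOW?"""
    return log.who_had(address, NOW - timedelta(days=days_ago), NOW)


if __name__ == "__main__":
    log = build_sample_log()
    print("purged:", log.purge(NOW))  # the lease that ended 30 days ago is gone
    for days in (1, 10, 20, 35):
        print(f"{days:>2} days ago:", lookup_days_ago(log, "203.0.113.10", days))
```

Note that the 20-day query returns nothing even though a retained lease overlaps it: the lookup refuses instants before the cutoff rather than reading them out of a record that only survived because it ended recently.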



Re: question regarding US requirements for journaling public email (possible legislation?)

2012-01-05 Thread Ray Soucy
If you search for "email archiving" instead of journaling you'll come
up with a lot more information.  It dates back to court rule changes
in 2006.

Most of it is hype because of [largely incorrect] articles like this
one (just one of the first hits):

http://www.itworld.com/security/55954/law-requires-email-archiving

It's really something that you would need a lawyer to give you an
answer on (I am not a lawyer, this is not legal advice, etc).

My [limited] understanding is that you are required to disclose
whether or not you have any electronic document (including email)
requested as part of the discovery process.

If you do have it, you're required to produce it.

Since its being on some hard drive of an employee computer qualifies as
having it, many larger companies decided to archive centrally.  The
rules only require 7 years back (I think), so that's the amount of
time it's generally archived for.

TL;DR you're not required to archive email, but you need to know
whether or not you have it if asked.

Again, my understanding here is pretty limited.  If anyone knows for
certain, feel free to chime in.
On Thu, Jan 5, 2012 at 12:54 PM, Eric J Esslinger  wrote:
> Based on some I have received off list it seems no-one has ever heard of 
> such a proposal that has had any serious traction so I assume the gentleman 
> was either mistaken, paranoid, or trying to pull a joke on me.
>
> Thank you for the responses everyone. You can now get back to your regularly 
> scheduled regulatory headaches.
>
> __
> Eric Esslinger
> Information Services Manager - Fayetteville Public Utilities
> http://www.fpu-tn.com/
> (931)433-1522 ext 165
>
>
>
>> -Original Message-
>> From: Eric J Esslinger [mailto:eesslin...@fpu-tn.com]
>> Sent: Thursday, January 05, 2012 9:57 AM
>> To: 'nanog@nanog.org'
>> Subject: question regarding US requirements for journaling
>> public email (possible legislation?)
>>
>>
>> Hope yall had an 'eventless' holiday. (I.e. no pages at 2 am
>> on a holiday morning). Sorry to drop what is possibly just
>> someone misunderstanding something or pulling my leg on the
>> list, but over the holidays I ran into one of my buddies that
>> is also a network admin type and he was griping about mail
>> journalling, which I already do for our corporate email
>> accounts. However, his discussion was in terms of all
>> customer email... Which I said was probably a bad thing to
>> do. His response was there is legislation being pushed in
>> both House and Senate that would require journalling for 2 or
>> 5 years, all mail passing through all of your mail servers.
>>
>> I've seen nothing, and my google fu has turned up nothing
>> other than corporate requirements, so I ask here. Has anyone
>> heard of such a bill working its way through either side of congress?
>>
>> (I am speaking specifically of full email journaling, not
>> just logs, which I do archive for significant amounts of time.)
>>
>> I also don't want to discuss the pros, cons, merits, costs,
>> goods, or evils of such a requirement, just wanted to know if
>> this is something I should be looking forward towards maybe
>> needing to implement.
>>
>> Thanks for your attention and may you have a low incident new year.
>> __
>> Eric Esslinger
>> Information Services Manager - Fayetteville Public Utilities
>> http://www.fpu-tn.com/ (931)433-1522 ext 165
>>
>> This message may contain confidential and/or proprietary
>> information and is intended for the person/entity to whom it
>> was originally addressed. Any use by others is strictly prohibited.
>>
>>
>



-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/



RE: question regarding US requirements for journaling public email (possible legislation?)

2012-01-05 Thread Eric J Esslinger
Based on some I have received off list it seems no-one has ever heard of such 
a proposal that has had any serious traction so I assume the gentleman was 
either mistaken, paranoid, or trying to pull a joke on me.

Thank you for the responses everyone. You can now get back to your regularly 
scheduled regulatory headaches.

__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165



> -Original Message-
> From: Eric J Esslinger [mailto:eesslin...@fpu-tn.com]
> Sent: Thursday, January 05, 2012 9:57 AM
> To: 'nanog@nanog.org'
> Subject: question regarding US requirements for journaling
> public email (possible legislation?)
>
>
> Hope yall had an 'eventless' holiday. (I.e. no pages at 2 am
> on a holiday morning). Sorry to drop what is possibly just
> someone misunderstanding something or pulling my leg on the
> list, but over the holidays I ran into one of my buddies that
> is also a network admin type and he was griping about mail
> journalling, which I already do for our corporate email
> accounts. However, his discussion was in terms of all
> customer email... Which I said was probably a bad thing to
> do. His response was there is legislation being pushed in
> both House and Senate that would require journalling for 2 or
> 5 years, all mail passing through all of your mail servers.
>
> I've seen nothing, and my google fu has turned up nothing
> other than corporate requirements, so I ask here. Has anyone
> heard of such a bill working its way through either side of congress?
>
> (I am speaking specifically of full email journaling, not
> just logs, which I do archive for significant amounts of time.)
>
> I also don't want to discuss the pros, cons, merits, costs,
> goods, or evils of such a requirement, just wanted to know if
> this is something I should be looking forward towards maybe
> needing to implement.
>
> Thanks for your attention and may you have a low incident new year.
> __
> Eric Esslinger
> Information Services Manager - Fayetteville Public Utilities
> http://www.fpu-tn.com/ (931)433-1522 ext 165
>




question regarding US requirements for journaling public email (possible legislation?)

2012-01-05 Thread Eric J Esslinger
Hope yall had an 'eventless' holiday. (I.e. no pages at 2 am on a holiday 
morning).
Sorry to drop what is possibly just someone misunderstanding something or 
pulling my leg on the list, but over the holidays I ran into one of my buddies 
that is also a network admin type and he was griping about mail journalling, 
which I already do for our corporate email accounts. However, his discussion 
was in terms of all customer email... Which I said was probably a bad thing to 
do. His response was there is legislation being pushed in both House and Senate 
that would require journalling for 2 or 5 years, all mail passing through all 
of your mail servers.

I've seen nothing, and my google fu has turned up nothing other than corporate 
requirements, so I ask here. Has anyone heard of such a bill working its way 
through either side of congress?

(I am speaking specifically of full email journaling, not just logs, which I do 
archive for significant amounts of time.)

I also don't want to discuss the pros, cons, merits, costs, goods, or evils of 
such a requirement, just wanted to know if this is something I should be 
looking forward towards maybe needing to implement.

Thanks for your attention and may you have a low incident new year.
__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165
