Fed Bill Would Restrict Web Server Logs

Date: Thu, 09 Feb 2006 00:14:23 -0800
From: Declan McCullagh <declan@well.com>
Subject: [Politech] Delete web server logs, or get fined by the Feds?
        Ed Markey's new bill [fs]
To: politech@politechbot.com
Message-ID: <43EAF9DF.2000602@well.com>

I've posted the text here:
http://www.politechbot.com/docs/markey.data.deletion.bill.020806.pdf

A summary is here:
http://news.com.com/2100-1028_3-6036951.html
"A bill just announced in Congress would require every Web site operator
to delete information about visitors, including e-mail addresses, if the
data is no longer required for a "legitimate" business purpose.

An open question is whether Rep. Ed Markey's bill would require that
Internet addresses be deleted by default from Apache and other web
server logs. One reading is that it would be. But it's not clear whether
an IP address falls under the definition of personal information.

This bill applies to anyone running a web site, including individuals
and bloggers. So it's not just companies that have to worry.

Original posting from Declan McCullagh's PoliTech mailing list. Thought NANOGers would be interested since, if this bill passes, it would impact almost all of us. Just imagine the impact on security of not being able to login IP address and referring page of all web server connections!

Jon Kibler

"When no longer required for business purposes"

Your syslog's logrotate function does that for you already, for all
reasonable purposes .. blows away logs that are say a week old.

Email addresses etc - I guess that's cookie data etc. Or any other
data that you gather but don't state a purpose for .. if you gather
data saying you want to market to them, fine. If you gather data like
that as part of a profile on a blog, fine. No hassles that I can see
there.

This kind of checks privacy violations / abuse that goes on when data
is collected without your knowledge, or used for purposes you didn't
intend it to be used for but didn't read fine print, or the people
collecting your data don't care about reselling it to others.

On Tue, Feb 14, 2006 at 09:47:50AM -0500, Jon R. Kibler scribed:

>
> http://www.politechbot.com/docs/markey.data.deletion.bill.020806.pdf
>
> to delete information about visitors, including e-mail addresses, if the
> data is no longer required for a "legitimate" business purpose.
>

> Original posting from Declan McCullagh's PoliTech mailing list. Thought
> NANOGers would be interested since, if this bill passes, it would impact
> almost all of us. Just imagine the impact on security of not being able
> to login IP address and referring page of all web server connections!

Call me weird, but I fail to see where the scary teeth lie in such
a bill. First of all, it's phrased very abstractly and would hopefully
have its language clarified by the time it escapes a committee. Second,
the bill is fairly clear about the meaning of personal information, and
it doesn't include things like IP addresses in its examples; the latter
would be a matter for a court to decide, and it's not clear cut at all:

  "... that allows a living person to be identified individually,
   including ... : first and last name, home or physical
   address, ... "

Third, it says nothing at all about restricting what you can log:

  "An owner of an Internet website shall destroy, within
   a reasonable period of time, any data containing personal
   information if the information is no longer necessary for
   the purpose for which it was collected or any other legitimate
   business purpose."

If you need IP address logging to ensure the security of your website,
then that sounds like a pretty legitimate business practice. The more
interesting question is how _long_ you need to keep the personal
information around for your legitimate business purposes.
A week? A month? A year? Ultimately, it would probably boil down to
a dash of best practices and a pinch of CYA. But there's nothing
in there to freak out about for day to day operations. The worry
is more that you'd probably have to ensure that your logs get blasted or
sanitized according to a well-defined schedule. Which, when you
think about it, might not be a bad thing at all.

  -Dave
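
The scheduled sanitization described in the message above, sketched as an added example that is not part of the original thread: Apache combined-format entries are kept verbatim inside a retention window and scrubbed once they age out. The 7-day window, the /24 and /48 masks, the choice of fields to scrub and the sample lines are all assumptions, not anything the bill specifies.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$')

def mask_ip(host):
    """Zero the host bits (/24 for IPv4, /48 for IPv6); drop non-IP hostnames."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "-"
    prefix = 24 if ip.version == 4 else 48  # assumed masks, not from the bill
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def strip_query(url):
    """Query strings can carry e-mail addresses and other form data."""
    return url.split("?", 1)[0]

def sanitize_line(line, now, keep_days=7):
    """Keep a line verbatim inside the retention window, scrub it afterwards."""
    m = LINE.match(line)
    if m is None:
        return None  # unparseable (e.g. escaped quotes): drop, don't keep unknowns
    host, _ident, _user, ts, req, status, size, referer, agent = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    if now - when <= timedelta(days=keep_days):
        return line
    parts = req.split(" ")
    if len(parts) == 3:
        parts[1] = strip_query(parts[1])
    request = " ".join(parts)
    # The authenticated user name is replaced with "-" along with the ident.
    return (f'{mask_ip(host)} - - [{ts}] "{request}" {status} {size} '
            f'"{strip_query(referer)}" "{agent}"')

# Constructed sample input (documentation-range addresses, invented requests).
NOW = datetime(2006, 2, 14, 9, 47, 50, tzinfo=timezone(timedelta(hours=-5)))
OLD = ('203.0.113.77 - alice [01/Feb/2006:10:00:00 -0800] '
       '"GET /buy?email=a@example.com HTTP/1.1" 200 512 '
       '"http://example.org/ref?q=secret" "Mozilla/5.0"')
RECENT = ('198.51.100.9 - - [13/Feb/2006:09:00:00 -0800] '
          '"GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')

if __name__ == "__main__":
    for entry in (OLD, RECENT):
        print(sanitize_line(entry, NOW))
```

Run from cron after rotation, this keeps recent entries usable for security work while the aged entries lose the address, user name and query data.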

Strange thing is that we have exactly the opposite here in Europe. There
is a new bill that has been passed that forces us to keep all logs (mail
and web) for at least 1 or 2 years.

Kind regards,
Frank Louwers

6 months to 2 years I think.

http://blogs.iht.com/tribtalk/technology/2006/02/09/subpoena_disclosures_to_protec/

--srs

> Strange thing is that we have exactly the opposite here in Europe. There
> is a new bill that has been passed that forces us to keep all
> logs (mail and web) for at least 1 or 2 years.
>
> Kind regards,
> Frank Louwers

That is far scarier.

Suresh Ramasubramanian wrote:

> > "A bill just announced in Congress would require every Web site operator
> > to delete information about visitors, including e-mail addresses, if the
> > data is no longer required for a "legitimate" business purpose.
> >
> > Original posting from Declan McCullagh's PoliTech mailing list. Thought
>
> "When no longer required for business purposes"
> Your syslog's logrotate function does that for you already, for all
> reasonable purposes .. blows away logs that are say a week old.

Speaking with my e-commerce vendor hat on, server logs (apache, mail, application audit logs) and other information about visitors (especially those who have conducted a purchase transaction with us, or signed up to our newsletter) never stop having a business purpose - it's called referential integrity.

We want to use them to track the behaviour of fraudulent users, for example.

We also want to learn about how people use our site to make it easier. We want to ensure our mail systems are not approaching capacity. We want to know if our spam filtering is working, and how its use changes over time. etc., etc., etc.

These are all business purposes.

It's interesting that the US government is requiring that less user data be stored when European politicians are calling for greater data and log retention rules.

Mark Borchers wrote:

> > Strange thing is that we have exactly the opposite here in Europe. There
> > is a new bill that has been passed that forces us to keep all logs (mail and web) for at least 1 or 2 years.
> >
> > Kind regards,
> > Frank Louwers
>
> That is far scarier.

Which hard drive vendor wrote that law? They're the only people who will benefit from it.

Obviously, none of the Total Info Awareness proponents were able to get
their tentacles involved here...

I guess the question is how to read the word "legitimate". ^.^
I guess the bill was written with privacy concerns in mind.
But there are also some requirements from the security/law-enforcement viewpoint.
I received a request from some law enforcement about the actual user of an IP
address 3 years ago or older.
Without all the log info, how can I tell?
It seems this bill will bring more ISPs/ASPs to court to clarify what
is legitimate or not.

From the privacy viewpoint, I guess people want to remove all their traces
from the Internet.
But from the security and practical concerns of ISPs/ASPs, they want to have
all traces from the people.

I think the government needs to require ISPs/ASPs to keep all traces to a
certain level, but with stricter access methods.

I'm really curious whether this was a kind of post-action to the
cell-phone use log business such as locatecell.com or something like that.

Hyun

Jon R. Kibler wrote:

This is a pro-privacy bill that would regulate business, and it's been
introduced by a Democrat in a Republican-controlled Congress with a
Republican president, at a time when privacy is out of favor. It's not
going to pass. (To me, of course, that's a bug, especially since I'd
rather that stronger privacy legislation were passed. But I'm not
holding my breath.)

    --Steven M. Bellovin, http://www.cs.columbia.edu/~smb

> I guess the question is how to read the word "legitimate". ^.^
> I guess the bill was written with privacy concerns in mind.
> But there are also some requirements from the security/law-enforcement viewpoint.
> I received a request from some law enforcement about the actual user of an IP
> address 3 years ago or older.
> Without all the log info, how can I tell?

In the context of the legislation in question, if the user is still a current customer, you have a legitimate business use for the data. If the user was no longer a customer, I would surmise that you should have purged it, as you would no longer have a need for that user's personal data.

> I'm really curious whether this was a kind of post-action to the
> cell-phone use log business such as locatecell.com or something like that.

An exploration of the side effects would be interesting. I think it'll provide a legal cudgel for mailing lists and opt-in tracking, as well as ensuring that your information is purged when/if you opt-out. It may also have dampening effects on the sale/trade of personal information, as it would now be questionably criminal to possess the personally identifying information of a person you have engaged in zero business with.

From the text of the bill, there are some pretty loose points that'll give lawyers a lot of vine to swing from, including the definition of 'legitimate business practice'. Associating all of it to 'Internet website', as defined, is another loophole waiting to happen.

I think the single best element of the bill is the declaration that consumers have an ownership in interest in their personal information. Ownership implies control, and by extension, some amount of control in who gets to have it. I'd like to see what happens when the final bill is mated with US Federal CAN-SPAM law.

- billn

Hum... tentacles...

http://www.cthulhu.org/cthulhu/index.html

--bill
unsigned email is a sign of plausible deniability...

* Frank Louwers:

> Strange thing is that we have exactly the opposite here in Europe. There
> is a new bill that has been passed that forces us to keep all logs (mail
> and web) for at least 1 or 2 years.

It's not a bill, it's an EU directive which still has to be implemented
in national law. Nothing in the directive requires that operators of
non-interactive web sites (the vast majority) retain any data. Only
if you identify your users, you might be required to keep some logs.
Implementation in national law might change that, especially since the
directive is remarkably unclear about the selection criteria used for
mapping communication events to individuals.

> Original posting from Declan McCullagh's PoliTech mailing list. Thought
> NANOGers would be interested since, if this bill passes, it would impact
> almost all of us. Just imagine the impact on security of not being able
> to login IP address and referring page of all web server connections!

Seems to me that security would be a "legitimate business purpose" for
keeping the information around.

Owen