question regarding US requirements for journaling public email (possible legislation?)

Hope y'all had an 'eventless' holiday. (I.e. no pages at 2 am on a holiday morning).
Sorry to drop what is possibly just someone misunderstanding something or pulling my leg on the list, but over the holidays I ran into one of my buddies that is also a network admin type and he was griping about mail journalling, which I already do for our corporate email accounts. However, his discussion was in terms of all customer email, which I said was probably a bad thing to do. His response was there is legislation being pushed in both House and Senate that would require journalling for 2 or 5 years, all mail passing through all of your mail servers.

I've seen nothing, and my google fu has turned up nothing other than corporate requirements, so I ask here. Has anyone heard of such a bill working its way through either side of congress?

(I am speaking specifically of full email journaling, not just logs, which I do archive for significant amounts of time.)

I also don't want to discuss the pros, cons, merits, costs, goods, or evils of such a requirement, just wanted to know if this is something I should be looking forward towards maybe needing to implement.

Thanks for your attention and may you have a low incident new year.

Based on some responses I have received off list, it seems no one has ever heard of such a proposal that has had any serious traction, so I assume the gentleman was either mistaken, paranoid, or trying to pull a joke on me.

Thank you for the responses everyone. You can now get back to your regularly scheduled regulatory headaches.

If you search for "email archiving" instead of journaling you'll come
up with a lot more information. It dates back to court rule changes
in 2006.

Most of it is hype because of [largely incorrect] articles like this
one (just one of the first hits):

http://www.itworld.com/security/55954/law-requires-email-archiving

It's really something that you would need a lawyer to give you an
answer on (I am not a lawyer, this is not legal advice, etc).

My [limited] understanding is that you are required to disclose
whether or not you have any electronic document (including email)
requested as part of the discovery process.

If you do have it, you're required to produce it.

Since it being on some hard drive of an employee computer qualifies as
having it, many larger companies decided to archive centrally. The
rules only require 7 years back (I think), so that's the amount of
time it's generally archived for.

TL;DR you're not required to archive email, but you need to know
whether or not you have it if asked.

Again, my understanding here is pretty limited. If anyone knows for
certain, feel free to chime in.

Hi Eric,

The only relatively recent thing I'm aware of in the Congress is the
Protecting Children From Internet Pornographers Act of 2011.

http://thomas.loc.gov/cgi-bin/bdquery/z?d112:h.r.01981:

What it actually says is:

`(1) A commercial provider of an electronic communication service
shall retain for a period of at least one year a log of the
temporarily assigned network addresses the provider assigns to a
subscriber to or customer of such service that enables the
identification of the corresponding customer or subscriber information
under subsection (c)(2) of this section.'

That may mean journaling individual TCP connections in a NAT
environment but it doesn't address content, email or otherwise.

I'd say your friend was confused.

The really odd thing is that the act also says:

`(2) Access to a record or information required to be retained under
this subsection may not be compelled by any person or other entity
that is not a governmental entity.'

What does that mean for the MPAA seeking the identity of a bit torrent user?

Regards,
Bill Herrin

Means they need to get a subpoena (at which point it's the court, a governmental
entity, doing the compelling).

His response was there is legislation being pushed in both
House and Senate that would require journalling for 2 or 5
years, all mail passing through all of your mail servers.

Hi Eric,

The only relatively recent thing I'm aware of in the Congress is the
Protecting Children From Internet Pornographers Act of 2011.

Since you bring it up, I sent this to Eric a few moments ago. Like you, IANAL, and this is not legal advice.

From: Fred Baker <fred@cisco.com>
Date: January 5, 2012 10:46:30 AM PST
To: Eric J Esslinger <eesslinger@fpu-tn.com>
Subject: Re: question regarding US requirements for journaling public email (possible legislation?)

I don't know of anything on email journaling, but you might look into section 4 of the "Protecting Children From Internet Pornographers Act of 2011", which asks you to log IP addresses allocated to subscribers. My guess is that the concern is correct, but the details have morphed into urban legend.

Text of H.R. 1981 (112th): Protecting Children From Internet Pornographers Act of 2011 (Reported by House Committee version) - GovTrack.us
Congress Tries To Hide Massive Data Retention Law By Pretending It's An Anti-Child Porn Law | Techdirt

I'm not sure I see this as shrilly as the techdirt article does, but it is in fact enabling legislation for a part of Article 20 of the COE Cybercrime Convention (Full list - Treaty Office). US is a signatory. Article 21 is Lawful Intercept as specified in OCCSSS, FISA, CALEA, and PATRIOT. Article 20 essentially looks for retention of mail/web/etc logs, and in the Danish interpretation, maintaining Netflow records for every subscriber in Denmark along with a mapping between IP address and subscriber identity in a form that can be data mined with an appropriate warrant.

I can't say (I don't know) whether the Danish Police have in fact implemented what they proposed in 2003. What they were looking for at the time was that the netflow records would be kept for something on the order of 6-18 months.

From a US perspective, you might peruse

    Data retention - Wikipedia

The Wikipedia article goes on to comment on the forensic value of data retention. I think it is fair to say that the use of telephone numbers in TV shows like CSI ("gee, he called X a lot, maybe we should too") is the comic book version of the use but not far from the mark. A law enforcement official once described it to me as "mapping criminal networks"; if Alice and Bob are known criminals that talk with each other, and both also talk regularly with Carol, Carol may simply be a mutual friend, but she might also be something else. Further, if Alice and Bob are known criminals in one organization, Dick and Jane are known criminals in another, and a change in communication patterns is observed - Alice and Bob don't talk with Dick or Jane for a long period, and then they start talking - it may signal a shift that law enforcement is interested in.

Yah, but that's all "non-content records"; it's a far cry from having to retain the body of every email, which is what he asked about. As far as I know -- and I'm on enough tech policy lists that I probably would know -- nothing like that is being proposed. That said, for a few industries -- finance comes to mind -- companies are required to do things like that by the SEC, but not ISPs per se. See http://www.archivecompliance.com/Laws-governing-email-archiving-compliance.html for some details.

    --Steve Bellovin, https://www.cs.columbia.edu/~smb

This is probably not what you want to hear, but you should really read
through EFF's "Best Practices for Online Service Providers."

https://www.eff.org/wp/osp

Specifically:

OSPs cannot be forced to provide data that does not exist. EFF suggests
that OSPs draft an internal policy that states that they collect only
limited information and do not retain any logs of user activity on their
networks for more than a few weeks. If a court order requests data that is
more than a few weeks old, the OSP can simply point to the policy and
explain that it cannot furnish the requested data. Likewise, if unnecessary
PII is regularly deleted, the OSP cannot supply what it does not retain.
This saves the OSP time and money, while also providing the OSP with
sufficient data for its own administrative and business purposes.

I would love to ask the EFF just what you do when you don't log stuff,
and then need to troubleshoot someone causing a DDoS or something from
your network in a hurry.

Not that I'd get any sort of a useful answer from them, beyond random
propaganda that spam filtering is evil, DPI is demoniacal etc etc.

I would love to ask the EFF just what you do when you don't log stuff,
and then need to troubleshoot someone causing a DDoS or something from
your network in a hurry.

What John actually said:

OSPs cannot be forced to provide data that does not exist. EFF suggests
that OSPs draft an internal policy that states that they collect only
limited information and do not retain any logs of user activity on their
networks for more than a few weeks.

You need to track down a miscreant user *right now*? You got the last 48 hours
of logs right at hand. It's been a week? Meh, if somebody's been getting hit by
a DDoS for a week and is just now calling you, the fact they have a DDoS is the
least of their problems. Toss the logs. :)

Not that I'd get any sort of a useful answer from them, beyond random
propaganda that spam filtering is evil, DPI is demoniacal etc etc.

Might want to go and actually read "Best Practices for Online Service Providers" (Electronic Frontier Foundation)
before you say that. The PDF version runs to about 15 pages of detailed
and useful info for an OSP.

There's no shortage of stuff that reaches you 80..90 days after the fact

The UK voluntary retention rules make a lot more sense, compared to "a
few days", which is entirely impractical.

The answer from the EFF is the same: retain what *you* have an
operational or administrative need for. This is very different from a
legislative mandate for multiyear retention.

    --Steve Bellovin, https://www.cs.columbia.edu/~smb