Fed Bill Would Restrict Web Server Logs

David G. Andersen dga+ at cs.cmu.edu
Tue Feb 14 15:33:19 UTC 2006

On Tue, Feb 14, 2006 at 09:47:50AM -0500, Jon R. Kibler scribed:
> > 
> > http://www.politechbot.com/docs/markey.data.deletion.bill.020806.pdf
> > 
> > to delete information about visitors, including e-mail addresses, if the 
> > data is no longer required for a "legitimate" business purpose.
> > 
> Original posting from Declan McCullagh's PoliTech mailing list. Thought
> NANOGers would be interested since, if this bill passes, it would impact
> almost all of us. Just imagine the impact on security of not being able
> to log IP address and referring page of all web server connections!

Call me weird, but I fail to see where the scary teeth lie in such
a bill.  First of all, it's phrased very abstractly and would hopefully
have its language clarified by the time it escapes a committee.  Second,
the bill is fairly clear about the meaning of personal information, and
it doesn't include things like IP addresses in its examples; the latter
would be a matter for a court to decide, and it's not clear cut at all:

  "... that allows a living person to be identified individually,
   including ... : first and last name, home or physical
   address, ... "

Third, it says nothing at all about restricting what you can log:

  "An owner of an Internet website shall destroy, within
   a reasonable period of time, any data containing personal
   information if the information is no longer necessary for
   the purpose for which it was collected or any other legitimate
   business purpose."

If you need IP address logging to ensure the security of your website,
then that sounds like a pretty legitimate business practice.  The more
interesting question is how _long_ you need to keep the personal
information around for your legitimate business purposes.
A week?  A month?  A year?  Ultimately, it would probably boil down to
a dash of best practices and a pinch of CYA.  But there's nothing
in there to freak out about for day to day operations.  The worry
is more that you'd probably have to ensure that your logs get blasted or
sanitized according to a well-defined schedule.  Which, when you
think about it, might not be a bad thing at all.


Dave Andersen                                 dga at cs.cmu.edu
Assistant Professor                           412.268.3064
Carnegie Mellon University                    http://www.cs.cmu.edu/~dga
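The "well-defined schedule" Dave mentions is the part an operator actually has to build. The following is an added example, not code from the thread or from anyone in it: a small Python sanitizer for web server logs in the Apache/nginx "combined" format. It assumes two hypothetical policy windows (30 days full retention, 90 days before destruction) and a hypothetical "sanitize" step that truncates the client IP to a /24 (IPv4) or /48 (IPv6) prefix and blanks the authenticated user and Referer fields. The sample log lines and the reference clock are constructed for the demo.

```python
"""Schedule-driven sanitizer for "combined"-format web server access logs.

Added example for the NANOG thread above; not from the original posts.
Assumed (hypothetical) policy:
  - entries newer than RETENTION_DAYS are kept untouched (needed for
    security work: abuse tracing, incident response);
  - entries older than RETENTION_DAYS but newer than DESTROY_DAYS keep
    only a coarse network prefix and lose authuser and Referer;
  - entries older than DESTROY_DAYS are dropped entirely.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30   # assumed: full detail kept this long
DESTROY_DAYS = 90     # assumed: nothing kept past this point

# host ident authuser [date] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_time(stamp):
    """Parse the bracketed timestamp, e.g. 14/Feb/2006:15:33:19 +0000."""
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def anonymize_ip(addr):
    """Truncate an IPv4 address to its /24 and an IPv6 address to its /48.

    Anything that does not parse as an address is replaced outright rather
    than passed through, so an odd host field cannot leak.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "0.0.0.0"
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def sanitize_line(line, now, retention_days=RETENTION_DAYS,
                  destroy_days=DESTROY_DAYS):
    """Return the line to keep, a sanitized version of it, or None to drop it.

    Malformed lines also return None: unknown content is not forwarded
    into the long-term archive unsanitized.
    """
    line = line.rstrip("\n")
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    age = now - parse_time(f["time"])
    if age > timedelta(days=destroy_days):
        return None
    if age <= timedelta(days=retention_days):
        return line
    f["host"] = anonymize_ip(f["host"])
    f["user"] = "-"
    f["referer"] = "-"
    return ('{host} {ident} {user} [{time}] "{request}" {status} {size} '
            '"{referer}" "{agent}"').format(**f)


def sanitize_log(lines, now, **windows):
    """Apply sanitize_line to every line and keep only the survivors."""
    out = []
    for line in lines:
        kept = sanitize_line(line, now, **windows)
        if kept is not None:
            out.append(kept)
    return out


# Constructed sample input and a fixed reference clock for the demo.
SAMPLE_LINES = [
    '192.0.2.44 - alice [15/Mar/2006:10:02:11 +0000] "GET /index.html HTTP/1.1" '
    '200 5123 "http://example.com/login" "Mozilla/5.0"',
    '192.0.2.44 - alice [14/Feb/2006:15:33:19 +0000] "GET /nanog HTTP/1.1" '
    '200 812 "http://www.politechbot.com/" "Mozilla/5.0"',
    '2001:db8:abcd:1234::1 - - [01/Dec/2005:08:00:00 +0000] "POST /form HTTP/1.1" '
    '302 0 "-" "curl/7.15"',
]
NOW = datetime(2006, 3, 20, tzinfo=timezone.utc)


def run_demo():
    """Run the sanitizer over the constructed sample at the reference time."""
    return sanitize_log(SAMPLE_LINES, NOW)


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

Run from cron against the rotated files rather than the live log so that the security-relevant recent window is never touched; the first sample line (5 days old) passes through unchanged, the second (about 33 days old) comes out with a /24 prefix and no user or Referer, and the third (over 100 days old) is dropped.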
