Fed Bill Would Restrict Web Server Logs

Bill Nash billn at odyssey.billn.net
Tue Feb 14 17:20:25 UTC 2006

On Tue, 14 Feb 2006, Hyunseog Ryu wrote:

> I guess the question is how to read "legitimate" word. ^.^
> I guess the bill was written in mind of privacy concern.
> But also there is some requirement for security/law-enforcement viewpoint.
> I received the request from some law-enforcement about actual user of IP
> address 3 year ago or older.
> Without all log info, how can I tell it?

In the context of the legislation in question, if the user is still a 
current customer, you have a legitimate business use for the data. If the 
user was no longer a customer, I would surmise that you should have purged 
it, as you would no longer have a need for that user's personal data.

> I'm really curious whether this was a kind of post-action to the
> cell-phone use log business such as locatecell.com or something like that.

An exploration of the side effects would be interesting. I think it'll 
provide a legal cudgel for mailing lists and opt-in tracking, as well as 
ensuring that your information is purged when/if you opt-out. It may also 
have dampening effects on the sale/trade of personal information, as it 
would now be questionably criminal to possess the personally identifying 
information of a person you have engaged in zero business with.

>From the text of the bill, there are some pretty loose points that'll give 
lawyers a lot of vine to swing from, including the definition of 
'legitimate business practice'. Associating all of it to 'Internet 
website', as defined, is another loophole waiting to happen.

I think the single best element of the bill is the declaration that 
consumers have an ownership in interest in their personal information. 
Owndership implies control, and by extension, some amount of control in 
who gets to have it. I'd like to see what happens when the final bill is 
mated with US Federal CAN-SPAM law.

- billn

More information about the NANOG mailing list