question regarding US requirements for journaling public email (possible legislation?)
jna at retina.net
Thu Jan 5 16:24:49 CST 2012
On Thu, Jan 5, 2012 at 7:56 AM, Eric J Esslinger <eesslinger at fpu-tn.com>wrote:
> (I am speaking specifically of full email journaling, not just logs, which
> I do archive for significant amounts of time.)
> I also don't want to discuss the pros, cons, merits, costs, goods, or
> evils of such a requirement, just wanted to know if this is something I
> should be looking forward towards maybe needing to implement.
This is probably not what you want to hear, but you should really read
through EFF's "Best Practices for Online Service Providers."
OSPs cannot be forced to provide data that does not exist. EFF suggests
that OSPs draft an internal policy that states that they collect only
limited information and do not retain any logs of user activity on their
networks for more than a few weeks. If a court order requests data that is
more than a few weeks old, the OSP can simply point to the policy and
explain that it cannot furnish the requested data. Likewise, if unnecessary
PII is regularly deleted, the OSP cannot supply what it does not retain.
This saves the OSP time and money, while also providing the OSP with
sufficient data for its own administrative and business purposes.
More information about the NANOG