[148225] in North American Network Operators' Group


Re: question regarding US requirements for journaling public email

daemon@ATHENA.MIT.EDU (John Adams)
Thu Jan 5 17:25:38 2012

In-Reply-To: <D2D37F15EBBD524693E9F3CB32D02080430C79A5C9@exchange.corp.fpu-tn.com>
Date: Thu, 5 Jan 2012 14:24:49 -0800
From: John Adams <jna@retina.net>
To: Eric J Esslinger <eesslinger@fpu-tn.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, Jan 5, 2012 at 7:56 AM, Eric J Esslinger <eesslinger@fpu-tn.com> wrote:

>
> (I am speaking specifically of full email journaling, not just logs, which
> I do archive for significant amounts of time.)
>
> I also don't want to discuss the pros, cons, merits, costs, goods, or
> evils of such a requirement, just wanted to know if this is something I
> should be looking forward towards maybe needing to implement.
>

This is probably not what you want to hear, but you should really read
through EFF's "Best Practices for Online Service Providers."

https://www.eff.org/wp/osp

Specifically:

OSPs cannot be forced to provide data that does not exist. EFF suggests
that OSPs draft an internal policy that states that they collect only
limited information and do not retain any logs of user activity on their
networks for more than a few weeks. If a court order requests data that is
more than a few weeks old, the OSP can simply point to the policy and
explain that it cannot furnish the requested data. Likewise, if unnecessary
PII is regularly deleted, the OSP cannot supply what it does not retain.
This saves the OSP time and money, while also providing the OSP with
sufficient data for its own administrative and business purposes.
