[88624] in North American Network Operators' Group


Re: Fed Bill Would Restrict Web Server Logs

daemon@ATHENA.MIT.EDU (Andy Davidson)
Tue Feb 14 11:14:53 2006

Date: Tue, 14 Feb 2006 16:14:11 +0000
From: Andy Davidson <andy@nosignal.org>
To: Suresh Ramasubramanian <ops.lists@gmail.com>
Cc: nanog@nanog.org
In-Reply-To: <bb0e440a0602140659p351ec8b8m1cfb6915191569fa@mail.gmail.com>
X-SA-Exim-Mail-From: andy@nosignal.org
Errors-To: owner-nanog@merit.edu


Suresh Ramasubramanian wrote:
> On 2/14/06, Jon R. Kibler <Jon.Kibler@aset.com> wrote:
>>>"A bill just announced in Congress would require every Web site operator
>>>to delete information about visitors, including e-mail addresses, if the
>>>data is no longer required for a "legitimate" business purpose.
>>Original posting from Declan McCullagh's PoliTech mailing list. Thought
> "When no longer required for business purposes"
> Your syslog's logrotate function does that for you already, for all
> reasonable purposes .. blows away logs that are say a week old.

Speaking with my e-commerce vendor hat on, server logs (apache, mail, 
application audit logs) and other information about visitors (especially 
those who have conducted a purchase transaction with us, or signed up to 
our newsletter) never stop having a business purpose - it's called 
referential integrity.

We want to use them to track the behaviour of fraudulent users, for example.

We also want to learn about how people use our site to make it easier. 
We want to ensure our mail systems are not approaching capacity.  We 
want to know if our spam filtering is working, and how its use changes 
over time, etc., etc., etc.

These are all business purposes.


It's interesting that the US government is requiring that less user data be
stored when European politicians are calling for greater data and log
retention rules.

