Friday, November 05, 2004

How to not be a law enforcement tool ...

The Electronic Frontier Foundation (EFF) has released a document entitled Best Practices for Online Service Providers. In response to Online Service Providers being continually subjected to subpoenas and warrants for log files, EFF argues that unless there is a legislated or regulatory need to archive data, OSPs should not keep any user info they don't need.

Best Practices for Online Service Providers: "...The best way to protect against the risk of log artifacts on disk is to never create any user logs in the first place. This is the ideal and safest solution even though it is often impractical. By reconfiguring the logging preferences in server applications, one can easily change the log level to record nothing about network events. But for most OSPs, these logs are necessary for network troubleshooting and security precautions. This is also virtually impossible for large, for-profit providers that need to maintain billing and subscriber contact information. Thus, the best tactic for an OSP is to come up with a safe and sane network policy in which logs are retained for the shortest possible time..."

Under Canadian privacy laws (at least until retention requirements are imposed under lawful access guidelines), ISPs/OSPs should be collecting user information only for reasonable purposes and keeping it only as long as is reasonably necessary for the purposes for which it was collected. I know of at least one ISP that keeps their log files indefinitely because they enjoy their friendly relationship with law enforcement. They still require a warrant, but the cops know that it is all kept. Some organizations want to minimise the muss and fuss of being dragged into court and asked to provide user info. If they simply don't have the info that is being sought, they say so and avoid the issue. (This issue has also come to the fore in public libraries, where privacy-aware librarians have changed practices to delete the history of borrowers after books are returned undamaged.)

Thanks to the ever-informative, always useful BeSpacific for the link.
