[Dshield] Fed Bill Would Restrict Web Server Logs

Laura Vance vancel at winfreeacademy.com
Tue Feb 14 19:30:25 GMT 2006

Paul Marsh wrote:

>I'd love to know what got Mr. Markeys pants all in a bunch?  I'm not a
>lawyer and nope I don't play one on TV but it looks a little weak. 
>An owner of an Internet website shall destroy, within
>a reasonable period of time, any data containing personal
>information if the information is no longer necessary for
>the purpose for which it was collected or any other legiti
>mate business purpose, or there are no pending requests
>or orders for access to such information pursuant to a
>court order.
>What's "reasonable period of time"?
>Who determines when "the information is no longer necessary for the
>purpose for which it was collected"?
>Thanx, Paul
Reading just that passage almost makes it seem like you can still use 
your data as you see fit, but you can't just store the logs forever.  To 
me, a reasonable amount of time is the amount of time it takes for 
someone to realize that something happened.  I figure giving them about 
4 weeks is good, so my logs have 4 weeks worth of rotation then they go 
bye-bye.  If your web site has more data that may not be noticed for a 
year, then I'm sure you could keep your logs for a year.  I'm also 
pretty sure that if it's documented in your data/backup policy manual 
and you state the reason for the extensive backups, you'd have 
absolutely no worries.

Then the clause that says "the purpose for which it was collected" could 
easily be "we collect the web server logs for historical statistical 
data so that we can determine how our web site was used since its 
creation."  Then you'd be allowed to keep your logs forever. :)

But then how many web servers collect personally identifiable 
information and put it into their logs?  I'm talking about information 
that could be used for identity theft as what meets the criteria for 
"personal information", and that's probably what they want to prevent.

Laura Vance
Systems Engineer
Winfree Academy Charter Schools

More information about the list mailing list