[Dshield] Fed Bill Would Restrict Web Server Logs

Jon R. Kibler Jon.Kibler at aset.com
Tue Feb 14 20:13:28 GMT 2006

Laura Vance wrote:
> Reading just that passage almost makes it seem like you can still use
> your data as you see fit, but you can't just store the logs forever.  To
> me, a reasonable amount of time is the amount of time it takes for
> someone to realize that something happened.  I figure giving them about
> 4 weeks is good, so my logs have 4 weeks worth of rotation then they go
> bye-bye.  

But, what is a reasonable length of time? And who is to determine if a 'business purpose' is legitimate? 

While I am all for privacy legislation, this bill introduces a BIG can of worms!

For example: 
   1) The EU requires the retention of logs for an extended period of time. I think the minimum is 1 year and individual countries can mandate longer. So, by whose rules does an international company with a distributed web presence play?
   2) Some businesses -- especially those dealing with credit -- are under the perception that they must retain all business records for 7 years past the tax year during which associated business was last conducted. For example, I know of at least one national hotel chain that keeps all the original paperwork associated with your registration for that long -- including your credit card imprint. I am told that this also includes all online reservation records.

The other issue is that, like so much computer-related law, the bill is vague and overly subject to interpretation. Who knows how the bill would be twisted by some prosecutor should it become law? Laws should be written so that you know EXACTLY what is and is not legal. This bill CLEARLY fails that minimal test of reasonableness.

Jon Kibler
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214

