[Dshield] Problems with the Markey bill-Legitimate Business Purpose- SANS comments

L. Ruiz dianalucy00-sans at yahoo.com
Wed Feb 15 21:07:53 GMT 2006

I have a few comments about this article from SANS NewsBites Vol. 8 Num. 13
-- snip --
--Proposed Legislation Would Require Web Sites to Purge Obsolete Personal Data
(8 February 2006)
US Congressman Ed Markey (D-MA) has introduced legislation that would "require
owners of Internet websites to destroy obsolete data containing personal
information."  The Eliminate Warehousing of Consumer Internet Data Act of 2006
would apply to all web site operators, including non-profits, bloggers,
charities and individuals.  Sites would be allowed to retain data for "a
legitimate business purpose," but some have expressed concern that the bill
gives the federal government the power to determine what constitutes a
legitimate purpose.  The bill is designed to address data theft issues as well
as privacy issues akin to those raised by Google's refusal to comply with a
subpoena from the Department of Justice requesting data about customer
[Editor's Note (Schultz): Despite any apparent limitations, if passed this
legislation would yield many benefits to the American public. The threat of
identity theft has never been greater; this proposed legislation aims to lower
the probability of the occurrence of this kind of crime.
(Murray): Legislate in haste, repent at leisure]
-- snip --

IANAL - but I'll try playing one on TV: 
I have to disagree with Mr. Schultz.  The legislation does nothing to stop
ChoicePoint, or any other data broker, from compiling data and keeping such data as
long as they like - these entities by definition have a 'legitimate' business
interest.  That's why they exist.  Databases are not affected by this
legislation - only web pages with a specific URL - as per the legislation's

A legitimate business purpose encompasses medical information, insurance
information, etc., and therefore this bill would Not require those entities to
dispose of this information once it no longer served its purpose.  A business
could argue that outdated data is still useful for data mining and competitive
advantage (legitimate business purpose).  

The bill attempts to state that such threats to privacy are the reason the bill
is necessary - the findings section.  However, this bill will not impose any
penalties when data theft occurs at brokers/banks/medical/etc, where the
majority of incidents have occurred.  In essence doing nothing to address one
of the purposes of the bill (finding #6 - fair information practices,

The real effect of this bill will be:
(1) It will allow the government to issue 'take down' notices similar to the
DMCA to private citizens and organizations.  The bill in effect curtails free
speech as names of people are defined as 'personal information' and are subject
to the requirement for deletion.  

(2) This bill also will impact historical records - a historical record is not
a required use, nor is it a legitimate business purpose.  The bill would affect
cached pages (historical records) at both search engines and archive sites -
any page that includes any of the defined personal information (names, phone
numbers, etc).  This unintended consequence reminds me of book burning - the
electronic version.

Linda Ruiz :(

For my non-geek friends:
Friends don't email friends .exe or .com files.  So don't open those types of attachments!!
For my geek friends:
Adopt a newbie....
