Protect Your OSP with logfinderby Richard Koman
Online service providers are increasingly being served with subpoenas from both companies and government to hand over personal data about their users' activities. In October 2004, the Electronic Frontier Foundation issued a white paper on best practices for online service providers (OSPs), and last week EFF released a software tool called logfinder to help OSPs locate and identify log files they may not even know they have.
OSPs, as defined in the DMCA and the Patriot Act, encompass far more than Internet service providers or online communities. OSPs may include web site operators and even bloggers who allow visitors to post their own blogs. "Virtually any web site or access intermediary, not just established subscriber-based businesses, can be considered an OSP under the law," according to EFF's white paper on the subject. "Indeed, even individuals may be accidental OSPs, if they set up WiFi access points to share Internet connectivity with friends and neighbors."
The risk is not theoretical, says Seth Schoen, staff technologist for EFF. "Organizations with records are getting more and more compliance requests over time," mostly from private parties, he said. As for the increased powers the Patriot Act affords government, "There's a perception that there are more Patriot Act requests. A lot of those powers are exercised in secret, and those who receive requests are often not allowed to tell anyone, so it's hard to get accurate information about it," he said. EFF recently filed a Freedom of Information Act request to try to get more details on Patriot Act-related subpoenas.
EFF's core suggestion is that OSPs do not keep records of user activity, and if they do keep records, to limit the number of records they keep, perhaps by deleting all records after a few weeks. The idea is that no one can demand something from you that you don't have. At least that's the case in the United States.
"It's not true everywhere that people have as much discretion as they do in the U.S.," said Schoen, "but our interpretation is that for most people who retain records, you have discretion to decide which records to maintain, and you can't be punished for not having kept records."
While there are exceptions, such as the financial and health industries, which are specifically regulated, Schoen said, "It's not true for web publishers; they're not required to know who their readers are. If they do know, they're not required to keep records."
"We want to remind people they have the ability to set a policy, and if you're collecting information you should set a policy," Schoen said. "Given the increase in subpoena activity, the practice of logging everything is a bad practice. It might be tempting for someone to try to get all that data from you."
To help OSPs protect themselves, EFF released a tool last week, logfinder, to identify the logs that might be hiding on your system. "It's an illustrative means of becoming aware of the locations of logs on a system," said Schoen, the author of the tool. "It's not exhaustive, but it should give you an idea. There may be cases where system administrators are not even aware of what's being logged," since many tools log by default.
"We're not saying this program is guaranteed to find all the personal information on your system, but it is useful as one thing that sysadmins can do," Schoen said.
The idea of deleting logs doesn't come naturally to system administrators, Schoen said. "The idea of a user data retention policy is familiar to corporate lawyers; they understand the liability risks in keeping everything forever. Sysadmins as a profession haven't taken this to heart yet. Depending on the size of an organization, sysadmins may or may not be responsible for policy."
The bottom line: if your organization doesn't have a policy on retaining personally identifiable information, set one. And when you set your policy, keep as few records as possible and retain them for as short a time as possible. For instance, compile the general usage statistics useful for your business needs and then delete the raw logs. In addition, as EFF's white paper points out, organizations can obscure personally identifying information in order to compile general statistics. In all cases, when useful information has been gleaned from the logs, delete them.
Return to the Policy DevCenter.