Today EFF released a revised white paper on Best Practices for Online Service Providers, an update of the 2004 OSP Best Practices white paper. In the white paper, EFF offers some suggestions, both legal and technical, for the best privacy practices for collecting, storing and disclosing data that balance the needs of OSPs and their users' privacy and civil liberties.

OSPs are vital links between their users and the Internet, offering bandwidth, email, web, and other Internet services. In the process of offering services, OSPs collect and store detailed information about their users and their user's online activities.

User information can be of great interest to the government and civil litigants, leading to numerous requests from law enforcement and lawyers to hand over private user information and logs. Yet, compliance with these demands takes away from an OSP's goal of providing users with reliable, secure network services.

In the OSP Best Practices white paper, we offer information for OSPs in order to help them make sound, ethical decisions about how to safeguard private data and preserve freedom of expression online.

Summary of Recommendations

  1. Develop procedures for dealing with legal information requests and providing notice to users.
  2. Work with both attorneys and engineers to develop a privacy policy that fits your OSP’s practices.
  3. Collect the minimum amount of information necessary to provide OSP services.
  4. Store information for the minimum time necessary for operations.
  5. Effectively obfuscate, aggregate and delete unneeded user information.
  6. Maintain written policies addressing data collection and retention.
  7. Enable SSL as much as possible throughout your site to secure users’ information and communications.
  8. Understand threats to the security of sensitive information and communications on your systems, and mitigate them appropriately.
  9. Follow best-practice principles for the use of cookies on your site.
  10. Insist that the OSPs and other service providers you work with observe these best practices, too.

OSPs can face many other legal issues beyond user privacy, from DMCA takedown requests to defamation claims to issues with adult materials. While these are outside the scope of the OSP Best Practices paper, EFF recommends that OSPs review the EFF Bootcamp materials, which provides the basics on a number of key legal issues for Web 2.0 companies. We also recommend reading EFF’s Legal Guide for Bloggers, which provides a basic roadmap to the legal issues one may confront as an online publisher.