Deep in the darkest heart of your servers, there live files known as logs. They contain all manner of intensely revealing information about people who use your systems. Web server logs might show which URLs somebody has visited, for how long, and what they wrote on an anonymous message board. Email server logs can even contain information about who is sending email to whom.

The truly scary thing is that many Online Service Providers (OSPs) don't realize they're collecting all this personal data in their logs. Or, if they do know, they have no policy in place to protect the privacy of the people whose online activities they've routinely been logging.

This data is of great interest to third parties, including attorneys pursuing cases, industry groups like the RIAA, and state and federal law enforcement. Under the USA PATRIOT Act, the government has greatly expanded powers to request this kind of information, and OSPs must respond to requests for private user data and logs. Yet complying with these demands threatens the OSP's goal of providing users with reliable, secure network services.

To help OSPs respond to these increasing legal pressures, EFF has written a white paper outlining best data-logging practices for OSPs. This is required reading for anyone who works at an OSP, or uses one -- in other words, just about everyone.

Related Issues