Data retention question

[Caspar Bowden (lists)]

On 07/25/14 15:00, Andrew Cormack wrote:
>> -----Original Message-----
>> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
>> bounces at chiark.greenend.org.uk] On Behalf Of Caspar Bowden (lists)
>> Sent: 25 July 2014 11:30
>> To: UK Cryptography Policy Discussion Group
>> Subject: Re: Data retention question
>>
>> On 07/25/14 11:46, Andrew Cormack wrote:
>>> James
>>> On the question of what might be lost, a long time ago LINX consulted
>> Elizabeth France (yes, *that* long ago) and concluded that "necessary
>> for security" probably covered retention of all logs for roughly six
>> months.
>>
>> And obviously DP Registrar then, as ICO now, renowned as leading
>> authority on Internet technology and punctilious assessment of the
>> "strict necessity" (CJEU words) of infringements to private life
>> arising
>> therefrom.
>>
>> {/heavy_sarcasm}
>>
>> Caspar
> The shorter time you keep logs for, the less chance of determining either the cause or impact of breaches of privacy such as Target. I wish companies holding personal data were better at detecting incidents, but DBIR et al suggest it's not happening.

Nobody forced customers to use Target, but most users have no choice in 
JANET-type provider. Running a comms service (public or private) entails 
obligations of comms data minimization against which 
security/availability of the service are factors to be weighed against 
(not trumping) privacy.

The public still doesn't realize that little stitch-ups legitimating 
retention like this go way back to France's era, under the deluded 
collective premise that a public benefit was being served, rather than 
damn-nearly-fatal erosion of a fundamental right.

CB