Data retention question
Andrew Cormack
Andrew.Cormack at ja.net
Mon Jul 28 10:28:14 BST 2014
> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Peter Fairbrother
> Sent: 26 July 2014 08:33
> To: UK Cryptography Policy Discussion Group
> Subject: Re: Data retention question
>
> On 25/07/14 10:46, Andrew Cormack wrote:
> > James, on the question of what might be lost, a long time ago LINX
> > consulted Elizabeth France (yes, *that* long ago) and concluded that
> > "necessary for security" probably covered retention of all logs for
> > roughly six months.
>
> I am a little uncertain as to what "necessary for security" actually
> means. Whose security? Security of what?
>
> If you mean the security of the network, why would a network need to
> keep any customer logs at all?
"Necessary for security" wasn't my phrase. Actually I suspect that a lot of protecting the security/availability of a network service can probably mostly be done using aggregated flow data.
But detecting and protecting breaches of end systems, whether servers or clients, does seem to me to be a genuinely hard privacy question. That does need logs of activity by individual users and on individual records: the longer I keep the logs then the greater privacy threat the logs themselves become. But if I reduce the retention period then I increase the risk that when a breach does occur I won't be able to look back and find out either how it happened or who was affected. Depressingly, the results from the Verizon breach survey suggest that compromise to detection could easily be more than six months :(
As the law heads towards mandatory reporting of breaches and also mandatory minimisation of data, that dilemma between keeping logs and not keeping them is going to get sharper, so if there's any reliable research on where the best balance lies I'd be interested to hear of it?
Andrew
--
Andrew Cormack
Chief Regulatory Adviser, Janet
t: +44 1235 822302
b: https://community.ja.net/blogs/regulatory-developments
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is
registered in England under No.2881024 and whose Registered Office is at Lumen House, Library
Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238