Data retention question

Peter Fairbrother zenadsl6186 at zen.co.uk
Tue Jul 29 09:29:41 BST 2014


On 28/07/14 10:28, Andrew Cormack wrote:
>>  On Behalf Of Peter Fairbrother
>> On 25/07/14 10:46, Andrew Cormack wrote:

>>> James On the question of what might be lost, a long time ago
>>> LINX consulted Elizabeth France (yes, *that* long ago) and
>>> concluded that "necessary for security" probably covered
>>> retention of all logs for roughly six months.
>>
>> I am a little uncertain as to what "necessary for security"
>> actually means. Whose security? Security of what?
>>
>> If you mean the security of the network, why would a network need
>> to keep any customer logs at all?
>
> "Necessary for security" wasn't my phrase. Actually I suspect that a
> lot of protecting the security/availability of a network service can
> probably mostly be done using aggregated flow data.

Yes, I agree - maybe you would want to keep records of which IP was 
issued to which customer, but I see no reason to keep records detailing 
users' individual communications.


> But detecting and protecting breaches of end systems, whether servers
> or clients, does seem to me to be a genuinely hard privacy question.


I don't see it that way so much, as long as the ISP, in its role as a
pure packet-passer, has nothing to do with keeping the logs.

In practice ISPs do do other things than passing packets, eg they run 
email servers, webservers, and so on - and keeping logs for those may be 
necessary for security and in order to maintain the service. For 
instance, keeping email to-and-from logs may help if you get blacklisted 
- though I don't see any need to keep them for more than a few days.

JANET is of course a different proposition from the average ISP, and I 
expect you have many different roles to perform - but I don't think even 
you need to keep detailed user network records in order to protect the 
network.

Use of email and other services you provide, yes as needed. Packets 
passed, no.



[

though of course if you keep detailed records of all traffic, including 
content, that might one day allow you to trace a breach which you might 
not otherwise be able to trace - however privacy must come into it 
somewhere, and like keeping packet-level records, keeping all traffic
would be too much.

On the DRIP issue, Cameron said he is "not prepared to be a prime 
minister who addressed people after a terrorist incident, saying he 
could have done more to prevent it."

But that will always be the case, you can always do more.

The real question to ask is, is it worth the cost - how well does it 
work, and is that result good value in terms of money, lost liberties, 
lost privacy.

There are no absolutes here, just calculations.

Calculations of risk and reward - calculations which I do not believe 
the involved politicians and civil servants actually make, or even know 
how to make.

Let's see the numbers!

]


> That does need logs of activity by individual users and on individual
> records: the longer I keep the logs then the greater privacy threat
> the logs themselves become. But if I reduce the retention period then
> I increase the risk that when a breach does occur I won't be able to
> look back and find out either how it happened or who was affected.
> Depressingly, the results from the Verizon breach survey suggest that
> compromise to detection could easily be more than six months :(

The types of breaches in the report seem to be breaches in an attached 
server, not in the network itself - the operators of the server may well 
want to keep detailed logs, but I don't see that an ISP which does not 
run the server has any need to.

> As the law heads towards mandatory reporting of breaches and also
> mandatory minimisation of data, that dilemma between keeping logs and
> not keeping them is going to get sharper, so if there's any reliable
> research on where the best balance lies I'd be interested to hear of
> it?


I don't know of any research into that specific area - but in general we 
do know how to do the math behind the risk and reward calculations.

It's just hard to get people to agree on the values of the risks and 
rewards.

-- Peter Fairbrother


