Data retention question

Ross Anderson Ross.Anderson at
Tue Jul 29 08:38:38 BST 2014

Andrew Cormack:

> As the law heads towards mandatory reporting of breaches and also mandatory 
> minimisation of data, that dilemma between keeping logs and not keeping them is going 
> to get sharper, so if there's any reliable research on where the best balance lies I'd be 
> interested to hear of it?

We did a big report for ENISA in 2008 which recommended that the EU move
towards reporting security breaches to affected citizens, as in the USA:

Unfortunately ENISA decided that it would rather have breaches reported to a
network of intelligence agencies, with itself at the centre. Hence the NIS

I'm afraid that if you try to minimise our data before you send it off to 
the spooks, they will probably pass a law pretty quick to stop you.

All in the name of "situational awareness", old boy ...


More information about the ukcrypto mailing list