Data retention question

Ross Anderson Ross.Anderson at cl.cam.ac.uk
Tue Jul 29 08:38:38 BST 2014


Andrew Cormack:

> As the law heads towards mandatory reporting of breaches and also mandatory 
> minimisation of data, that dilemma between keeping logs and not keeping them is going 
> to get sharper, so if there's any reliable research on where the best balance lies I'd be 
> interested to hear of it?

We did a big report for ENISA in 2008 which recommended that the EU move
towards reporting security breaches to affected citizens, as in the USA:

  https://www.lightbluetouchpaper.org/2008/03/07/security-economics-and-the-eu/

Unfortunately ENISA decided that it would rather have breaches reported to a
network of intelligence agencies, with itself at the centre. Hence the NIS
Directive.

I'm afraid that if you try to minimise our data before you send it off to 
the spooks, they will probably pass a law pretty quick to stop you.

All in the name of "situational awareness", old boy ...

Ross
