Data retention question

Andrew Cormack Andrew.Cormack at ja.net
Tue Jul 29 11:42:00 BST 2014 


> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Peter Fairbrother
> Sent: 29 July 2014 09:30
> To: ukcrypto at chiark.greenend.org.uk
> Subject: Re: Data retention question
> 
> On 28/07/14 10:28, Andrew Cormack wrote:
> >>  On Behalf Of Peter Fairbrother
> >> On 25/07/14 10:46, Andrew Cormack wrote:
> 
> >>> James On the question of what might be lost, a long time ago
> >>> LINX consulted Elizabeth France (yes, *that* long ago) and
> >>> concluded that "necessary for security" probably covered
> >>> retention of all logs for roughly six months.
> >>
> >> I am a little uncertain as to what "necessary for security"
> >> actually means. Whose security? Security of what?
> >>
> >> If you mean the security of the network, why would a network need
> >> to keep any customer logs at all?
> >
> > "Necessary for security" wasn't my phrase. Actually I suspect that a
> > lot of protecting the security/availability of a network service can
> > probably mostly be done using aggregated flow data.
> 
> Yes, I agree - maybe you would want to keep records of which IP was
> issued to which customer, but I see no reason to keep records detailing
> user's individual communications.

Nor do I, and we don't have anywhere near the technology that would be needed to collect either comms data or content on our links (100Gbps) anyway. 

Identification and helping the user is something we leave to the responsible university/college - we just send them the network coordinates and time and the nature (to the extent that we can determine it) of the problem. Even within universities, I recommend doing identification as a separate process (probably formally escalated) from investigation to protect both the investigated and the investigator.
 
> > But detecting and protecting breaches of end systems, whether servers
> > or clients, does seem to me to be a genuinely hard privacy question.
> 
> 
> I don't see it that way. so much, as long as the ISP, in its role as a
> pure packet-passer, has nothing to do with keeping the logs.
> 
> In practice ISPs do do other things than passing packets, eg they run
> email servers, webservers, and so on - and keeping logs for those may
> be
> necessary for security and in order to maintain the service. For
> instance, keeping email to-and-from logs may help if you get
> blacklisted
> - though I don't see any need to keep them for more than a few days.

Agreed on what to keep, and why. Though from my experience as postmaster, users expect you to be able to resolve problems a lot longer after the event than that. Typically, "my supervisor didn't receive the essay I sent last term, what happened to it?" :(
 
> JANET is of course a different proposition from the average ISP, and I
> expect you have many different roles to perform - but I don't think
> even
> you need to keep detailed user network records in order to protect the
> network.
> 
> Use of email and other services you provide, yes as needed. Packets
> passed, no.
>
> though of course if you keep detailed records of all traffic, including
> content, that might one day allow you to trace a breach which you might
> not otherwise be able to trace - however privacy must come into it
> somewhere, and like keeping packet-level records, keeping att traffic
> would be too much.

Completely agree!
 
> On the DRIP issue, Cameron said he is "not prepared to be a prime
> minister who addressed people after a terrorist incident, saying he
> could have done more to prevent it."
> 
> But that will always be the case, you can always do more.
> 
> The real question to ask is, is it worth the cost - how well does it
> work, and is that result good value in terms of money, lost liberties,
> lost privacy.
> 
> There are no absolutes here, just calculations.
> 
> Calculations of risk and reward - calculations which I do not believe
> the involved politicians and civil servants actually make, or even know
> how to make.
> 
> Let's see the numbers!
> 
> ]
> 
> 
> > That does need logs of activity by individual users and on individual
> > records: the longer I keep the logs then the greater privacy threat
> > the logs themselves become. But if I reduce the retention period then
> > I increase the risk that when a breach does occur I won't be able to
> > look back and find out either how it happened or who was affected.
> > Depressingly, the results from the Verizon breach survey suggest that
> > compromise to detection could easily be more than six months :(
> 
> The types of breaches in the report seem to be breaches in an attached
> server, not in the network itself - the operators of the server may
> well
> want to keep detailed logs, but I don't see that an ISP which does not
> run the server has any need to.
> 
> > As the law heads towards mandatory reporting of breaches and also
> > mandatory minimisation of data, that dilemma between keeping logs and
> > not keeping them is going to get sharper, so if there's any reliable
> > research on where the best balance lies I'd be interested to hear of
> > it?
> 
> 
> I don't know of any research into that specific area - but in general
> we
> do know how to do the math behind the risk and reward calculations.
> 
> It's just hard to get people to agree on the values of the risks and
> rewards.
> 
> -- Peter Fairbrother

I just hope someone informed and authoritative (Art29, maybe?) can come up with something before the Regulation makes inconsistent demands on breach notification versus data minimisation. Otherwise we'll end up with businesses each making that decision themselves (probably based on the balance of sanctions, rather than any balance of privacy), which hasn't exactly been a great success this far :(

Cheers
Andrew

--
Andrew Cormack
Chief Regulatory Adviser, Janet
t: +44 1235 822302
b: https://community.ja.net/blogs/regulatory-developments
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is
registered in England under No.2881024 and whose Registered Office is at Lumen House, Library
Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238

More information about the ukcrypto mailing list