EFF app helps sysadmins find sneaky logs ...

[Zachariah]

As a reseller account, I know I could probably run the EFF's tool on my own -- but I'm wondering if this is actually something WebHSP should offer for its customers as an included/optional service.  

Are the operators of WebHSP aware of the options/benefits to offer more privacy, or specifically this attempt by the EFF to make it easier?  

Are any other WebHSP clients interested in this issue?  

• EFF: Best Practices for Online Service Providers
• EFF Announces New Privacy Tool
• Boing Boing: EFF app helps sysadmins find sneaky logs before The Man does

(from boingboing.net)

Monday, February 7, 2005
EFF app helps sysadmins find sneaky logs before The Man does
Hey, sysadmins! Are you logging stuff you don't need? If you are, The Man might bust down your door and take those logs from you and use them to screw over your gentle, goodhearted and trusting users.

EFF's got the answer: my co-worker Seth Schoen has written an app that digs through your drive and tells you what you're logging and where so that you can decide what you need to keep and what gets catted into /dev/null.

By finding unwanted log files, logfinder informs system administrators when their servers are collecting personal data and gives them the opportunity to turn logging off if it isn't gathering information necessary for administering the system.

Logfinder was conceived by security consultant Ben Laurie and written by EFF Staff Technologist Seth Schoen. It's intended to complement EFF's recent white paper, "Best Practices for Online Service Providers," in which the organization argues that administrators should remove as many logs as possible and delete all personally identifying data from them.

Link ("EFF Announces New Privacy Tool")

[john]

Hi Zachariah,

Thanks for all the information.  I have quickly gone through it, and want to spend more time reviewing.  Having dealt with several subpeonas and court orders while at Ventures Online, I can see where they are coming from.

As for your specific logs, you could implement something for your application specific logs that are logged within your site or domain.  But your web logs, ftp logs and other server level logs would be derived from our logs, so it may not provide you the protection you seek since ultimately we are the service provider.

Will we implement the practices suggested?  I don't know.  There is a lot to consider and I need to consult with our legal counsel, so I have a good understanding of the law, and our obligations under the law as a service provider.  

As a provider and a citizen within the overall internet community I feel I do have a moral obligation to keep logs so that illegal activites, lets says something like kiddie porn, can be shut down and prosecuted.  

Also, it seems that the overall theme is one of "lets eliminate the logs" so when someone asks us for information we can say we don't have it and they can go away, which reduces work.  Seems to make sense.  But is that good thing or is it just providing an excuse for a provider to be lazy?  I don't know.

So it becomes a complex question, and a question to which there is not an easy answer.

I want to thank you for bringing it into the forum.  It raises very interesting questions and discussion points.

~John Burns

[Zachariah]

Thank you for the very detailed response.  I'm glad it seems to be a worthwhile article for me to have posted about.  I understand the need to speak with legal counsel, and I'm glad that it's an issue you consider, no matter what action you take.