
Bug#759382: do not keep so much logs



On 2014-09-22 11:13:22 -0400, Antoine Beaupré wrote:
> On 2014-09-22 10:52:48, Vincent Lefevre wrote:
> > I don't know where you live, but this is the same in most countries,
> > except that the period varies.
> 
> Where I live is irrelevant. It is not the same in all countries: some
> have more or less strict restrictions, some don't have any at all.
> 
> The United States of America, for example, do not enforce logging.

On http://forum.ovh.com/archive/index.php/t-47594.html someone said
6 months for the USA. Now I wonder whether one should believe him.
I still wonder whether you can't have any problem with the justice system
if someone does something illegal with your machine (e.g. via apache),
and you just say that it's someone else so that you are not
responsible.

> > What you say is a lie. France does not force users to spy on other
> > users.
> 
> I disagree. I think that forcing logging is forcing webserver operators
> to surveil their users, in the ultimate goal of revealing their
> activities to the authorities, and therefore spying.

No, webserver operators are not forced to log. No-one has ever been
convicted just because they didn't keep logs. However if something
illegal is done, the operator can be taken as responsible if he can't
identify the user who did this, or at least if he hasn't kept some
trace to identify him. Users should know that some trace may be kept,
so that this isn't even spying at all (it would be spying if done by
a 3rd party, without the knowledge of the parties).

Now, if a country wants to spy, it doesn't need a law (see the NSA
in the USA, for instance).

> >> I do believe that the european logging directives, for example, are a
> >> way to force providers to spy on their users on the behalf of the
> >> state. Other countries do not have such requirements and still have
> >> other legal means of getting to the data they need for criminal
> >> prosecution. Forcing providers to keep logs is a way to force
> >> deanonymisation of our users on the network, and is a fundamental issue
> >> with freedom of speech and association.
> >
> > When someone connects to my web server, this is not my user.
> > This is someone (human or not) I don't know.
> 
> I disagree. I think the client of a webserver is a user of a webserver.

But it's not *your* user. It's not a user of Debian (the user doesn't
care what OS is at the other side).

> >> > Wow! Most web servers keep logs for a long time by choice. Visitors
> >> > who do not agree with that should not use the web.
> >> 
> >> Webservers that want to choose to keep logs for a long time can do
> >> so.
> >
> > And webservers that want to choose to keep logs for a short time
> > can do so. So, there was no reason to change the default period.
> 
> I guess there was a compelling reason enough so that the default was
> changed. I have given numerous reasons why globally, the default logging
> should be reduced (resource usage, privacy, etc). You have given a
> single reason why, locally (namely in France), the default should be 52
> weeks, and haven't addressed the question as to what to do with
> variations in those policies outside of France.

Actually, but this is related, I want to keep logs for a long period
(even more than 1 year), just to have some trace in case someone tries
to compromise my machine or do something else bad. Vulnerabilities can
be found months/years after they have been introduced. Two weeks is
just not enough, and the change in Debian has been silently enforced
(I saw it just because I diff some config files).

On 2014-09-22 12:40:20 -0400, Antoine Beaupré wrote:
> After a little more research, here's an overview of the national data
> retention policies in Europe:
> 
> http://wiki.vorratsdatenspeicherung.de/Overview_of_national_data_retention_policies
> 
> Data retention seems to have been ruled out as unconstitutional in
> Germany, to show an example of how important it could be to keep minimal
> logs.

This is different because it seems to apply to private communication
from A to B, and information kept by a 3rd party (i.e. which is neither
A nor B).

> So please provide more references to back up your claim that "most
> countries need data retention" if you want to make a proper point here.

So, perhaps you should forget about what countries explicitly say,
but more focus on the responsibility of the end user who has a
webserver and needs trace if someone tries to do illegal things.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
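The two retention periods argued over in this thread (the two-week default versus the 52-week policy the reporter wants for incident forensics), written out as logrotate policies. This is an added example, not a file from this bug report or the Debian apache2 package: the path /etc/logrotate.d/apache2, the log glob and the remaining directives are assumptions about a typical Debian web server, and only one of the two stanzas may be active for a given glob, since logrotate rejects duplicate entries for the same log.

```conf
# Constructed example; not the file shipped by any package.
# Variant A: short retention. Daily rotation with 14 generations kept
# gives roughly two weeks of history before the oldest file is deleted.
# --- /etc/logrotate.d/apache2 (short retention) ---
/var/log/apache2/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    create 640 root adm
    sharedscripts
}

# Variant B: long retention. Weekly rotation with 52 generations kept
# gives roughly one year of history, so that access patterns can still be
# reviewed when a vulnerability is discovered months after it was introduced.
# Use this stanza INSTEAD of variant A, not alongside it.
# --- /etc/logrotate.d/apache2 (long retention) ---
/var/log/apache2/*.log {
    weekly
    missingok
    rotate 52
    compress
    delaycompress
    notifempty
    create 640 root adm
    sharedscripts
}
```

Because a package upgrade can replace this drop-in file, the effective policy is worth checking after upgrades rather than assumed: `logrotate -d /etc/logrotate.d/apache2` performs a dry run that reports which files would be rotated and how many generations would be kept, and keeping the file under version control (or diffing it, as the reporter does) makes a silent change visible.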

