Bug#759382: do not keep so much logs
On 2014-09-23 11:25:53 +0200, ilf wrote:
> Vincent Lefevre:
> >On http://forum.ovh.com/archive/index.php/t-47594.html someone said
>
> A link to a five year old thread on some random webforum is not exactly a
> convincing argument. If you want to have a discussion on law, please link to
> the legal text of the law in its official and in effect form.
The link above contains some other links. IIRC, some of them are
off-topic (such as anything related to private communications).
But there's this one:
http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000801164&dateTexte=
about "prestataires techniques", i.e. someone who maintains a service
but doesn't want to be responsible for what is done with it. The law
provides him some protection, but on the other hand, he has some
obligations. The French law does *not* enforce these obligations,
and someone who maintains a web service is free to ignore them, but
in such a case, he no longer has such a protection.
One of these obligations is:
Les personnes mentionnées aux 1 et 2 du I détiennent et conservent
les données de nature à permettre l'identification de quiconque a
contribué à la création du contenu ou de l'un des contenus des
services dont elles sont prestataires.
Basically, it says that one needs to keep some logs that would allow
authorities to identify contributors. It doesn't say exactly what,
but I suppose that in absence of other data, the IP address and the
date/time must be kept (this will be used as a part of the
investigation). The duration isn't given in the law but in a "décret"
(and I don't have it here -- anyway it's obviously much more than two
weeks).
Note also that this law is about the creation of public contents.
Most of end-user web servers do not offer that. The important point
is that there may be very similar issues. For instance, an attacker
may compromise a web server and provide his own, illegal contents.
Using the logs may allow one to identify the attacker. Without any
log, the end user would be taken as responsible (or have a part of
responsibility).
IMHO, the default should protect end users who have the least
knowledge or do the most basic things. Many users don't have a public
web server, but they may have a web server installed and running
(sometimes automatically due to a dependency) because of various
services. For instance, I have ones to test my web site (and access it
locally), also used for sensord graphs. They are not publicized. Since
they don't contain private data and I want to have access to them from
various places, I haven't added specific restrictions (at least at the
web server level). I can check in the logs if some people try to do
anything bad with them... If in any case, due to some vulnerability,
someone compromises the server or uses it as a gateway to do illegal
things somewhere else, logs can really be useful.
Admins of more important web servers can take some more time to adjust
config files (such as log rotation), depending on there needs. But
really, for a private web server (or public with minimalist contents),
there should be good defaults.
Moreover logs can also be useful for tools like fail2ban, and it is
not clear whether such a change may affect such tools, at least in
every configuration.
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Reply to: