[BlueOnyx:21889] Re: EU-DSGVO - anonymize ip addresses in apache logfiles / other logfiles?

[Michael Stauber]

Hi Ken,

> My view is the opposite, if I no longer have the data, I 
> can't be forced to cough it up, so delete it as soon as I
> no longer need it for a legitimate operational purpose.

Yeah, that is a quite sensible approach.

> It sounds like deleting logfiles containing IP 
> addresses after a reasonable period like maybe 1 month
> would satisfy the EU requirements?

I'm no lawyer, but I think one month should be easy to justify. In any
case we can make it configurable.

> I know that low level LEA requests can come in 6 or 12 months 
> after the fact. But terrorist, hostage, kiddie porn, soliciting
> minors for sex, etc will happen within hours or days. And any
> network attack investigations I will have completed in a month.

Exactly. One way or other one has to fully comply with such legal
requests. In Germany it's like this: If an ISP has more than 100.000
clients/users, then by law he is required to install a "black box bug"
(called "SINA") that allows LEA to access the server(s). They can then
do so by dialing into the SINA box. There is also a gag order, so
affected ISP's are not at liberty to discuss this with third parties,
similar to the FISA warrant gag orders in the US. If the ISP is smaller,
he has of course to provide the requested data via other means. On a few
occasions I've assisted BlueOnyx server owners to comply with the manual
aggregating of data requested by law enforcement agencies.

-- 
With best regards

Michael Stauber