Re: RFC 6302: "Internet-Facing Server Logging": No Word about Privacy?

I believe there is room to do better: A quick look at the Fair Information Practices (FIPs) would provide a good starting point: 

   Notice and Consent:  Before the collection of data, the data subject
      should be provided: notice of what information is being collected
      and for what purpose and an opportunity to choose whether to
      accept the data collection and use. 


   Collection Limitation:  Data should be collected for specified,
      explicit and legitimate purposes.  The data collected should be
      adequate, relevant and not excessive in relation to the purposes
      for which they are collected.


   Use/Disclosure Limitation:  Data should be used only for the purpose
      for which it was collected and should not be used or disclosed in
      any way incompatible with those purposes.


   Retention Limitation:  Data should be kept in a form that permits
      identification of the data subject no longer than is necessary for
      the purposes for which the data were collected.


   Accuracy:  The party collecting and storing data is obligated to
      ensure its accuracy and, where necessary, keep it up to date;
      every reasonable step must be taken to ensure that data which are
      inaccurate or incomplete are corrected or deleted.


   Access:  A data subject should have access to data about himself, in
      order to verify its accuracy and to determine how it is being
      used.


   Security:  Those holding data about others must take steps to protect
      its confidentiality.


On Oct 11, 2011, at 5:17 PM, Stephane Bortzmeyer wrote:

> On Tue, Oct 11, 2011 at 04:42:17PM +0300,
> Hannes Tschofenig <hannes.tschofenig@xxxxxxx> wrote 
> a message of 58 lines which said:
> 
>> it is quite likely that they also need to be told something about
>> privacy.
> 
> For me, the most important mention of privacy is:
> 
>   It is RECOMMENDED as best current practice that Internet-facing
>   servers logging incoming IP addresses from inbound IP traffic also
>   log:
> 
> Do note "Internet-facing servers ***logging incoming IP
> addresses***". It means that no one recommends to log IP addresses, the
> RFC just says that, ***if you do log***, logging the IP address
> without the port number is not very sensible.
> 
> 
