Feeds

Retain or restrain access logs?

If the system ain't broke, don't fix it

SANS - Survey on application security programs

The problem is that these powers are not limited to cases of organised crime, terrorism or child protection - nor could they be for IP retention. After all, an ISP would have no way of knowing if records were going to be relevant two years hence in some investigation, and therefore they would be required to keep everything.

Nor has the government proposed legislation that would say that the retained records may only be accessed pursuant to a court order in cases of child exploitation or protection. No, once retained, the records are subject to criminal or civil subpoena, investigative demand, National Security Letter, grand jury subpoena, search warrant, administrative demand, or even a secret request from the government pursuant to the powers of the President as Commander in Chief in a time of war. And unprivileged records can be subpoenaed by private litigants as well.

The cost of record retention

Who will pay for creating and storing these terabytes of data? Who will store them? The ISPs or the government? And who will secure and protect them? Perhaps the United States Department of Veteran's Affairs, or the Department of Energy can be trusted with our personal records?

Sure, it would make investigations easier if all kinds of records were created and stored forever. What the Attorney General fails to understand is that ISPs already strike a balance in favour of protecting the privacy of their users. The IP records they create are created solely for the purpose of making sure the connection is made, and serve no real ISP function thereafter. Therefore, they are destroyed.

The government is seeking to fundamentally change that balance and to make ISPs agents of the state in creating and retaining records not for their own purposes, but for the government's. As CNET's Declan McCulloch pointed out, Congress is considering making the retention rules mandatory. This is bad policy.

Law enforcement already has the power to demand, in individual investigations, that ISPs retain specific records for 90 days, in 18 USC 2703(f). This can be extended to up to six months. This should be long enough to get a subpoena for the required records. The government wants two years? Why not 20? Why not forever? I'd better stop typing before I give someone some ideas.

Look, if records exist, they will be subpoenaed, stolen, lost or hacked. We already have a pretty good balance of retaining records when we need them and getting rid of them when we don't. Let's not spoil a system that works unless we have clear evidence that it is failing.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

SecurityFocus columnist Mark D Rasch, JD, is a former head of the Justice Department's computer crime unit, and now serves as senior vice president and chief security counsel at Solutionary Inc.

Top three mobile application threats

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.