Feeds

Websites could be required to retain visitor info

Even if it would break their privacy policies

Providing a secure and efficient Helpdesk

A series of legal events means that companies that have no business reason to retain documents or records may be compelled to create and retain such records just so they can become available for discovery.

Companies routinely create, maintain and store electronic records. Some records are consciously created – like memoranda, letters, spreadsheets, and even e-mails and chat or instant message communications. Other records are created inadvertently, like meta data, log records, IP history records and the like. Some information is useful to the company, and it wants to retain it, and other information is of little use, merely takes up space, creates potential liability, and represents an unwarranted threat for attack or violation of privacy. The problem for most companies in developing or maintaining a document retention/destruction policy is identifying the documents and records it wants to keep and effectively purging the ones it doesn't want. Some recent legal events have made the problem of document retention and destruction even more complicated.

A recent case involving file sharing site TorrentSpy illustrates the point. Torrentspy's privacy policy is clear and concise. It states:

TorrentSpy.com is committed to protecting your privacy. TorrentSpy.com does not sell, trade or rent your personal information to other companies. TorrentSpy.com will not collect any personal information about you except when you specifically and knowingly provide such information.

Pretty straightforward, and not too dissimilar from thousands of other website privacy policies. Such privacy policies are considered to be legally binding contracts, and the United States Federal Trade Commission, and Privacy Commissioners in Europe, Asia and other places routinely hold companies to their promises – under threat of civil and criminal prosecution or fines.

The first problem with this privacy policy – like most privacy policies – is that it's not true. Whenever you visit a website, you "involuntarily" provide "personal" information to the site operator – things like the type of browser you are using, your IP address, the physical location of that IP address, your configuration settings, and what website you may have been referred from or to, among other things.

If you are engaging in malicious, unlawful, or otherwise "actionable" conduct, the website operator may certainly attempt to use this information to identify you and discern what you are doing – the essence of "personal information". Indeed, much of what we do as forensic investigators is to use this kind of information to find people.

While net-savvy individuals know that this information is being collected and utilized, the vast majority of individuals would not say that they "specifically and knowingly" provided that information to the website. This information frequently has economic value to the website operator as well. Knowing what site referred the user may result in payments from or to the referring site under "pay per click" agreements.

Aggregated personal information is useful for advertisers, and valuable to those who collect it. So its not accurate to say that your website ONLY collects information that you voluntarily give them. A better approach to a privacy policy would include language similar to that used by, for example, Google, which specifically states:

Log information - When you use Google services, our servers automatically record information that your browser sends whenever you visit a website. These server logs may include information such as your web request, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser.

Some of this information is collected automatically as a consequence of delivering web content to the requestor. You would think that, in pursuance of its privacy policies, a company could choose not to collect or more accurately not to store or retain such information – after all, that's what they promised their customers, no?

Beginner's guide to SSL certificates

More from The Register

next story
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Zippy one-liners, broken promises: Doctor Who on the Orient Express
Series finally hits stride, but Clara's U-turn is baffling
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.