The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Friday, November 05, 2004
The Electronic Frontier Foundation (EFF) has released a document entitled Best Practices for Online Service Providers. In response to Online Service Providers (OSPs) being continually subjected to subpoenas and warrants for log files, EFF argues that unless there is a legislated or regulatory need to archive data, OSPs should not keep any user info they don't need.
Best Practices for Online Service Providers: "...The best way to protect against the risk of log artifacts on disk is to never create any user logs in the first place. This is the ideal and safest solution even though it is often impractical. By reconfiguring the logging preferences in server applications, one can easily change the log level to record nothing about network events. But for most OSPs, these logs are necessary for network troubleshooting and security precautions. This is also virtually impossible for large, for-profit providers that need to maintain billing and subscriber contact information. Thus, the best tactic for an OSP is to come up with a safe and sane network policy in which logs are retained for the shortest possible time..."
Under Canadian privacy laws (at least until retention requirements are imposed under lawful access guidelines), ISPs/OSPs should only be collecting information for reasonable purposes and keeping it only as long as is reasonably necessary for the purposes for which it was collected. I know of at least one ISP that keeps their log files indefinitely because they enjoy their friendly relationship with law enforcement. They still require a warrant, but the cops know that it is all kept. Some organizations want to minimise the muss and fuss of being dragged into court and asked to provide user info. If they simply don't have the info that is being sought, they say so and avoid the issue. (This issue has also come to the fore in public libraries, where privacy-aware librarians have changed practices to delete the history of borrowers after books are returned undamaged.)
Thanks to the ever-informative, always useful BeSpacific for the link.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.