Operation Bootstrap

Web Operations, Culture, Security & Startups.

Trying to Extend Audit Logging to Every Access Point, It's Doomed

| Comments

I read this article today about two new bills being introduced. Read the article for the details but here is a brief excerpt of the bill text:

“A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.”

The issue here is that it is both dangerous and impractical to ask every operator of a network access point (that could be wifi, mobile data, an ethernet port in a building) to keep audit logs of who was assigned what address for 2 years. I have not read the bills, so I have more questions than answers, but what data must be kept? In this day of personally identifiable information seeping out crevices all over the place why would we want more of it put in places which are absolutely, without a doubt, not in a position to protect that data?

Above and beyond the logistics of obtaining and storing this information, the idea that it’s being stored for access by local law enforcement is also troubling. I wonder what conditions allow the police to come and ask for the access logs from my personal wifi router for the last 2 years because a suspect might have been outside my house? And of course, the more frequent access to that data will be by criminals themselves – there is a lot of valuable data in there.

Internet service providers can already provide close proximity of address assignment. They generally know if an address was assigned to a residence, who had it, and how long. Businesses likewise may not keep data about their internal networks, but the public IP – which is typically the first thing law enforcement would have – will lead them right to the office steps in most cases. Internet service providers are in a much better position to protect this data and store it.

Also, what is my liability if I don’t store this data for 2 years? What if I have a disk failure, or my house burns down? Do I have to keep offsite backups? And what if I don’t know who they are? A hotel with a wifi network for example, may require a login and may not – now they must have every person provide sufficient information that they may be identified. And how do we know that information is accurate?

If I’m a criminal using a public network – especially if I know this law exists – why am I going to provide accurate data?

Laws like this should end careers for politicians, they are a waste of our money and time both if they pass and if they fail.