On 2018-04-26 15:59, Dave O'Reilly wrote:
> The absence of recommendations about log retention periods does not mean that
> recommendations about what to log are not useful. There are technical reasons
> why logging source port (and supporting recommendations) is a useful thing to
> do and this recommendation can be made without needing to give any
> consideration to the period for which those logs are retained. This question
> can be left to organisations to decide for themselves in the context of their
> national data protection obligations.

I disagree for a similar reason to that which Povl brought up.

A recommendation to log source ports risks being construed by implementors, operators and regulators as a technical necessity to log source ports, including for a long time (in fact, about 12-24 months as we've heard, or, as stated in the informational RFCs, at least 6 months). Practices which were already rejected by courts once (general data retention) could therefore be perpetuated through the technical route.

The only way for a court to re-establish its authority would be to basically re-draft RFCs itself, or go into a level of technical detail in its decisions that isn't appropriate. I don't think that's a useful job for a court to do at all, and I'm not very keen on the working group working on recommendations that contravene privacy decisions that have arisen from the careful assessment of courts over close to a decade on the merits of logging identifiers. It'd be backdoor politicking.

best regards,

Amelia

> daveor

--
Amelia Andersdotter
Technical Consultant, Digital Programme
ARTICLE19
www.article19.org
PGP: 3D5D B6CA B852 B988 055A 6A6F FEF1 C294 B4E8 0B55
