Slashdot Mirror


Apache Gets Big Brother Award In Germany

nomis writes: "Our favourite Webserver got one more award: the German issue of the Big Brother award, which blames privacy problems and tries to enforce a public discussion on this topic. The reason is the (from a technical point of view) unnecessary logging of various information (IP number etc.). The reasons for the award are described in German here. Basically the ability to log various information provokes user tracking and abuse of the collected data. I think they have a point. At least the default configuration should log sparsely..." Interesting point.


  1. Responsible Logging... how about /privacy.txt by Anomalous Ovum · Score: 3

    In this day, singling out any single web server product that logs IP information by default -- when they all do -- carries the flavor of provocative shotgun whining. Picking on a product to call attention to a more general issue has a superior hype response payoff; your targeting of a popular product gains better news coverage and attracts more response traffic, as loyal customers speak out in its "defense."

    Your server is your home and castle, your visitors are your guests. To get static pages and content they may only need to get past the moat; but if you run CGI, your front door is wide open and you must keep watch over them to make sure they stay out of the fridge and don't wander into the bedrooms.

    If you put up an Internet web server, it is irresponsible not to log IP addresses. In server context, IP addresses are not people, they are merely "source vectors." Only when you serve and log cookies does that context approach the person-level -- but even then you're still logging browsers, not people.

    During a transaction IP address will always be known. A log file is merely a form of persistent memory that extends beyond that moment. Therefore the real issue is not whether to log, but how long it is retained.

    If anonymity is declared as part of the service you are providing, it's easy to see that you start to cross the line if you write anything but summary stats to disk.

    But for all other uses, it is good practice to keep logs around for at least one "blink cycle", twice the window of time in which you regularly attend to the server. For most of us this is the time of day when we sleep; let's be conservative and declare it to be a full 24 hours. If you awake and discover a problem, you expect to have on hand enough information to identify what, how and why even if who does not matter.

    Beyond the blink cycle, at issue is how often you rotate, how many rotations you keep -- and if you include logs in your regular system backups, the timespan until you scratch them.

    Internet activists regularly watch for legislation that unfairly targets the Internet medium, for crimes that are already covered by common law. In that sense, the IP logging issue is already addressed by an emerging "Internet common law" -- the "privacy statement". The idea is not to clamp down absurdly on information gathering practices that have real use and purpose, but to offer a convention where visitors are clearly informed of what information is collected so they can make their own judgement.
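The comment above argues that the real questions are what gets written to disk (full addresses versus summary stats) and how long it is retained (at least one 24-hour "blink cycle"). The following is an added example, not code from the commenter, from Slashdot or from the Apache project: it parses Apache Common Log Format lines, masks each client address to its network (/24 for IPv4, /48 for IPv6) so that the exact source is never kept, holds per-request detail only inside a retention window, and collapses anything older into status-class counts. The log lines, the `SAMPLE_NOW` reference time and the prefix lengths are constructed for illustration.

```python
"""Privacy-preserving handling of Apache access logs (hypothetical example).

Strategy, following the retention argument in the comment above:
  * parse Common Log Format (host ident authuser [date] "request" status bytes)
  * mask the client address to a network prefix instead of storing it whole
  * keep per-request detail for one retention window ("blink cycle")
  * reduce anything older to summary statistics only
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache Common Log Format; the request field is quoted, size may be "-".
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample lines (RFC 5737 / RFC 3849 documentation addresses);
# the last line is deliberately malformed to exercise the parser.
SAMPLE_LOG = """\
192.0.2.17 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
192.0.2.44 - - [10/Oct/2000:13:57:01 -0700] "GET /cgi-bin/search?q=x HTTP/1.0" 200 512
2001:db8:1234:5678::1 - - [10/Oct/2000:14:02:10 -0700] "GET /index.html HTTP/1.0" 304 -
198.51.100.9 - - [09/Oct/2000:02:00:00 -0700] "POST /cgi-bin/form HTTP/1.0" 500 88
not a log line
"""

# Constructed "current time" so the example is deterministic offline.
SAMPLE_NOW = datetime(2000, 10, 10, 15, 0, 0, tzinfo=timezone(timedelta(hours=-7)))

# Assumed prefix lengths: enough to see which network a request came from,
# not enough to single out one host.
IPV4_PREFIX = 24
IPV6_PREFIX = 48


def mask_ip(host):
    """Return the network containing `host`, or "invalid" if it is not an IP."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "invalid"
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "host": m.group("host"),
        "time": ts,
        "request": m.group("request"),
        "status": int(m.group("status")),
    }


def process(text=SAMPLE_LOG, now=SAMPLE_NOW, retention=timedelta(hours=24)):
    """Split log text into (recent detail with masked hosts, summary of older rows).

    Detail rows never carry the full client address; rows older than
    `retention` survive only as a Counter keyed by HTTP status class.
    """
    detail = []
    summary = Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable lines are dropped rather than stored raw
        entry["host"] = mask_ip(entry["host"])
        if now - entry["time"] <= retention:
            detail.append(entry)
        else:
            summary[entry["status"] // 100 * 100] += 1
    return detail, summary


if __name__ == "__main__":
    recent, older = process()
    for row in recent:
        print(row["time"].isoformat(), row["host"], row["status"], row["request"])
    print("older than one blink cycle, by status class:", dict(older))
```

In practice the masking would run in the log pipeline before anything touches disk (a piped logger or a post-rotation step), and the retention window would match the rotation schedule the comment describes; the script shows the two policies as plain functions so they can be tested in isolation.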