Logs… We will never get rid of them! It’s a pain to manage them from a technical point of view but collecting events and using them can also introduce more issues in companies… from a legal point of view! Tonight, an ISACA Belgium Chapter meeting was organised within the context of the Open Privacy Forum. If log management remains a hot topic, the legal issues could become a real nightmare compared to the technical ones. The speaker was a lawyer, Johan Vandendriessche. He gave a very good overview of the (Belgian) law regarding our privacy with logs.
[Note: I'm not a lawyer and laws are complex. I'll just give some facts grabbed during the meeting. Please use them "as is"]
First of all, the problematic of privacy must be addressed way before the deployment of a technical solution. Why? The way logs will be stored and processed may require some specific technical features. The first question to ask yourself is “Which log do I need?“. We can use logs for statistics or security purposes. Take as example an Apache event:
x.x.x.x:52772 - - [20/Feb/2014:23:00:05 +0100] "GET / HTTP/1.1" 200 18905 "-" "NewsBlur Page Fetcher - 3 subscribers - http://www.newszeit.com/site/59364/devrandom (Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_1) AppleWebKit/534.48.3 (KHTML, like Gecko) Version/5.1 Safari/534.48.3)"
The Referer, User-Agent and HTTP code and object size are very useful for statistic purposes. And, from a security perspective, we have the source IP address, the source port. Depending on the future usage that we will make of this event, we can drop some information or anonimize it. We are facing here a dilemna: If the law says that we are authorized to log only useful events, more and more companies tend to store a huge amount of events for forensics reasons or behavioral monitoring. The golden rule is always the same: If you keep logs, it must be for a (good) technical reason like ensuring that the network has good performances. They cannot be used to track people.
Then comes the second question: “Does this log contain PII?” (“Personal Identifiable Information“). PII is a very large topic! Even if the identification of a person is not immediate, some information are considered as private. A good example is a car plate. IP addresses were also considered as PII in recent cases! Here a some facts to keep in mind about logs:
- The scope of logging must be cleary defined. What is the nature of the data? A “data controller” (the person responsible of the data stored) must be able to justify the choices.
- Logs cannot be used to track employees but people must be aware that their tracks are covered (how and where)
- Access to the logs must be restricted to authorized people only. Access to logs must generate… a new log!
- Some logs are mandatory for legal or business reasons
- Proper controls must be implemented to protect your logs. In this case, the principle of “due care” applies. Companies must implement appropriate controls to protect their logs.
- Can we re-use old logs (archived) for processing? Yes if the purpose of the search is compatible to the original one.
Many questions were asked during the presentation, which proves that it’s a hot topic. But it also demonstrated that lot of grey zones remain. A last tip: Before processing logs with private data, ask for some help from the legal department of your company!