[Imc-communication] PROPOSAL: New Principle of Unity for IMC network - IP Logging

Daniel P dannyp at indypgh.org
Wed Oct 19 13:43:58 PDT 2005


There is a broader concern as to what this exactly means - currently, my 
understanding of the PoU is that it is a draft document and each IMC 
"responds" to it when it goes through the new IMC process- usually by 
showing how their internal rules, regulations, or principles conform with 
the PoU draft.  My understanding is that IMCs have been allowed to reword, 
rephrase, or otherwise adapt the PoU draft to their specific locale.

So, it's not clear to me that changing the draft document is the same as 
having the IMCs adopt the principle verbatim.  So we should clarify what 
consensing on this proposal actually means- I think that what the proposal 
could be phrased to do is A. modify the draft and B. require that every 
IMC interpret and comply with the principle of unity, and then state their 
official "response" to the PoU in X number of months.

On Wed, 19 Oct 2005, hugh trevelyan wrote:
> 11. All IMCs shall be committed to protecting the privacy and anonymity
> of their users.  The logging of internet protocol (IP) information about users
> shall be kept to the minimum necessary to maintain control over the server
> (i.e. in the event of an attack).  In the event that logging is necessary,
> details of the logging shall be made publicly accessible, including duration
> of logging, what information was stored, and actions taken as a result of the
> logging.  Collectives are encouraged to have a public policy on IP logging.
> An example of such a policy can be found here:

My concerns with this are mainly technical.

"Internet protocol information" could be interpreted to include a lot of 
things, including things that are not the IP address of a machine that's 
connecting to the server.  I'm not certain whether this could foreseeably 
be a problem, but I think it would be better to phrase it with what we 
mean and state that information that could personally identify a user of
the website should not be recorded, and in the event that it needs to be 
recorded to ensure proper function of the server or in the event of 
accidental recording, the records should be destroyed as soon as possible.

I think it's great to have a privacy policy and to make it public so 
people know what degree of monitoring they may be subjected to by the 
folks running the server itself.  That being said, in the course of a tech 
working group creating logs for whatever reason, I do not feel they should 
have to announce the existence of said logs.  If there is some unavoidable 
reason why we must create logs, announcing their existence publicly does 
not seem to be prudent.

My fear is that if logs are created and kept for even 15 minutes before 
being destroyed, announcing that they exist and were then destroyed may 
open up the door for various law enforcement branches of various states to 
claim that the techs have willfully destroyed evidence in a potential 
investigation and seek criminal charges against folks from it.  I'm not 
comfortable enough with the laws of every state to say whether or not this 
is possible, but it seems plausible to me.  In the event that techs need 
to create logs for whatever reason, they should be destroyed as soon as 
possible and they shouldn't have to let the world - which includes law 
enforcement - know that at one point, the logs existed.

Forensic analysis is also an option, so the state may attempt to seize 
disks knowing that at one point they contained a log of value...

Daniel P
Pittsburgh Indymedia Volunteer



