Tuesday, February 14, 2006

I wonder if the U.S. Congress keeps backups

I just learned about an article in News.com that tells of a bill introduced to the U.S. Congress requiring every web site operator to delete information about visitors if the data is no longer required for legitimate business purposes.

I guess Congress hasn't learned anything about its own nature from the CAN-SPAM law. That, or our Congresspeople have such high opinions of themselves that they think they have a grasp of the technology they're dealing with. How else can you explain how such a stupid idea could threaten to become law?

I suppose it might reduce identity theft (the intended goal), if there weren't already so many ways information is kept "for legitimate business purposes." But look at some of the ways such a law might impact the Internet.

First, remember this is a U.S.-only law we're talking about. So, data accumulated by web site operators outside the U.S. would be exempt from the law. Result: a whole bunch of businesses can save themselves a lot of heartache by moving their sites to offshore web hosts, and domestic web hosts, already steeply competing for business, will face possible extinction.

I've seen it said that web server logs, which contain host-identifying information such as IP addresses and machine names, may be forced to become self-editing to remove that information. Without the identifying information in web server logs, security professionals would no longer have an important tool in tracing the origins of attacks.

Sites that accept feedback from participants, such as blogs, forums/bulletin boards, or chat systems, will be greatly impacted, since they will no longer be allowed to associate a name to an e-mail address (or likely even be permitted to display either one). Assuming they even could, they would then have to have all of these services heavily moderated to prevent the display of proscribed information.

And if the web sites can't hold all of this information, what does that say about the backup tapes for these sites? When the data is no longer needed for "legitimate business purposes" it must be deleted from the sites. Shouldn't that mean the data must be removed from the backups as well?

Then there are the webmail systems, which are expected to maintain personal communications for eventual display/delivery via the browser. How can one possibly separate personal identifying information from e-mail data being stored for delivery on a web site? Ban webmail?

Okay, maybe some of these examples are extreme, but it would take a lawyer to figure out what behavior is allowed and what behavior is not. If this bill is allowed to become law, you can pretty well say goodbye to the American web site, and with that comes the eventual demise of the Internet - not from overuse, but from disuse!

On the other hand, if American politicians can't keep from creating Internet policy, maybe we'd be better off letting it die!
