Melissa Ngo comments on the DOJ’s attempt to get the IP addresses of Twitter users involved in the WikiLeaks investigation:
Web sites, such as Twitter, can easily collect IP addresses. The best protection would be for the web sites to expunge the data after a short period, as news site Indymedia.us showed in a 2009 case. In January 2009, U.S. attorneys issued a subpoena to Indymedia.us for “all IP traffic to and from www.indymedia.us” for June 25, 2008. This could have identified all the site’s visitors — every person who read a single story on the news site. However, the subpoena was withdrawn, says site administrator Kristina Clair, because Indymedia.us deletes the IP address info it gathers after five weeks. Because the site did not keep long-term logs of its visitors’ IP addresses, Indymedia.us was able to protect its readers.
I’ve said it before: If companies don’t keep personal data on their customers beyond the time necessary to complete a transaction, then there would be little trouble protecting that data from prying eyes of government, hackers, or others.
To which I say, “Amen!” I have repeatedly argued for shorter retention periods for IPs and other data. With Data Privacy Day coming up later this month, wouldn’t this be a great time for your organization to consider whether it really is retaining more data than it absolutely needs to? One of the reasons I love the email service I use, Cotse.net, is because of its log retention policy. People can’t get my data if they’re not retained. Now if we could just get the major social media sites to also purge log data quickly…
Read Melissa’s full commentary on Privacy Lives.