There's a temptation, when you run an online service, to keep your logs forever. Storing text is cheap and easy, so why not? Well, if you're storing the personally identifying info of your users, you risk compromising their privacy in the event of a hack-attack, a lawsuit, or a PATRIOT-style sleazeball no-due-process investigation. EFF has produced a white paper with many recommendations for online service providers who want to log enough data to troubleshoot tech problems, but not so much that they risk their users' privacy.
As an intermediary, the Online Service Provider finds itself in a position to collect and store detailed information about its users and their online activities that may be of great interest to third parties. The USA PATRIOT Act also provides the government with expanded powers to request this information. As a result, OSP owners must deal with requests from law enforcement and lawyers to hand over private user information and logs. Yet, compliance with these demands takes away from an OSP's goal of providing users with reliable, secure network services. In this paper, EFF offers some suggestions, both legal and technical, for best practices that balance the needs of OSPs and their users' privacy and civil liberties.