Slashdot
Internet Usage Records Accessible Under FOI Laws
from the data-shadow dept.
The records in question are log files created by the schools' proxy servers of what URLs are accessed by the student body. The school district in question isn't censoring Internet access with any sort of censorware product (they use teachers to monitor what students are accessing), and the parent would like to prove that the students are accessing porn sites. I do not believe it is an invasion of privacy to access these records; if there was an invasion of privacy, it occurred when the school district collected the records on their students, not when someone else requested to see them.
Some comments of mine that didn't make it into the Times article: I hope that this situation casts some light on Internet usage at public facilities. Many, many Internet services are set up to create detailed log files by default -- proxy servers, Web servers, various login mechanisms and authentication mechanisms, etc. These records are being collected, and they are just lying around on machines or tape backups here and there, and they are, if the entity that collected them is a public entity, public records accessible under FOI laws. If you want to prove that your local school/library shouldn't be censoring the Internet, request the records. (I'll help! E-mail me.) If you want to prove that your local school/library should be censoring the Internet, well, I won't help, but I still support your right to get access to public files.
And while this situation is about records collected by public entities, the same records are routinely collected by private entities as well. Is your Web access going through a proxy server at your ISP? (The answer is more likely to be "yes" than "no," by the way -- a proxy can be installed that is transparent to the end-user.) Then your ISP is collecting detailed records of every single URL you access through their service. How long are these records being retained? Who is the ISP selling them to? Do you know?
Several issues here, but ruling is IMO right (Score:3)
Also note that the judge specifically balanced the privacy of the students *AND* faculty vs the state's right to know law, and said that a program can be used to strip out all identifiable information: the guy is only going to get a list of sites that were visited by the school system, so privacy *is* protected. If he wanted to go one step farther and find out who visited whitehouse.com, for example, he would then probably have another court battle to face, and given the expressed interest of the privacy of the students *AND* faculty, he probably wouldn't get it. In any case, all this guy wants is evidence that children visited explicit sites such that he can fight for mandatory filtering.
This is a PUBLIC institution, and therefore was not exempt from the public right-to-know law. Some here appear to be worried that it will extend to ISPs and whatnot. But those are for the most part private institutions, and therefore do not have to respond to public requests like this. The only way such log files will be revealed to third parties is if they are subpoenaed.
Some are trying to compare a real world example, and the best way to think of this result is that if I wanted information from a public library on its lending records, all I can expect as a public citizen is a list of books and how many times they were checked out. I would not expect to be able to trace back who borrowed a specific book without further legal action.
This does create an interesting situation for those in public colleges however. Yes, I would expect that a similar challenge on log files will give a similar result (only getting the list of sites, not names and such), but this is college, and I would expect to see a more diverse list. May be something to watch for.
And there is a good point on pg 2 of the Times version: if this decision is held throughout its challenge, then groups like Peacefire can easily get information on real-world lists of sites that were blocked if filters become mandated, and thus fight for removing such filters or emphasizing more public input into better filters.
Re:That's where it starts... (Score:3)
Re:But where is the legal interest (Score:3)
Is this really an invasion... (Score:3)
Mind you, I don't want this kind of thing getting into the hands of bookburners, as would be the case here. But I'm not sure there's anything illegal about his request.
----------
Re:IHLF (Score:3)
Lawyer in court: On this day, [insert date], you downloaded 150 pictures from www.kinkysex.com ...
A related story: Traffic cameras (Score:3)
DelDOT has traffic cameras [deldot.net] all over the state of Delaware. Once while checking out the traffic on I-95 I saw the camera zoomed in on an accident scene. I asked a friend in DelDOT if they recorded the video camera images. He said they absolutely DO NOT do this. One can't subpoena something that doesn't exist nor ever existed.
There's a lesson I learned from that.
What are your current backup tape retention policies? Do you just keep a few generations or do you stash long-term archival copies somewhere? If so, for what purpose? Will they come back to haunt you, your users, YOUR COMPANY, later?
The problem here is that seldom are there laws or regs saying stuff must be recorded, backed up, etc. But if they happen to have been, then they are open game for subpoenas and if applicable FOI requests.
Uhh, one other point! (Score:3)
These are just a few of the possible URLs. Also remember that POST and GET requests are logged too, so even if it doesn't show up in the URL, it's still logged. It would not be hard at all to imagine someone collecting all of the records from around the country and doing a quick search to find where a particular "username" lives. Sure, not everyone is a student, but the internet is ATM mostly kids.
Me? I use an HTTPS proxy to encrypt everything I send, so I'm ok. But most students have no way of knowing such a thing exists, and recreational browsing at schools is a must in today's society.
Re:Why is this under 'privacy'? (Score:3)
"a record without revealing confidential information, such as an individual student's name, user name or password"
So, only the internet addresses (whether they be DNS or IP addresses) were given, not userids, passwords, or, most importantly, real names.
Unless, of course, the script produces also the client IP of each computer and the time of request, and the parent has some way/document of matching J. Random Student to J. Random Computer at a given time. Unless he has these three pieces of information, that information he received is not very useful in regards to tracking students.
If I were that school, this is how I would give him the data: I would give him a list of only each place the student, by IP address only. Thus, he would have a huge listing of:
143.23.145.165
135.204.65.1
208.123.5.143
etc, etc. It's that the bare minimum they have to comply? Or, even better, hex encode it, and give it to him as:
1A.0B.AA.F8
5B.CA.64.03
etc, etc. I mean, that is a completely valid method of writing IP addresses down.
I mean, true, now the school *has* to comply. Doesn't mean that they have to make it easy.
Cool! (Score:3)
I wonder... if it's mandated that schools and libraries use a censorware product, could you demand the list of sites the product bans under the same act?
Re:Why is this under 'privacy'? (Score:3)
If I walk on the street, for instance, I don't expect a camera somewhere spying everything I do, and then giving that information to anyone. So, yes, this is, IMHO, a privacy issue.
While you may not expect this, the law stated explicitly that in this case you have no legal expectation of privacy on a public street. Thus, if you are videotaped or audio recorded by police doing an illegal activity, it is admissible as evidence in court. This even extends to private property for public use (like a mall, or a restaurant). However, in your home, police must have a judge sign off on the taping for it to be admissible evidence.
IANAL
Intelligent decision making? (Score:3)
Call me foolish, but I am not as upset after reading about the ruling of the judge. By ruling that identifying information about users be removed from the logs before they are turned over, he's protecting personal privacy and obeying the FOI Act.
When this father's crusade is said and done, I believe he's going to find nothing that justifies his censorware. In fact, he's probably going to create another problem. He's going to find some consistent evening or early morning "dirty" surfing going on - there's going to be a scandal over which faculty member or administrator (or stupid sysadmin who forgot to remove that from the logs) visits the sites and the censorware will be forgotten or the shouts of "family values!"
Someone else will step forward with information about how screwed up filtering software is (not only ethically, but even under its own standards, by blocking political or innocuous info). And maybe, just maybe, enough people will admit that they too, have surfed for porn, and that maybe this is all ridiculous.
I'm not pushing a transparency critique here, I'm just acknowledging that once some info escapes through a crack in the dam, it's only a matter of time before it breaks and intelligent and relevant decisions can be made.
Besides this is Vermont. We get this guy some Ben and Jerry's and we'll have no problem!
IHLF (Score:3)
Re:Internet Proxy (Score:3)
I think we are forgetting something (Score:3)
You could be able to find what students are searching for (because it is included in the URL of search engines), possibly find out who the kids are (username for sites that send with URL), and intercept "private" messages that COULD be sent over the URL.
Has anyone heard whether or not the logs include the page they viewed?
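The concern raised in the comment above (search terms and user names riding along inside logged URLs) is why stripping only the client columns is not enough. As an added example that is not part of the original thread, this Python sketch reduces a proxy log to per-host request counts before release; the Squid-style log layout, the sample lines and the function names are constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout (an assumption;
# the thread does not say which proxy software the schools ran). Fields:
# time elapsed client action/code bytes method URL ident hierarchy type
SAMPLE_LOG = """\
957182400.101 120 10.1.4.17 TCP_MISS/200 5120 GET http://search.example.com/find?q=jane+doe+home+address jdoe DIRECT/192.0.2.10 text/html
957182460.552 80 10.1.4.17 TCP_MISS/200 2048 GET http://mail.example.net/inbox/jdoe/msg42 jdoe DIRECT/192.0.2.20 text/html
957182520.300 95 10.1.9.3 TCP_HIT/200 900 GET http://user:secret@news.example.org:8080/today - NONE/- text/html
957182580.010 60 10.1.9.3 TCP_MISS/200 300 CONNECT shop.example.com:443 - DIRECT/192.0.2.30 -
957182640.999 10 10.1.2.2 TCP_MISS/200 700 GET http://SEARCH.example.com/find?q=weather - DIRECT/192.0.2.10 text/html
this line is truncated
"""


def host_only(url):
    """Return the lower-cased host only: no userinfo, port, path or query."""
    if "://" not in url:      # CONNECT entries are logged as bare "host:port"
        url = "//" + url
    try:
        return urlsplit(url).hostname
    except ValueError:        # e.g. malformed IPv6 literal
        return None


def redact(log_text):
    """Reduce a log to {host: request count}; also count unparseable lines.

    Client IP, ident (user name) and timestamp are dropped entirely, since a
    client address plus a time is enough to match a request to a person.
    """
    counts, rejected = Counter(), 0
    for line in log_text.splitlines():
        fields = line.split()
        host = host_only(fields[6]) if len(fields) >= 10 else None
        if host:
            counts[host] += 1
        else:
            rejected += 1     # never pass a line through unredacted
    return counts, rejected


def render(counts):
    """Releasable text: one 'count<TAB>host' line per host, sorted by host."""
    return "\n".join(f"{n}\t{h}" for h, n in sorted(counts.items()))


if __name__ == "__main__":
    counts, rejected = redact(SAMPLE_LOG)
    print(render(counts))
    print(f"# {rejected} line(s) rejected")
```

Aggregating to host counts also removes per-request ordering, so a sequence of visits cannot be read back as one person's session.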
Re:Why is this under 'privacy'? (Score:3)
I think that we're fighting the wrong fight here. If the technology exists to collect such information, it will be used, and it will be susceptible to abuse. That's pretty clear from the history of technology. The only question will be, who gets to abuse it? By fighting for less disclosure, we are essentially tying our own hands when we have need to root out abuses by those in power.
David Brin makes this issue his central argument in "The Transparent Society" which was published a couple of years ago. It's a must read for anyone interested in privacy issues, IMHO, just to get an out-of-the-box take on the problems. What he says, essentially, is that the more you attempt to lock down information, the more susceptible it is to undetected abuse by those who do control it. And with data collection technologies becoming less and less obtrusive, soon there will be no way to know that it's happening at all--unless we can create a meme that will call for _more_ disclosure, not less. The solution is not to try to lock away public (or in some cases even private) records, but to make them more accessible to everyone. In essence, what he says is that it's more valuable to open everything up to everyone (providing a sort of check and balance environment) than it is to restrict knowledge to a few who may abuse it with impunity, protected by those same privacy laws. He does not state, but I believe that it is implied, that we really only have a brief window of time to accomplish this, before we lock things down to such an extent that recovering such freedoms becomes problematic.
Not everyone will buy this--I'm not sure I do completely--but it's certainly worth considering the un-intended consequences of reactionary calls for secrecy.
Re:Requesting info (Score:3)
Start with the school district office (not the school site office, necessarily -- they probably won't have a clue what you're talking about). Generally, one person at the district office is in charge of public relations/public information. That person may be the superintendent or the responsibility may lie (pun intended) with a director of public relations or some similar title.
Tell your contact you want to make a request for public records under the Freedom of Information Act (FOIA). There may be paperwork and a fee for document reproduction involved, which will vary from district to district. Depending on the district, your liaison will contact the appropriate staff person to obtain the logs, or may refer you to her directly.
If the district resists your request, you now have precedent (at least in New Hampshire) in your favor. Have a good time!
Re:Why is this under 'privacy'? (Score:4)
pisses me off. Slashdot's forum is a public place. Anything you say here can be quoted as if you yelled it on the streets of Miami. That is the result of public expression.
Quoting, or more properly, citation, is covered under fair use. Look it up [templetons.com] at Brad Templeton's site: Myth 4, third paragraph:
Fair use is almost always a short excerpt and almost always attributed. (One should not use more of the work than is necessary to make the commentary). It should not harm the commercial value of the work -- in the sense of people no longer needing to buy it (which is another reason why reproduction of the entire work is generally forbidden.)
Also, by simple act of posting my comments here on Slashdot, I obviously implicitly allow copying of my content for the purpose of conducting a discussion on Slashdot. This includes viewing, printing, quoting, and all other uses necessary to have a discussion here on this site. Copyright law explicitly protects such uses.
Use of my text outside of Slashdot, for example in a book published by Andover, or on a Best Of Slashdot CD-ROM, or in other places or for purposes other than discussion here on Slashdot requires a license. That is, I have to explicitly grant you the right to use my words.
Copyright does not cover names, trademark law does that.
Copyright does not cover ideas, patent law does that.
So if you like what I write, but I would not grant you a license to use my words, you could always phrase the ideas I convey in your own words, or express them differently (i.e. using no words at all). That should be different enough in order not to qualify as a derived work, though.
And finally, when asked, I usually grant the license to use my words for free - completely, unaltered and with correct attribution as well as a pointer to my homepage. I do like to get 1-3 free reference exemplars of printed matter, and pointers to the sites where my words are hosted. Also, I will not grant license to use my words for free, if you sell them. If you make a living by selling my words and my works, I demand a sensible share of that money.
If you want to read my words, and my works, please go to my homepage. You find it at http://www.koehntopp.de/kris [koehntopp.de]. I keep freely accessible online copies of everything I have written and deemed useful, whether sold or not. I make my contracts in such ways that I can maintain this website with my works so that you can access all my published articles [koehntopp.de] and USENET posts [koehntopp.de] as well as my [linuxdoc.org] open [netuse.de] source [php.net] projects [koehntopp.de].
Copyright law may be not an ideal solution, and may be an annoyance sometimes. But there is (or at least was at some point in time) reason behind it and used sensibly and nonoffensively, it can be actually useful to protect the interests of the public as well as the interests of the author. Just try to think, and use Google, before you flame.
© Copyright 2000 Kristian Köhntopp [slashdot.org]
That's where it starts... (Score:4)
Just because someone hasn't reached the age of majority doesn't give anyone the right to traipse through records stripping them of any dignity or privacy.
The next argument will be: Well why should we stop just because they've reached the age of majority?
If it's not tied to an individual person, what's the point? The school can also run the list through the IP filter to remove all traces of "unapproved sites" which might have been hit by who knows who?
Major snoops and people who are that invasive about information use should be deprived from it for the very reason that they asked for it!
Requesting info (Score:4)
Why is this under 'privacy'? (Score:4)
Re:Why is this under 'privacy'? (Score:4)
Nobody expects the Spanish Inquisition!
Try looking up a bit more often. You're going to be shocked at how often you are on camera these days.
Re:Why is this under 'privacy'? (Score:5)
In Germany, the supreme court has ruled that if a basic right can only be exercised in a way that the person exercising this right would feel monitored, threatened or otherwise limited while exercising that particular basic right in such a way that that person may decide not to exercise that basic right at all, then this is identical to an illegal takeaway of such a basic right and therefore illegal.
In the above library scenario that would mean: If you are using a public information terminal to exercise your right as an adult to browse arbitrary information sources and you must fear that your browsing history is being monitored and may perhaps be used against you, then this would be an illegal takeaway of your basic right to free and unhindered access to public information. It may be okay or even necessary to monitor the internet connection of minors (judges are still out on this issue in Germany), but it is clearly illegal to do such a thing on a public terminal when an adult is using that terminal.
© Copyright 2000 Kristian Köhntopp [slashdot.org]
But where is the legal interest (Score:5)
So in the end this where law and public policy are mismatched to the Net? Why you ask? Well in this case it's not much different than protesting outside of a family planning clinic. The law states that protests have to be a certain distance from the front door so that people going are not only physically prohibited but also that they are not subject to undue emotional stress, verbal abuse, etc. In the case here there is no physical separation so what we have in effect is a protest or vigil that has a chilling effect on using a facility without the protection from figuratively blocking the door.
So the question you have to ask yourself is, is this challenge really about filtering software or is this challenge about using the facility at all. It would be interesting from a legal perspective to see whether this gentleman could be successfully prosecuted if he ever published any identifiable information on minors who access the Net. That is, let's say he is collecting this information in order to pressure the school or the students by publishing the names or addresses of sites they visit. If he refers to any identifiable attribute of a minor's access, say, first initial last name could he be prosecuted under a law that bars divulging any information about minors without their guardians' consent?
Re:As a parent (Score:5)
Thing the first: The guy's children are _not at that school_, and he is requesting the log files for all of the children in the school. He does not have responsibility for any of those kids.
Thing the second: You might have the legal right to go through your daughter's drawers. But I'm not convinced that you have the moral right. Why shouldn't she have the same right to privacy as you? I don't believe your "responsibility" for someone's upbringing suddenly gives you the right to go through their personal stuff.
sounds like a marketer's dream (Score:5)