Comment Problems? (Score 1) 119
So, this presents some challenges to me.
I'm one of the co-founders of WonderProxy (https://wonderproxy.com), running a global proxy network you might imagine that we have a fair large log set. Our billing process involves pulling those logs into a central location, parsing out the information billing cares about (customer & amount transferred) and recording that in aggregate. We store the raw log files in the raw form for some period of time to comply with any sort of warrant from law enforcement (our goal isn't to be an anonymous proxy), then delete them.
We've deliberately avoided storing the details we have about traffic in any sort of a searchable form. We don't care unless something comes up, and as a general rule we don't think it's any of our business. So this is information about a customer we do possess, but also information that we've deliberately avoided making easy to access. To grab it we'd eschew all our UI tools, drop to a command line, and start uncompromising raw logs, then dropping in with grep or something to filter the user. Then another manual pass to make sure we haven't accidentally included a line from a different customer. For a customer who has only paid us $15 we're going to lose money once we comply.
Then there's our webserver logs. If someone logged in, we can technically deduce what requests are associated with that user, but the apache logs don't store that in a nice easy to read format. We'd probably need to correlate a bunch of different systems in ways we've never done before (because we don't care who loaded main.css on Tuesday the 4th at 16:22:32) to ensure we've handed everything over.
This is of course assuming that we're required to comply. We're a Canadian corporation, federally registered, all that fun stuff. But we do have servers in the US, even ones in California. Of course, getting an answer from our lawyer on whether or not we're required to comply would also cost well more than $15, and that's before we've started trying.
Then there's more privileged information. Internally calculated fraud scores, internal customer notes ("these people never pay on time", "serious PITA, don't give a discount", "Super nice") which is also information we have on a customer, but generally something we'd rather not share.
As a user of the web, I like this idea. As a provider of services the cost of compliance scares me.