Caching

Is All Caching Legal?

The ISP-Caching list discusses logging a customer's surfing habits.

[February 17, 2000]

On the ISP-Caching list in January, CJ posted this question about the legality of operating a specific caching system:

"One of our engineers recently told me that operating an ICS in our facility without the knowledge of the customers is potentially illegal if it logs the person's destinations, login ID and password, and even cookie information. Our systems administrator says we must have a disclaimer in our contracts and policies that states we will be using this cache engine. Is this fact or fiction?"

One respondent questioned whether the caching system could actually track that kind of data:

[Cary wrote] "I am not aware of any caching system that logs customer information. Although any caching system may store some customer information as part of the system operation, I don't think there is liability if that information is only used to facilitate system operation."

Another likened caching to standard systems logging:

[CEB opined] "Since when is this any different than any other system logs? There are various restrictions on what the data can be used for, but treating the logs the way you would treat customers' email - for systems operations only - falls under proper execution of one's job."

One respondent pointed out that, legalities aside, maintaining proxy logs may be a good idea:

[BS wrote] "I don't think keeping a proxy log is required legally, but you sure end up looking stupid if you don't. We opted not to keep the logs because they can grow to huge proportions extremely fast. But the police have been in here investigating the use of our network to perform certain illegal acts and we're unable to identify the customer account used for these transactions because we didn't keep a proxy log."

Which prompted another respondent to share his solution to the information storage problem:

[SC wrote] "We have the logs uploaded to a local server every six hours from our cacheflows and then get rid of everything but 'post' logs, so we have the records of who posted what information where."

A number of respondents commented on the issue of disclaimers about data collection:

[TJ weighed in with this point] "Ethically, you should tell your customers that they are going through a cache. Explain why (better web experience, etc.) and that some information may be logged in order to make sure the server runs at the highest efficiency level."

And at least one respondent suggested consulting a more knowledgeable source:

[DS wrote] "I think the cache collecting data is fine, but what you do with the data is the issue. Consult an Internet attorney about this."

—End