Friday, March 2, 2007

More Pressure for Data Retention from Washington

According to this article from CNET, the Department of Justice is pushing for more data retention from Internet service providers. The purported justifications for this new push are combating child pornography and (of course) anti-terrorism. The problem (or one of them) with this is that longer and more extensive data retention is, from a security standpoint, a policy that should be discouraged, not mandated. For example, section 3.1 of the Payment Card Industry Data Security Standard (available here, though you have to agree to a license) mandates that as little cardholder data as possible be retained, since the more data is retained, the more data could potentially be stolen and/or used for unauthorized purposes. Whether such concerns will have any impact at all in Washington remains to be seen, but they indicate that the more involvement the government has in determining data retention policies, the more potential risks consumers will face.

