Thursday, September 29, 2016

Everything is logged, all the time

Assume everything you do is logged and can be accessed under the right conditions.
This is just how large computer systems work. You do something, the system takes an action, it logs the action it took. Those logs stay around for a while, to help with both diagnostics and repair. Without them, companies couldn't build or maintain large systems that span millions of devices. They couldn't detect and respond to security threats. The more reliable and high-performing the system, the more data it is likely to be logging, with more detail and more specificity.
The company may take privacy very seriously and protect those logs from improper access, but once the data is logged, the company has it, and as the article states, the government can compel companies to release it. And as a friend pointed out, that's only the company you're dealing with directly. Every web action involves a number of companies, all of which could be logging data about your actions.
This article claims that Apple should have disclosed the particular data they were logging. Maybe that would work for the article's author--a journalist who has reason to care deeply about such things--but we've all seen and ignored online Terms of Service. I think my last ToS and disclosure from Apple was 20 pages of small print, for some definition of print. Increasing that to 40 or 80 or 100 pages wouldn't help. Logging changes as engineers try to track down and fix problems, and the vast majority of users don't have the context to determine how the different pieces of logged data might be pieced together to create a larger picture.
So, just assume everything is logged. Remember that you're not operating a phone or computer by itself, but a piece of a large, highly connected system that spans continents and countries, one that records almost everything that happens, at least for a while, because those records are the nervous system and memory it needs to function.
And remember that system does not have the right to remain silent.

If your privacy needs are strict enough, learn how to protect your privacy yourself. Rather than hoping data won't be recorded, use less convenient tools that don't release the data in the first place. In the end, that will be far more effective than making sure you understand all the implications in a company's disclosures.

No comments: