Old 2005-03-12, 04:21 PM   #8
raymor
Quote:
Originally Posted by RawAlex
Raymor, just a dumb question, but how much information are you LEGALLY allowed to collect from an end user about their computer before you have violated their right to privacy? Are things like the SN for their media player, nic card ID, etc acceptable to collect and retain? Do you have to disclose this to the end user?

Alex

Unfortunately the MAC address for the NIC isn't available unless the server
is on the same ISP as they are in the same facility and the same cage,
which would be a very rare case.
If there are routers between the two machines, which is almost
always the case, you'll see only an IP address and not a MAC address.
Thus in the general case you don't have any specific identifying information.
Without a cookie at least, the best you can do is categorize the
connections in certain ways. For example you can say that this particular
connection came from a Win98 SE user running a 3 year old browser called IE 6
whose clock is off by about 4 minutes, they have Excel installed
but not Acrobat Reader, and they logged in as "joebob".
The best identifier is the username that
they gave you specifically to let you identify them.
The other information, such as operating system,
identifies only a class of machines, not a
particular machine or user.
Of course one could also offer a cookie at
signup time and if the user chooses to
give you that cookie info back you'd be able to
associate it with the sign info they gave you.

I never finished law school, but as far as I'm aware
there are no laws about keeping logs of what
types of operating systems etc. have used your site.
Personally identifiable information such
as name and phone number can't be collected
from those under 13 years of age without parental
consent in the US. Otherwise if they choose
to give you that info I don't know of any laws
against keeping the info around.

Strongbox primarily uses passive data collection.
It only analyzes information that the user offers
as opposed to seeking out information (except for requesting the user/pass).
I don't see any issues legally or ethically with using
information that the user provides for security purposes.
Obviously selling personal information like names and email addresses
to spammers would be an ethical violation, though
probably not a legal one at this time. Because Strongbox doesn't share
information with outsiders but only uses it for
internal security I haven't had to delve into these issues.
Strongbox does have one active component
but essentially it just records whether or
not the remote machine chose to grant us permission
to do certain things. We don't do anything
that anyone would complain about, we
simply ask permission to do things and
then record whether or not we got permission.
__________________
Ray Morris
support@bettercgi.com
Strongbox/Throttlebox & more
TXDPS #A14012
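The distinction the post draws between a class of machines and an identified user, as an added example that is not part of the original post and is not Strongbox code. The request records, field names and token tables are constructed for illustration, and reading "Excel installed" from the Accept header is an assumption about how such a signal could be observed passively.

```python
from collections import defaultdict

# Constructed sample requests (not real traffic): what a server sees passively.
# There is no MAC address field: across routers only the IP address is visible.
IE6_WIN98 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
IE6_ACCEPT = "image/gif, image/jpeg, application/vnd.ms-excel, */*"
SAMPLE_REQUESTS = [
    {"ip": "198.51.100.7", "user": "joebob",
     "user_agent": IE6_WIN98, "accept": IE6_ACCEPT},
    {"ip": "203.0.113.40", "user": "alice",
     "user_agent": IE6_WIN98, "accept": IE6_ACCEPT},
    # Same IP as joebob (e.g. shared NAT) but a different class of machine.
    {"ip": "198.51.100.7", "user": "carol",
     "user_agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) "
                   "Gecko/20041107 Firefox/1.0",
     "accept": "text/xml,application/xml,text/html;q=0.9,*/*;q=0.5"},
]

# Hypothetical lookup tables mapping header tokens to coarse labels.
OS_TOKENS = [("Windows 98", "Win98"), ("Windows NT 5.1", "WinXP")]
BROWSER_TOKENS = [("MSIE 6.0", "IE 6"), ("Firefox/1.0", "Firefox 1.0")]


def first_match(text, table):
    """Return the label of the first token found in text, else 'unknown'."""
    for token, label in table:
        if token in text:
            return label
    return "unknown"


def machine_class(req):
    """Reduce a request to the class of machine it came from (not a user)."""
    types = {t.split(";")[0].strip() for t in req["accept"].split(",")}
    return (first_match(req["user_agent"], OS_TOKENS),
            first_match(req["user_agent"], BROWSER_TOKENS),
            "excel" if "application/vnd.ms-excel" in types else "no-excel")


def users_per_class(requests):
    """Group usernames by machine class to show how coarse the class is."""
    classes = defaultdict(set)
    for req in requests:
        classes[machine_class(req)].add(req["user"])
    return dict(classes)


if __name__ == "__main__":
    for cls, users in users_per_class(SAMPLE_REQUESTS).items():
        print(cls, "->", sorted(users))
```

Two different usernames fall into the same class, and one IP address yields two classes, so only the username the user supplied separates individuals.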