[guardian-dev] Privacy preserving anonymized nginx log config

Tim Schwartz tim at timschwartz.org
Tue Jan 30 13:19:56 EST 2018


Thanks Micah,

Yeah, I really only think server logs are valuable for debugging. If $$$ is the core concept behind data analytics, then better to do it with a different system than straight server logs anyway. I really like this idea…

> Fortunately, you can actually get by
> without keeping any logs, and just turn them on *when you need to debug
> something* and then *turn them off immediately afterwards*. In this
> scenario, you are only giving up the possibility of debugging past
> problems that you cannot reproduce. A worthy sacrifice.

Though once you are scaling to a few servers or a higher level production environment, turning on / off logs might not be such an easy feat. 

Is anyone aware of managed hosting systems that have opted for privacy focused logging options? Might be an interesting space to investigate in general.  

Cheers,
Tim


> On Jan 30, 2018, at 9:42 AM, micah <micah at riseup.net> wrote:
> 
> Tim Schwartz <tim at timschwartz.org> writes:
> 
>> This is super helpful btw. Thanks. 
>> 
>> What do people generally use as a rule of thumb on timing for log
>> rotations on web servers that are privacy focused?
> 
> Depends on your threat model, but possibilities are:
> 
> 1. no logs at all, no rotation needed (when you have a ton of data, this
> is actually a lot easier)
> 
> 2. logs only in memory (vulnerable to vampire tap, or preservation
> orders)
> 
> 3. rotate stored logs in as short of a time as possible so that you can
> balance usefulness against being an arbitrarily deputized state agent.
> 
> when it comes to logging people generally want it for one of these
> things:
> 
> 1. surveillance capitalism - monetize visitors' behaviors, sell to data
> brokers, track you across the web, advertising
> 
> 2. ego vanity - it feels good to know that 500 more people visited your
> site this month, compared to last month
> 
> 3. debugging
> 
> If you can get over the first two (requires a bit of transcendence above
> the earthly trappings of being human), the third one is really the only
> reason to have any logs at all. Fortunately, you can actually get by
> without keeping any logs, and just turn them on *when you need to debug
> something* and then *turn them off immediately afterwards*. In this
> scenario, you are only giving up the possibility of debugging past
> problems that you cannot reproduce. A worthy sacrifice.
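
A sketch of the "turn logs on only while debugging, then off immediately" workflow described in the quoted message, added here as an example and not part of either message. The paths, the include layout and the function names are assumptions; `combined` is nginx's built-in log format.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: nginx.conf has
# "access_log off;" in http{} and "include /etc/nginx/debug.d/*.conf;"
# inside the server{} block being debugged.
CONF_DIR="${CONF_DIR:-/etc/nginx/debug.d}"   # assumed include directory
LOG_DIR="${LOG_DIR:-/run/nginx-debug}"       # /run is tmpfs on most Linux systems
RELOAD="${RELOAD:-nginx -s reload}"          # command that applies the config

# Back to the default state: no logging directive, no captured log.
debug_logs_off() {
    rm -f "$CONF_DIR/debug-log.conf"
    $RELOAD
    rm -rf "$LOG_DIR"
}

# Drop in a server-level access_log, which overrides the http-level "off".
debug_logs_on() {
    mkdir -p "$CONF_DIR" "$LOG_DIR" || return 1
    cat > "$CONF_DIR/debug-log.conf" <<EOF
access_log $LOG_DIR/access.log combined;
EOF
    $RELOAD
}

# Run one debugging command with logging enabled. The EXIT trap turns logging
# off again when the command finishes, fails, or is interrupted, so "off
# immediately afterwards" does not depend on someone remembering.
with_debug_logs() {
    (
        trap debug_logs_off EXIT
        trap 'exit 130' INT TERM
        debug_logs_on || exit 1
        "$@"
    )
}

# Usage (hypothetical): with_debug_logs tail -f /run/nginx-debug/access.log
```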


