On Fri, Nov 11, 2016 at 2:16 PM, Leila Zia leila@wikimedia.org wrote:
- Subpoena related concerns: the best way to handle this from the data
storage perspective is to not have the data at all. That is why very sensitive data is purged after 60 days at the moment in webrequest logs. As Nuria said, this length of time may be shortened by a little, but at least because of operational constraints, we won't be able to not store this data at all.
It is worth considering this in context of https://twitter.com/Pinboard/status/797167026481442816
That is, not storing the data is nice, but do we have any plans in place in case a government decides to place a recording device in our data center beside our servers? We may have the best of intentions, but "we don't store it" could in fact be misleading comfort if there is a third-party who *is* storing it.
This is perhaps a broader question (and more in line with James' initial inquiry?), as it suggests that we reconsider what sort of protections we can actually provide to our editors, and make sure they know if we can't protect them from state-level monitoring. --scott