[Foundation-l] should not web server logs (of requests) be published?

[WJhonson at aol.com]

In a message dated 11/28/2010 9:06:36 PM Pacific Standard Time, 
russnelson at gmail.com writes:


> The policy is very explicit. It says that logs may be kept. If you know
> anything about operational requirements, you will understand that that 
> means
> that logs are not routinely kept, but may be kept in order to diagnose
> problems. It's not practical to be more explicit than that. Aude has 
> already
> explained that in the usual case, the http server itself keeps no logs
> (because they'd just tell ops which squids are accessing which server), 
> and
> the squids themselves discard 99.9% of all accesses.
> 
> You're not likely to get any better explanation of what happens, because
> it's simply not practical or productive to keep you informed of which 
> squids
> or servers have had logging turned on. Rest assures that nobody at the WMF
> cares who is accessing what page. They have more interesting problems to
> solve!
> 

Yes I agree, the policy is extremely vague.
We may be struck by lightning, we may be abducted by aliens, we may be 
sentient beings.
May doesn't say anything.  Why have a policy which uses "may"? So you can 
do anything at all and say "well we did say we MAY..."
That's not a policy, it's a non-policy.

I know quite a lot about operational requirements, and I know that policies 
should state clearly what IS being done, not what may be done.
It's quite practical to be more explicit.  For example, the policy could 
state clearly what exactly is being done.  That would be more explicit.

I know what Aude stated.  I asked for a citation to the actual policy of 
the WMF on that point.  But apparently there isn't any.
You mean it's not practical or productive to keep users informed of what 
information is being stored on them.
Why bother with a clear privacy policy, why not simply ignore anyone who 
pushes for one? And then claim you're not....
Very clever.

W