Obligations to keep the web server logs


Ideally a web server with a SecureDrop landing page would not keep any logs, as recommended in the deployment best practices. Unfortunately there are legal obligations in Europe to keep the logs for some time. How long exactly, I’m not sure.

Recent rulings of European courts (see below) acknowledge a conflict between state-imposed data retention and human rights (freedom of expression, right to privacy…). This challenges the transposition of Directive 2006/24/EC, and some member states face legal action from civil society.

Companies hosting web sites may be hesitant to challenge national laws and obey European law instead. However, this may not be relevant for logs regarding the SecureDrop landing page. If the navigation of this particular page is not logged while all other pages are logged, the hosting company is in compliance. There is no obligation to log each and every page of a web site, nor is there an obligation to log the navigation of every user within the web site.


Don’t forget that the landing page is not the only place. I vaguely recall a French law that did its best to convince operators of websites to be able to identify people that contribute (upload/write texts). Don’t ask me its current status or its precise implementations… I appreciate the effort to gather information here, but I’m afraid that it’ll be hard to keep it correct and up-to-date. Wouldn’t it be rather easier to limit ourselves here to listing organizations and groups that are engaged in these topics, like la quadrature du net, vorratsdatenspeicherung.de, edri.org, bits of freedom, Alternatif Bilişim et al.? That way, whenever there’s a new instance or organization, they/we can ask these people?

Indeed! This discussion should merely be a way to learn a little more, not an attempt to create a permanent resource.

Thanks for this list, I did not know about the last two and I’ll read about them.