Treasury Board of Canada Secretariat - Government of Canada

Chief Information Officer Branch
Information, Privacy and Security Policy Division

Requests for Internet Logs

ATIP Security Info Source
No.:  89
DATE:   August 6, 2003
TO:   ATIP Community, Departmental Security Officers
SUBJECT: Requests for Internet Logs 

This Implementation Report replaces Access to Information and Privacy Information Notice No. 2002-14 dated October 4, 2002 and Security Policy Implementation Notice No. 2002-21 dated October 4, 2002. Please note that a copy of this Implementation Report has also been sent to your Departmental Security Officer.

The enclosed appendix provides additional details on the processing of access to information requests for Internet logs. It presents a short explanation of the technical terms used, of Internet logs and reverse lookup resolution software. It also includes a discussion of the exemptions that will most likely apply, examples of requests, and information on the retention and disposition of Internet logs.

Questions relating to the processing of access to information requests for Internet usage logs should be addressed to the Information and Security Policy Division of the Treasury Board Secretariat at (613) 946-4945.

 

Anne Brennan

Director
Information and Security Policy Division
Government Operations Sector

 

Appendix to Implementation Report No. 89 on Internet Logs 

This Implementation Report replaces Information Notice No. 2002-14 dated October 4, 2002, and is intended to provide additional details on the processing of access to information requests for Internet logs. It presents a short explanation of the technical terms used, of Internet logs and of reverse lookup resolution software. It also includes a discussion of the exemptions that will most likely apply, examples of requests, and information on the retention and disposition of Internet logs.

Please note that the following guidance does not pertain to requests for incoming and/or outgoing e-mails. The technical information contained in this report is general in nature and is provided to help the reader understand Parts III and IV of the report. It does not cover all situations since institutions use different technologies and procedures. Please consult your information technology specialist to determine the best approach for handling specific requests.


I. Definitions

The computer terms used in this report may be defined as follows:

Destination IP: the IP address of the site visited, shown as a series of numbers such as 198.103.53.2

Firewall: security interface or gateway between a private network and the Internet that blocks or manages communications to monitor traffic and to prevent unauthorized users from accessing the system 

Fully qualified domain name: consists of the local hostname (www) and the domain name (tbs-sct.gc.ca). The fully qualified domain name is the portion of the URL that appears between the double front slash (//) at the beginning of the URL and the next front slash (/).

Internet log: report generated from a program or software used to monitor the use of the Internet

Reverse Lookup resolution software: software that uses the Domain Name System to convert an IP address (expressed as a number) into a fully qualified domain name (expressed in plain language, such as www.tbs-sct.gc.ca). The Domain Name System is the way that Internet domain names are translated to and from IP addresses.

Source IP: the IP address of the computer from which a particular packet originated, shown as a series of numbers. A packet is the unit of data that is routed between an origin and a destination on the Internet.

URL (Uniform Resource Locator): the address of a resource on the Internet. A URL may have hundreds of characters after the hostname part of the address. The URL specifies the protocol being used (typically "http", but can also be "ftp"), followed by the fully qualified domain name and more specific details regarding the location of the resource. A URL may also be used to carry other instructions relating to a search. For example, http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=utf-8&q=help+definition&btnG=Google+Search is the URL for a Google search for the definition of "help".

II. Internet Logs

What information is typically contained on an Internet Log?

Logs differ from institution to institution with regard to the specific information that they track and make available, depending upon the configuration or set-up of the firewalls and the reporting mechanisms used by the institution. At a minimum, the Internet logs show the date and precise time that a specific computer connects to an Internet site, the source IP and the destination IP. Usually, the logs also show the URL visited. 

Source IP Addresses


Source IP addresses can be maintained in a variety of ways.

· They can be assigned manually to a specific computer or workstation and logs of the IP address assignments are kept.

· Other sites use the Dynamic Host Configuration Protocol (DHCP) to automatically assign IP addresses to a workstation. Depending on the duration of time the system leases an IP address to a particular computer, this could be a constantly changing variable on a workstation and some sort of history database is needed to track IP addresses. However, DHCP addresses can be very stable, especially when the pool of addresses is sufficiently large (e.g., 50% more addresses available than needed).

· Other sites give long lease durations to IP addresses to ensure that an IP address stays with a particular workstation. 

· Other sites do not even use IP addresses and have a proxy server that forwards requests on behalf of clients on the Internet. These clients could be running on non-TCP/IP protocols, such as Novell IPX/SPX or NetBEUI instead of TCP/IP.

The linkage from the source IP to a specific institutional employee is not maintained by the firewall logs but by either a manual look-up log or an automated one, such as a database. These correlating logs are maintained for an established period of time, such as 90 days. If an access request for Internet logs is received at any time within the established period of time, it will be possible to determine the name of the employee who is associated with each source IP, although the names of the employees do not appear on the Internet logs. 

URL and Reverse Lookup Resolution Software


When a list of Internet sites visited by the employees of the institution is requested, it is possible that the requester wishes to obtain a list of the sites visited expressed in plain language rather than a list of the destination IP addresses. If the information contained in the logs does not include the URLs visited, you will need to use the "reverse lookup" resolution software. This software converts the destination IP address, expressed as a number, into a fully qualified domain name, expressed in plain language. The reverse lookup software will not provide the exact site visited, but the top level domain (or homepage). In addition, some IP addresses may remain unresolved if, for example, the IP address no longer exists when the reverse lookup software is used.

It is probable that all institutions have reverse lookup software and use it as needed. It is also probable that institutions do not generate lists of URLs from their logs unless there is a specific reason to do so (for example, when improper use of the electronic network by a particular employee is suspected). 

Example of the configuration of an Internet log


The following is an example of the configuration of the Internet log of one government institution. The fields in italics and in bold are considered by some Information Technology security experts to pose a security risk if disclosed.

  1. Number – sequential number for each entry in the firewall log.  The logs are restarted on a daily basis.

  2. Date – date of request.

  3. Time – time of request.

  4. Interface – interconnection between firewall software and the network systems.

  5. Origin – IP address of firewall servicing the request.

  6. Type – type of record (log, accounting, etc.) – only log records are used.

  7. Action – Accept, reject, drop (this Implementation Report deals only with 'accept').

  8. Service – web access, ftp access, mail access, etc.

  9. Source – internal source IP address.

  10. Destination – destination IP address (shown as numbers, not a resolved URL).

  11. Protocol – technical information.

  12. Rule – associated rule number in Firewall log.

  13. S_port – source port.

  14. User – not recorded.

  15. SrcKeyID – used for encryption that is not used on the firewall.

  16. DstKeyID – used for encryption that is not used on the firewall.

  17. Elapsed – not recorded.

  18. Bytes – not recorded.

  19. XlateSrc – usually external IP address of firewall.

  20. XlateDst – usually the destination IP address.

  21. XlateSPort – translated source port by firewall.

  22. XlateDPort – translated destination port by firewall.

  23. Product – always firewall module.

  24. Information – usually the length of the packet.
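
The following is an added example, not part of the Implementation Report or any institution's tooling. It shows how a list of sites visited can be produced from a log laid out in the 24 fields above: only accepted "log" records are kept, only the chosen fields are copied, and each destination IP is passed through a reverse lookup, with unresolved addresses marked. The comma-separated encoding, the sample entries and the function names are assumptions.

```python
import csv
import io
import socket

# Field order follows the 24-field layout listed above. The comma-separated
# encoding is an assumption; the report does not specify a file format.
FIELDS = [
    "number", "date", "time", "interface", "origin", "type", "action",
    "service", "source", "destination", "protocol", "rule", "s_port", "user",
    "src_key_id", "dst_key_id", "elapsed", "bytes", "xlate_src", "xlate_dst",
    "xlate_sport", "xlate_dport", "product", "information",
]

# Constructed sample entries (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
1,2003-08-06,09:15:02,eth0,192.0.2.1,log,accept,http,10.1.1.20,198.51.100.7,tcp,12,1044,,,,,,192.0.2.1,198.51.100.7,40001,80,fw,len 60
2,2003-08-06,09:15:40,eth0,192.0.2.1,log,accept,http,10.1.1.31,198.51.100.7,tcp,12,1050,,,,,,192.0.2.1,198.51.100.7,40002,80,fw,len 60
3,2003-08-06,09:16:11,eth0,192.0.2.1,log,drop,ftp,10.1.1.20,203.0.113.9,tcp,30,1051,,,,,,192.0.2.1,203.0.113.9,40003,21,fw,len 48
4,2003-08-06,09:17:05,eth0,192.0.2.1,log,accept,http,10.1.1.20,203.0.113.9,tcp,12,1052,,,,,,192.0.2.1,203.0.113.9,40004,80,fw,len 60
5,2003-08-06,09:18:00,truncated entry
"""


def parse_log(text):
    """Return accepted 'log' records as dicts; skip malformed lines."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            continue  # truncated or corrupted entry
        entry = dict(zip(FIELDS, row))
        if entry["type"] == "log" and entry["action"] == "accept":
            entries.append(entry)
    return entries


def dns_reverse_lookup(ip):
    """PTR lookup through the system resolver; None when nothing resolves."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None


def build_disclosure_rows(entries, resolver=dns_reverse_lookup,
                          keep_fields=("date", "time", "destination")):
    """Copy only keep_fields and add the resolved domain for each destination."""
    cache = {}  # one lookup per distinct destination IP
    rows = []
    for entry in entries:
        ip = entry["destination"]
        if ip not in cache:
            cache[ip] = resolver(ip)
        row = {name: entry[name] for name in keep_fields}
        row["domain"] = cache[ip] or "unresolved"
        rows.append(row)
    return rows


if __name__ == "__main__":
    # Constructed stand-in for DNS so the demonstration runs offline.
    stub = {"198.51.100.7": "www.example.org"}
    for row in build_disclosure_rows(parse_log(SAMPLE_LOG), stub.get):
        print(row)
```

Because the source field is copied only when it is named in `keep_fields`, the default output carries no source IP addresses.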

 

III. Access to Information Requests

How a government institution responds to a request for Internet logs depends on the wording of the request. It also depends on the specific roles played by the institution, especially in those circumstances where disclosure of the list of Internet sites visited by employees of the institution might harm an ongoing lawful investigation by tipping off suspects about the nature and direction of the investigation. In addition, the institution's policy on the use of its electronic networks will determine the approach taken to ascertain what information should be exempt pursuant to section 19 of the Access to Information Act (ATIA).


The institution must consider three general issues upon receiving an access to information request.


1. Clarify the request if necessary. 
2. Find all relevant documents.
3. Determine if exemptions apply.

1. Clarify the request: It may be necessary to contact the requester to confirm what information is really wanted: a list of the visited Internet sites expressed in plain language, the Internet logs, or a combination of both.

If the requester wants the URLs and they do not appear in the Internet logs, the institution will need to generate a list by using the reverse lookup software, as explained in Part II.

If the requester wants the Internet logs and they do not contain the URLs, it may be useful to explain that the logs will only show the IP address numbers. The institution will need to clarify if the requester wishes to obtain the source IP addresses of the computers that visited the Internet sites. It will be necessary to explain that the logs have many different fields of information, and to determine if the requester is interested in seeing particular fields. For example, an institution may be able to create a record containing only the fields that show the source IP and destination IP addresses. A requester who specifically wants the logs, and not just the URLs, probably has a good understanding of what kinds of information are available on Internet logs. 

In all cases where a request is clarified or altered, it is important that the institution confirm, in writing, its understanding of the revised request with the requester.

2. Find relevant records: The relevant records will include all records available to respond to the request. If the records do not exist but can be created from a machine-readable record and the institution has the necessary software and technical expertise, the records must be created and processed under the ATIA.

The applicable provision of the Access to Information Act is subsection 4(3):

For the purposes of this Act, any record requested under this Act that does not exist but can, subject to such limitations as may be prescribed by regulation, be produced from a machine readable record under the control of a government institution using computer hardware and software and technical expertise normally used by the government institution shall be deemed to be a record under the control of the government institution.

Note also section 3 of the Access to Information Regulations:

For the purpose of subsection 4(3) of the Act, a record that does not exist but can be produced from a machine readable record under the control of a government institution need not be produced where the production thereof would unreasonably interfere with the operations of the institution.

If the institution is capable of producing the records requested using the technology that it normally uses, then it will be required to do so to respond to a request received under the ATIA. Fees may be charged in accordance with subsection 7(3) of the Regulations:

7 (3) Where the record requested pursuant to subsection (1) is produced from a machine readable record, the head of the government institution may, in addition to any other fees, require payment for the cost of production and programming calculated in the following manner:

(a) $16.50 per minute for the cost of the central processor and all locally attached devices; and

(b) $5 per person per quarter hour for time spent on programming a computer. 

3. Exemptions: In most cases, the grounds for exempting information will be sections 16 and 19 of the ATIA. If challenged, the institution should be prepared to justify the exemptions cited. Lack of relevance is not a ground for exemption or exclusion of a portion of a record under the Act. 

Subsection 16(1) – Law Enforcement and Investigations

Subsection 16(1) of the ATIA applies when disclosing the Internet sites visited might harm certain investigations. For example, an Internet log shows that the police or national security officials are investigating certain Internet sites and parties associated with those sites. 

Paragraph 16(2)(c) – Security

It is also necessary to determine if the disclosure of certain information would constitute an undue security risk. Paragraph 16(2)(c) of the Access to Information Act provides: 

The head of a government institution may refuse to disclose any record requested under this Act that contains information that could reasonably be expected to facilitate the commission of an offence, including, without restricting the generality of the foregoing, any such information

(c) on the vulnerability of particular buildings or other structures or systems, including computer or communication systems, or methods employed to protect such buildings or other structures or systems.

In the example of a log found in Part II, the fields in italics and in bold are considered to pose a security risk if disclosed. This includes the source IP because it might reveal information about how the network is configured, and this in turn might provide information about potential security vulnerabilities. Note that most institutions mask the source IP number when it leaves the department network to visit an Internet site. As the source IP passes through the institution's firewall, the source IP is usually replaced by a general IP for the entire institution. Thus, the Internet site visited does not usually receive the source IP of the specific computer that visited the Internet site, but a general IP for the entire institution. However, the institution will have a log showing the connection between the specific source IP and the specific Internet site. 

Thus, the institution can invoke paragraph 16(2)(c) when it can reasonably predict that the disclosure of the information could facilitate the commission of an offence against the institution's computer network.

Note: The Information Commissioner found that a bulk disclosure of e-mail addresses could not be withheld on the basis of security concerns. "[G]iven the large number of addresses which are publicly available, giving out the remainder would not materially change what is already a high risk." (Annual Report 2000-2001, p. 105). In cases where source IP addresses are generally masked and not in the public domain, a distinction can be made between the treatment of source IP addresses and e-mail addresses. E-mail addresses in and of themselves usually do not reveal information about a system's configuration. However, as noted above, a source IP can reveal potentially sensitive information.

Section 19 – Personal Information

This Implementation Report addresses only whether the personal information falls within the exception set out in paragraph 3(j) of the Privacy Act. 

Section 3 of the Privacy Act defines "personal information" as any information about "an identifiable individual", including numbers "assigned to the individual". IP addresses may be considered to be personal information since they can be traced back to the individual employee to whom that source IP address has been assigned. This is done through the database that shows the correlation between individual employees and the computer to which the source IP relates. 

Paragraph 3(j) of the Privacy Act states that, for the purposes of section 19 of the Access to Information Act, personal information does not include information about an individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual. Therefore, even though the information continues to be "personal information" for various purposes under the Privacy Act, it is not personal information for the purposes of a request under the ATIA.

The institution's policy on the use of electronic networks will have an impact on the application of section 19, as discussed below.

Policy on the use of electronic networks
Does the institution have an internal policy on the use of electronic networks? Does this policy permit personal use? Whether it does or does not, there will be a need to scrutinize the logs to identify personal information. The institution's policy on the use of its electronic networks will determine the approach taken to ascertain what information should be exempt pursuant to section 19 of the ATIA.

a) The institution has a policy that prohibits personal use of electronic networks by its employees

Even if there is a policy that prohibits personal use, it cannot be assumed that every Internet site visit is work-related. 

If the sites visited are neutral in nature (i.e. it is not apparent that they are not work-related), the institution can presume that they are work-related and can be disclosed. It can be argued that the information "relates to the position or functions of the individual" and therefore falls within paragraph 3(j) of the definition of personal information. 

Where it is apparent that the site visited is not work-related, the institution should consider that site to be personal information and the source IP address should be severed. The destination IP address can be disclosed, unless another exemption applies. (When the requester wishes to obtain information about a particular employee, the destination IP address should be exempt.) In some cases, it may be necessary to consult the employee to determine whether the Internet site visit was personal or work-related.

b) The institution has a policy that permits personal use

When the policy permits personal use, certain source IP addresses associated with Internet site visits will be personal information that does not relate to the position or functions of the employee. These addresses must not be disclosed, in accordance with subsection 19(1) of the ATIA. (When the requester wishes to obtain information about a particular employee, the destination IP address should be exempt.)

No presumption can be made that "neutral" Internet site visits are or are not work-related. To determine which source IP addresses must be disclosed and which must be withheld could require showing the logs to individual employees and having them identify which Internet site visits were for personal use. 

It is possible that the work-related and personal Internet site visits cannot reasonably be severed from each other. In such cases, none of the source IP addresses would be disclosed pursuant to subsection 19(1) of the ATIA. However, due consideration must be given to the discretionary exception in subsection 19(2) of the Act. Seeking the consent of a large group of employees may create an unreasonable burden on the institution.

c) The institution does not have a policy on acceptable use of the Internet or the policy has not been communicated to its employees

The response would be the same as in b).

Subsection 19(2)
Institutions must consider subsection 19(2) of the ATIA, which permits the release of personal information in certain circumstances. For example, paragraph 19(2)(a) authorizes the disclosure of personal information when the individual to whom it relates consents to the disclosure. In addition, a reasonable effort must be made to obtain such consent. Please refer to Implementation Report #78 and the Cemerlic decision (http://decisions.fct-cf.gc.ca/fct/2003/2003fct133.html) for additional information on this subject.

In cases where the URL contains the name of the individual who hosts the Internet site, such as www.janedoe.ca, the name is publicly available personal information. Section 19(2)(b) of the ATIA gives the head of the institution the discretion to disclose publicly available personal information.

Note: The Information Commissioner recently dealt with a request to obtain the listings of cellular telephone calls made by a Secretary of State. Some 8000 phone calls were involved. The Information Commissioner found that it would be unreasonable and impractical for an institution to go through the telephone records to determine which calls were personal and which were work-related. The Commissioner recommended that the last four digits of the numbers called be deleted. (Annual Report 2000-2001, page 102). Using this example, an institution might claim that it is unreasonable to sever personal and work-related Internet site visits of a given employee, in which case, the destination IP addresses and/or URLs would not have to be disclosed. Of course, it would be for the courts to give a final interpretation on this issue. 


IV. Examples

Request #1: List of URLs visited by several employees, where the information is co-mingled

  • If the logs do not contain the URLs visited, the list of fully qualified domain names is generated by using special software, such as the reverse lookup software.
  • If the institution is capable of producing the records requested using the technology that it normally uses, it is required to do so to respond to this request.
  • In most cases, very few exemptions will apply to lists of Internet sites visited. Subsection 16(1) will apply if the disclosure of URLs would be harmful to investigations.
  • Be careful if the list generated includes other fields, such as source IP addresses or other fields that are the subject of exemptions. If this is the case, see request #3 below for guidance.


Request #2: List of URLs visited by a specific employee

 

  • If the logs do not contain the URLs visited, the list of fully qualified domain names is generated by using special software, such as the reverse lookup software.

  • If the institution is capable of producing the record requested using the technology that it normally uses, it is required to do so to respond to this request.

  • The sites visited by the employee should be reviewed to determine if the visits are work-related or personal. Since this request pertains to only one employee, the easiest way to accomplish this task is to consult the employee. If this is not possible, the institution's policy on the use of its electronic networks will determine the approach to take to ascertain what information should be exempt pursuant to section 19 of the Act. See Part III.

  • A reasonable effort must be made to obtain the consent of the employee to the disclosure of the personal information.

  • The Internet site visits that are work-related should be disclosed, unless subsection 16(1) applies.


Request #3: The complete Internet logs for several employees

  • Sections 16(1), 16(2)(c), 19(1) and 19(2) may apply.

  • Institutions need to consider whether the disclosure of destination IP addresses could harm an investigation pursuant to subsection 16(1).

  • Institutions need to consider whether the disclosure of certain data fields, including source IP addresses, constitutes a security risk pursuant to paragraph 16(2)(c). See the example of a log in Part II.

  • The sites visited by the employees should be reviewed to determine if the visits are work-related or personal. The institution's policy on the use of electronic networks will determine the approach to take to ascertain what information should be exempt pursuant to section 19 of the Act. See Part III.

  • When the site visited is not work-related, the institution should consider that site to be personal information and the source IP address should be severed. The destination IP address should be disclosed, unless another exemption applies.

  • In some cases, it may be necessary to consult the employee to determine whether the Internet site visit was personal or work-related. 

  • It is possible that the work-related and personal Internet site visits cannot reasonably be severed from each other. In such cases, none of the source IP addresses would be disclosed pursuant to subsection 19(1) of the ATIA.

  • Due consideration must be given to the discretionary exception in subsection 19(2) of the Act. Seeking the consent of a large group of employees may create an unreasonable burden on the institution.

Request #4: The complete Internet logs for a particular employee

  • Sections 16(1), 16(2)(c), 19(1) and 19(2) may apply.

  • Institutions need to consider whether the disclosure of destination IP addresses could harm an investigation pursuant to subsection 16(1).

  • Institutions need to consider whether the disclosure of certain data fields, including source IP addresses, constitutes a security risk pursuant to paragraph 16(2)(c). See the example of a log in Part II.

  • The destination IP addresses should be reviewed to determine if the visits are work-related or personal. Since this request pertains to only one employee, the easiest way to accomplish this task is to consult the employee. If this is not possible, the institution's policy on the use of electronic networks will determine the approach to take to ascertain what information should be exempt pursuant to section 19 of the Act. See Part III.

  • When the site visited is not work-related, the institution should consider that site to be personal information pursuant to subsection 19(1).

  • A reasonable effort must be made to obtain the consent of the employee to the disclosure of the personal information.


V. Retention and disposition of Internet usage logs

Pursuant to subsection 4(1) of the Privacy Regulations, institutions must retain personal information that has been used for an administrative purpose for a minimum of two years from the date of the last administrative use, unless the individual concerned consents to earlier disposal.

  • An administrative use occurs when an institution uses information to make a decision that directly affects an employee.


It is not necessary to retain automated logs and audit trails if the institution does not use them to make decisions about employees. Such records are considered to be administrative records for the purposes of the National Archives of Canada Act and are subject to Records Disposition Authority #98/001. Each institution should establish the retention period for retaining the databases and other records that show the correlation between an employee's computer IP Source address and the name of the employee. The retention period recommended by the Library and Archives of Canada (formerly the National Archives of Canada) is two years.


VI. Review of the steps in handling an access to information request for Internet Usage Logs

  • What is the scope of the request? If necessary, clarify the scope of the request: is it for source IP addresses, destination IP addresses, URLs or all of the above?

  • Does the institution have an internal policy on the use of electronic networks? Does this policy permit personal use? Whether it does or does not, you will need to scrutinize the logs to identify personal information.

  • Review the relevant records to determine if exemptions should be invoked, such as sections 16 and 19 of the Access to Information Act.

VIII. Further Consultation

It is recommended that you consult your information technology specialist to determine the best approach for handling specific requests. The specialist will be able to determine if the institution has the computer hardware and software and the technical expertise needed to provide the information sought.

For security-related questions, please contact your Departmental Security Officer (DSO), who will identify the fields contained in the Internet logs that pose a security risk if disclosed.

In addition, it is recommended that you consult your legal services if the request raises legal issues.

Questions relating to the processing of access to information requests for Internet usage logs should be addressed to the Information and Security Policy Division of the Treasury Board Secretariat at (613) 946-4945.

The Treasury Board Policy on the Use of Electronic Networks can be found at http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/tb_cp/uen_e.asp. For further information related to this Policy, please refer to the "Enquiries" portion of the Policy.