DOJ proposes US data-rentention law.

Steve Fulton steve at esoteric.ca
Sat Jun 22 18:38:07 EDT 2002


At 17:37 22/06/2002 -0400, geer at world.std.com wrote:

>Not arguing, but the hardware cost curve for storage has a shorter
>halving time than the cost curve for CPU (Moore's Law) and the
>corresponding halving time for bandwidth is shorter still.

You've got a point.  Storage is becoming less and less expensive per 
gigabyte, especially for IDE drives.  If you're using a RAID set up, IDE 
doesn't cut it, SCSI is the way to go (for now).  SCSI is a lot cheaper 
than it used to be, but it's still over $1000 for a single 70gig drive in 
Canada.  For maximum redundancy in one rack-mount server, RAID 10 is the 
way to go.  That means for every 1 drive, there must be an an exact 
duplicate.  Costs can increase exponentially.

That said, storage isn't the only expense when creating a large, fast and 
redundant file server (especially for caching).  The fastest way to get 
data from a computer to the file server is via fibre channel.  And fibre 
channel hardware isn't cheap.  Last time I looked, a DIY RAID 10 system 
with 15 drives (1 hot-standby), case and fibre channel capability was ~ 
$30-35k.  For each workstation that connects to it, there is a ~1k charge 
for the fibre channel client card.  Don't even go near a fibre channel 
switch, they run $10-15k apiece, and don't handle more than 10-15 
connections.  Plus cabling.

See, it adds up -- and that's just for one unit.  To do the kind of data 
retention proposed in th EU, that is the kind of hardware that would be 
necessary.  Plus a rack of tape backup drives running 24x7.  Perhaps this 
sounds extreme, and it very well could be.  My concern isn't so much based 
on what the law says must be retained, the penalties if the data isn't 
retained are what worry me.

Could a system or network administrator be charged if the data is 
unavailable?  What if their is a plausible reason (ie. hardware failed a 
year ago, fire)?  What if the company cannot afford it?  What charges are 
brought against the company?  These questions are the reality for sysadmins 
in the EU.  If Canada implemented a data retention law, I would be 
extremely concerned about my personal liability as well as corporate -- 
Canada already can charge a network administrator who the police believe is 
negligent in blocking (and removing) copyrighted software from computers 
he/she is responsible.  It has happened.  My understanding it has to do 
with an RCMP settlement over the PROMIS software scandal, but that's 
another topic.

-- Steve


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com



More information about the cryptography mailing list