
Is logging personally identifiable information a bad practice or violation of law?

@Chiappetta492

Posted in: #Logging #Privacy

I know we all do semi-anonymous logging (server logs, Google Analytics, etc.). However, on one of our external web applications, we have some non-reproducible errors that the external users report occasionally. I chalk most of them up to PEBKAC errors, but I always investigate the problem to see if I have the same problem.

While talking to the internal user that manages it, she mentioned that it is too bad that we can't figure out what browser the person is using without having to call them. I told her that actually we can, but normally it is anonymous data that isn't directly linked to a user.

I am curious, is this practice frowned upon? Actually tracking what browser an identified user is using to fill out our forms and log that information with their data. Nothing more than what is logged normally, just linked to a user.

Thoughts?

Updated: I thought I could get by without more details about the application and why. This is for a job application... application. I am trying to track down some "bugs". We hate to always call the user back and ask what browser they were using and how they got the error. If I link their browser information to their name as they fill out the form it removes one piece of the puzzle and I may be able to track down some of the browser-based errors.

The real question is if this is against best practices and/or the law.


2 Comments


@Ogunnowo487

"Bad" is a somewhat subjective and relative term. But if you want to adhere to best practices regarding respecting user privacy, then, in addition to KoKo's answer, you can simply track the data for the minimum amount of time needed to do what you need to do, and then discard or anonymize it afterwards. This is what Google and most other major online operators do.

It's a bit unrealistic to expect website operators to not log basic technical data like user-agent, IP, pageviews, etc. And most of this isn't as sensitive as PII or search queries, etc. So as long as steps are taken to protect the user's privacy (i.e. the logged data can't be accessed by 3rd parties or used in a way detrimental or disagreeable to the user), it's perfectly fine IMO.

Or you could have users opt in to have their user-agent recorded in order to help you improve the quality of service. This is the most cautious approach, and using a sample population should still give you enough data to work with.

Though I wonder why you need to associate browser to PII in order to troubleshoot your problem. Judging by your conversation, you don't actually need to contact the user to debug the errors. Why can't your bug reports simply contain a UA + non-PII session info? Most software companies (e.g. Mozilla) only track anonymous user statistics for quality assurance.

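One way to build the logging the answer above describes (a user-agent tied only to non-PII information and kept for the minimum time needed), as an added example that is not part of the original post. The class name, the random reference code a user could quote to support, and the 30-day window are assumptions made for illustration.

```python
import secrets
import time

# Assumed retention window; choose the minimum that debugging actually needs.
RETENTION_SECONDS = 30 * 24 * 3600


class DiagnosticLog:
    """Stores browser details against a random reference, never against a name."""

    def __init__(self, retention=RETENTION_SECONDS):
        self.retention = retention
        self._events = {}  # ref -> (timestamp, user_agent, form_step, error)

    def record_error(self, user_agent, form_step, error, now=None):
        """Log one form error and return a reference to show on the error page."""
        # Random reference: not derived from the user, their data or their cookie.
        ref = secrets.token_hex(4)
        ts = time.time() if now is None else now
        # The User-Agent header is attacker-controlled: drop control characters
        # (log injection) and cap the length before storing it.
        clean_ua = "".join(c for c in user_agent if c.isprintable())[:256]
        self._events[ref] = (ts, clean_ua, form_step, error)
        return ref

    def lookup(self, ref):
        """Return the browser details for a reference the user quotes, or None."""
        event = self._events.get(ref)
        if event is None:
            return None
        _, user_agent, form_step, error = event
        return {"user_agent": user_agent, "form_step": form_step, "error": error}

    def purge(self, now=None):
        """Discard events older than the retention window; return how many."""
        cutoff = (time.time() if now is None else now) - self.retention
        expired = [ref for ref, ev in self._events.items() if ev[0] < cutoff]
        for ref in expired:
            del self._events[ref]
        return len(expired)
```

Run `purge()` on a schedule; a user who reports a problem quotes the reference, so the browser details never need to be stored next to their name.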


 

@RJPawlick198

As long as your privacy policy properly discloses what you track, and you don't misuse the information, there shouldn't be any problem.
