On this page:
Rationale
Implementation
Implications
Glossary
Policy
This policy applies to access logs created when Web pages are requested from, and served through, MIT's main Web servers, operated by IS&T, and typically known as web.mit.edu or www.mit.edu[1].
IS&T records only basic information about the activity supported through these servers. IS&T retains these records (or logs) for 90 days after their creation date to allow effective management and analysis of our network and Website.
All network and web access logs are considered confidential, and as such IS&T takes active measures to prevent unauthorized access during the retention period. During a log's normal retention period, access is restricted to IS&T staff that need these data to do their job.
In some circumstances a log, or more often a very small subset of one or more day's logs, may need to be kept for longer than the prescribed retention period or released to a third party. The use of any such retained information by authorized staff, and the release of any log information to third parties, is done under the direction and with the approval of MIT's Office of the General Counsel.
IS&T recommends that individuals, groups, departments, labs and centers which operate autonomous Web servers follows the same policy or create similar policies.
[1] There are hundreds of Web servers at MIT, most of them running on computers that are not operated by IS&T. These servers produce URLs like http://xyz.mit.edu/webpage.html. While this makes them appear to be part of MIT's (i.e., the mit.edu domain's) "Website," they are not covered by this policy.
Rationale
This policy implements MIT's Privacy Policy specifically for the collection and retention of Web server logs. In defining these logs, and in setting the retention period, IS&T has weighed a variety of competing interests: the need to maintain robust operational reliability of MIT's Web server, the need to be responsive to third parties who report issues that it needs to investigate or resolve, and the desire to limit log retention to reduce opportunities for inadvertent disclosure of private data.
MIT's main Web server, which IS&T operates, is typically accessed by visiting http://web.mit.edu or http://www.mit.edu. This Web server provides access to the MIT Home Page and its related pages, as well as vast numbers of other Web pages, documents and files which are stored in, and accessible through, MIT's campus-wide shared file system service (AFS).
In addition to operational needs, collecting data on Web server usage allows IS&T to plan for future capacity needs, and to identify which browsers and platforms are in use (in support of software provisioning activities).
Except as noted above, IS&T Web server administrators do not produce any other reports from these usage logs, nor are the logs shared with MIT Web content managers. Individual Web page creators may opt to use the IS&T provided Web page access counting service, or a different method, in which case their privacy policies should reflect the collection, retention and use of these data to its users.
Implementation
At the current time, IS&T Web server is configured to log these data:
- Internet address of computer or device issuing request
- Type of browser or other client application used
- The operating system of the computer or device
- Web pages requested
- Referring Web pages
These data may change from time to time as determined by IS&T to be necessary to provide appropriate service and operational control.
The web server is in a secure location and complies with secure data storage best practices. IS&T's Network Operations Team acts as the data custodian for web server logs, and ensures that the logs are stored securely and are deleted when they expire.
Implications
While the usage logs covered under this policy do not contain personally identifying information as addressed by recent state laws, it is true that if used in conjunction with other information IS&T has in its custody (limited by those logs' retention period), Web page usage logs may allow us to associate Web page access with a given individual's computer.
IS&T will comply with a court order or valid subpoena that requests the disclosure of information contained in Web usage logs. Failure to comply could have serious consequences for the individuals involved, IS&T, and the Institute. MIT's Office of the General Counsel is qualified and authorized to confirm that a request for information contained in logs is legitimate and not an improper attempt to gain access to confidential information.
Glossary
AFS: Andrew File System. Based on technology developed at Carnegie-Mellon, MIT adopted AFS in the early nineties to provide campus-wide file sharing services, initially for users of the Athena computing environment, then other common computing platforms and with the deployment of the Web. MIT's AFS cells are visible to the MIT Web server hosted by IS&T.
URL: Uniform Resource Locater. In common usage, it is the identifier for a Web page or address on the Internet.
Web or "the Web:" In common usage, a collection of mostly specially formatted documents, often using a markup language called HTML (HyperText Markup Language) that provides links to other documents, as well as graphics, audio, and video files.
Web Reporting: MIT web publishers, whose content is served from web.mit.edu, www.mit.edu and other Web servers at MIT, can keep track of hits to their pages with a few simple steps. See the related link below for complete details.