Decide which data are "Sensitive" for logging purposes.

In safelog we have a method to mark data as "sensitive" for logging purposes, and thereby to suppress it from persistent logs by default. But we don't have a standard approach for what counts as sensitive. There are a number of approaches we could take, from maximally to minimally cautious.

The tradeoff is between making logs useful by default and making logs safe by default. If we mark too few things as sensitive, we risk exposing information when logs are exposed¹. But if we mark too many things as sensitive, we'll encourage people to always disable safe logging.

Here are some items that might or might not be marked as Sensitive. There are many more.

• User activity
  • Information about specific addresses that the user is visiting or looking up anonymously over Tor. 🔒
  • Information about which ports the user is visiting.
  • Information about when the user is making requests over Tor, and how many.
  • Information about when the user is not making requests over Tor.
• System information
  • The user's IP address.
  • The user's timezone.
  • The user's locale.
  • The user's username.
  • The user's hostname.
  • The user's home directory.
  • The user's operating system.
  • Specific versions of software that the user is running.
• Tor network usage information:
  • The user's list of guards.
  • Paths that the user has built over the network.
  • Exit nodes that the user has used.
  • Exit nodes that the user has used at particular times.
  • Times when the user has had difficulty bootstrapping.
  • Addresses or identities of bridges.
  • Paths that the user was unable to build over the network because of given circuit restrictions.
• Metadata
  • Information that can be used to infer types of information above with different degrees of reliability.

1. Logs are often exposed when users copy-paste or back them up them without being aware of the security implications. They can also present a tempting vector for attackers to steal. ↩