Aller au contenu

Computer Science and privacy

CMAP staff database

CMAP has set up a tool to centralize some information on CMAP members. This database contains information intended for the laboratory directory, as well as useful information for the secretariat (status, dates of presence in the laboratory ....)

This database has been declared to the CNIL (Ref : n° 1223192) and complies with the norm n'46 concerning the recorded information and the treatments made.

Each member of the laboratory can assert his or her right to consult or modify this file by contacting the laboratory secretariat.

Management of IT logs

All of our computer servers that provide network services (email, web server, remote access, etc.) produce a number of logs that record certain system activities and usage.

The IT staff may need to examine these logs or perform statistical processing in order to :

  • Detect any security failure or anomaly, voluntary or accidental, passive or active, of material or human origin;
  • Detect any violation of the law or abuse of computer resources
  • To be able to provide the necessary evidence to carry out investigations in the event of a security incident and to respond to any official request submitted in the legal form.
  • Monitor the volume of use of the resource, detect anomalies in order to implement quality of service, and upgrade the equipment according to the needs

It is therefore normal that each user is well aware of the information that is stored in these logs.

The network administrators may be required to provide information that may include personal data only at the request of the functional security structure (defense security officer, school CISO), as they are bound by professional secrecy. The network administrators are bound by the utmost discretion and do not respond, except at the request of the judicial authority, to any request for information or processing that may implicate individuals or infringe on their privacy.

On externally accessible servers, logs are kept for 52 weeks.

E-mail

We know:

  • the name and email address of the sender and the recipient
  • the date of sending/receiving.
  • the network addresses of the sender and the recipient
  • the result of the anti-spam and anti-virus treatment on this message

We do not keep :

  • The subject
  • The content

Systematic processing is carried out for exchange metrology. These are statistical treatments in volume which are anonymous.

Connections on the SSH CMAP gateway (ssh.cmap.polytechnique.fr)

  • the name of the user under which the connection is made,
  • the network address of the machine from which the connection was made
  • the start and end dates of the connection.

Web server

  • The source and destination IP address and the various authentication data (identifier/authenticator or certificate) in case user authentication is performed
  • The page consulted and the information provided by the client (browser, robot, ...) such as the type of browser and the operating system of the client
  • The source and destination port numbers as well as the protocol
  • The type of the request
  • The date and time of the attempt
  • The volume of data transferred

Statistical processing is also carried out.

Laptops connections to the wired network

  • Dates, source and destination IP addresses, physical addresses, port numbers, protocol of all network connections are kept for 52 weeks

Prints

The printing logs are kept for a few days only. Anonymous statistical processing is carried out.

Workstations not accessible from the Internet

Connection logs (date, login) are kept for a few days only.