That's kind of the point of log files. As a contrived example, what if users suddenly couldn't upload files that ended in .jpeg instead of .jpg. How would they be able to diagnose the problem if they didn't store data about image filenames?

Obviously they filter passwords and other sensitive data, but I think they should rightly have access to whatever they judge necessary to do their job.

There will always be people who have the ability to access data they are not supposed to, but in the end it comes down to who you will trust with your data.

To me, the transparency and contributions of 37signals qualifies them to have that trust. With that, I trust them to make good decisions about who they hire and what they store in their log files.

I wonder if parent was merely advocating obfuscating sensitive data so that engineers don't accidentally see things like "Downsizing-2012.xls". As long as the obfuscation is reversible, the data is still there for those who need it.

Of course, encryption per se is overkill for that. Something like ROT13 would do the trick.

If you're going to obfuscate reversibly, it is much better practice to use strong obfuscation and log (irreversibly) any time the raw data is accessed so there is an audit trail.

I would be happy if just the filename (not the extension) is at least obfuscated.

I can trust someone and still not be comfortable if he accidentally see that I uploaded "how to file a divorce.pdf" for example.

And now the problem is that files with "," or spaces in the name fail... The "reversible scrambling" proposal above might work (though not ROT13) - that way the data is there _if needed_, but it takes concious effort to take a look.

If in the process of debugging the "," issue, a set of files is uncovered (including "how to file a divorce", tough. Ideally, the usernames could be unscrambled separately, so at least there's no immediate connection to a single user.

A file based POST request always includes the name of the original file as it was uploaded from your computer, you could just as easily blame IE or firefox as you could a webserver log.

I doubt most web apps encrypt file names before they're written to logs.

I'd think the number of apps doing this is much smaller than those that don't, and even then only in cases where file names are replaced with hashes or GUIDs for directory reasons, not for the sake of information security.