Computer users leave traces of data on local and remote machines that record their activity. These records can cause problems for people who do not want their activities tracked, and they facilitate both mass and targeted surveillance. Service operators are put in an uncomfortable position because of the existence of this data: they have a responsibility to protect their users, but they may also be at risk of compelled data disclosure against their users' interests.
One way to avoid this problem is to reduce or eliminate the data that a system generates and stores by default in its regular operation. If you don't have the data, it can't be used against you or against your users.
Debian is in a good position to shape norms around this: we can configure default logging levels, we can tune what specifically gets logged, and we can determine how long logs are kept by default.
This is a discussion about how to achieve the goal of data minimization within Debian, while considering the tradeoffs and consequences of this sort of change.
We should cover at least: