The European Union moved closer to labelling Internet Protocol addresses as personal information yesterday at a public hearing of the Civil Liberties Committee. Peter Schaar, Germany's data protection commissioner and the man behind an EU group considering the privacy policies of major search engines, told the meeting that if IP …
A permanent cookie
When it comes to my home broadband connection I'm very wary of static IP addresses - they are, in effect, a permanent tracking cookie. So when IPv6 comes along and all our networked devices - including mobile phones, cameras and even cars - have an IP address, the privacy issue will become very important. I'm glad the EU is already looking ahead and thinking about it.
I feel that an IP address is as personal as a postal address or phone number... it can be used to trace a specific connection. It should therefore be treated in the same manner... If I call you, I have the option of withholding my telephone number. If I need something posted to me, I can set up a PO box address.
In other words, people should have the right to determine whether their IP address is given out to anyone who asks for it. In my examples above, should the police need to trace me, the information is still available to them.
I suppose the key question then becomes... should privacy be opt-in or opt-out?
How will this affect
Pretty much every forum and guest book system, and many e-commerce systems that store your IP address
Or alternatively, when someone takes them to court to reveal the identity of someone, will they be able to say, sorry, we just don't store that information anymore, EU rules and all that.
Can they do the following?
Can the MEPs debating this, go here, on their home PCs:
And publish the IP address it reports? Go on, dare you!
They should be PRESUMED to identify an individual, unless PROVED otherwise
Some IPs identify an individual. Others may belong to a machine serving a department or used by more than one person. But in most cases there is no way to reliably tell the difference.
Consequently, for all purposes, they ought to be treated AS IF they identify an individual, even though in many or most cases they probably do not.
It's not an issue.......
Surely an IP address identifies a connection, end of. This IP address here is to my router, which is open wifi, and cabled to my other computers, which other members of my household use. It's not personal to me, it's anyone in my family or the multitudes of weirdos stealing my wifi.
What about blacklists?
So if this goes into effect, what about IP-based anti-spam or broken mail server blacklists? Can a spammer now demand his IP be removed based on it violating his privacy?
By the same logic your postal and telephone numbers wouldn't count as personal data. Also, what about the single-person households with secure internet connections? Then, with a very high probability, the person is identified.
Another issue with IP addresses is not only are they an identifier in many places (eg BT provided ones) they also provide location information.
As the EU correctly states, how personal the information is depends on the context of how they are being used. But there is always the risk that a low-risk activity (a text log file of logins with IP address) is converted into a more high-risk activity (a database of logins is cross-referenced with an advertising network's database of adverts viewed on different sites by the same IP address and then further correlated to find the locality of said IP address).
"it's not personal to me"
Fair enough, can I have it please?
How to solve it using consistency
If IP addresses are not personal information, they do not identify anyone. Therefore they cannot be used to accuse someone.
If IP addresses CAN be used to accuse someone, they do identify a person and are personal information, protected by various privacy acts (including RIPA).
Think we may have a problem here, let's work on the assumption that an IP address is personal information... If I remember my DPA training right, personal information can't be transmitted out of the EU unless there are adequate protection measures in place... So if a packet request goes through a country without these safeguards with my IP address on it as the originator, has my ISP broken DPA?
Any lawyers out there
"How to solve it using consistency ..."
but the law is rarely consistent ... which is why the weasel phrase "for the purposes of the act" appears a lot in UK law.
Private property ? Try having a few stellas, and spinning your Corsa around privately owned land ... "for the purposes of the act" it becomes public land ....
Context & use paramount
Law should protect the governed. IPs are too vague and disconnected with users to associate with one specific individual for legal purposes (when the exact individual needs to be identified), but too personal to be allowed to be data-mined for commercial purposes, when the exact individual involved doesn't matter.
What's the likelihood of that ever happening...
The EU has three choices here:
1) it can declare that IP addresses are not personal identification, as they cannot be used to uniquely identify a person. In which case the various international bodies interested in tracking down filesharers will suddenly be very upset.
2) it can declare that IP addresses are personal information, in which case international routing becomes problematic under data sharing laws, and pretty much every website admin in Europe would have to register to be a Data Controller (much to the delight of the registrars)
3) It can declare that an IP address is not sufficient *on its own* to be uniquely identifiable, and give a list of info that you are not allowed to keep with the IP address (eg time of contact, or anything specific about the machine, or info in a persistent cookie). This would render logging on forums for libel purposes impossible, but would allow investigators working on a specific case to legally turn on logging for that specific purpose. It would also hugely annoy both camps, so it's not going to happen.
Rather than debate whether an IP address can or can't be personal information, just make it illegal to treat it as personal information. This includes any attempt to link the IP address to a given individual in any way.
In other words, you can use an IP address to determine if a packet or packets came from a given endpoint, and choose to disallow or track connections from that endpoint in the future, but you can't legally use the IP address to say that that end-point "belongs" to a given individual (even if, technically, you could prove that that end-point was connected to that individual's ISP using that individual's account.)
This would allow forums, anti-spam groups, etc. to block "rogue endpoints", but prevent legal agencies, ISPs, or orgs like the RIAA from presuming you're guilty simply because someone used "your" IP address.
Crap. When I put it that way, it's clearly too sensible for any government to implement.
'there's no black and white answer'
No, just ones and zeroes
Even if it is normally illegal for a citizen to record or process data such as an IP address, there might be rare situations where the citizen is legally justified. http://hack-igations.blogspot.com/2008/01/ip-address-privacy-and-self-defense.html
If you've ever read the ICO documents on what constitutes personal data (a rather dry read) then you should know that personal information is anything that can be used to uniquely identify an individual.
So saying my name is Fred Blogs is not classed as personal since there are likely to be other Fred Blogs.
Having 2 pieces of information e.g name :- Fred Blogs, Mobile Number 0123456789, is personal because there is only one Fred Blogs from that number.
You don't always need the name.
A description such as:- The man who lives in the High street, has grey hair, drives a green Ford Mondeo, walks his poodle every Saturday morning.
Could be classed as personal since it identifies an individual. There is the assumption that the description is sufficient to prove that only one person has these characteristics.
Of course the interesting things are email addresses. These are always unique, even if you work in a large corporation where there are bound to be multiple John Smiths etc, every one of them will have a unique email address. Since most sites where you have to register will ask for your email address at some point, this is personal information so the IP address is somewhat irrelevant.
Since multiple home users will use the same PC or corporate users will be behind a single NAT address, an IP address itself could not be classified as personal information.
Possibly you forget that in the UK the site admin would be the victim of a crime and therefore be presumed to be guilty, be tasered (at least twice) then locked up for 42 days without being interviewed or seeing a solicitor or being offered a cup of tea immediately any complaint was made. All for abusing the 'rights' of the hacker.
This is British Justice we're talking about.