Is an IP address you use in an internet session personal data about you?
Who else would it be personal data about?
Let’s revisit that old chestnut: “Is an IP address you use in an internet session personal data about you?” The reason: I have just come across two legal references which relate to copyright infringement where the argument that an IP address is personal data was accepted. The first reference I found was the Monetary Penalty …
I'd say an IP address is no more personal to me than the number of a hotel room I stayed in last month, or the ticket number for the deli counter I had yesterday.
'shirley' the fact that it's perfectly feasible that tomorrow someone else might have the IP I have today means that it's transient info at best?
In practice, unless you use dial-up, the IP address assigned to you will remain yours for at least as long as your broadband router stays up. Even for the average Joe, that could be months. If you have your router on a UPS, you might be stuck with the same address for years.
If you rent where you live, you might be changing real address every six months, but no-one would argue that your postal address isn't personal data.
Of course, addresses need to be *public* in order to be useful, but they are still personal.
Conversely, what I do in the toilet is *private*, but I do it the same way as everyone else, so it is hardly personal.
Or, at least you think you do. Unless you are observing the private practices of a load of people...
My IP address is definitely personal data - it's a static address, and if you run a reverse DNS lookup it resolves to my name. Perhaps in hindsight not the smartest choice for a username, but I've had it for years and a static address is hard to come by in the consumer space these days so I'm not about to give it up.
I'd click the anonymous button, but there doesn't seem much point really.
I set my router to reset every night and pull a new IP address each day but then I'm on DSL and can do that - I see it as one of the unsung benefits of DSL.
"An IP address is no more personal to me than the number of a hotel room"
That could be the case if IP addresses are assigned dynamically rather than static. But, even if dynamic (and mine is), quite often they are static (mine has been the same since I started with my ISP).
So an IP address is probably more equivalent to your mobile number rather than a hotel room number...and I'm sure you wouldn't want your mobile number bandied around to all the marketers etc.
A lot will depend upon the setup, but typically when ISPs hand out IPs via DHCP the following happens:
1. You get exclusive use of an IP for 24 hours (will vary from ISP to ISP)
2. After 12 hours your PC will request the same IP again from the same DHCP server and will normally be given it. The clocks reset to 24 hours.
3. If after 21 hours your PC has not managed to renew, it will broadcast a request to any listening DHCP server asking for any IP. Listening DHCP servers will respond and if the client gets more than one response it will choose which response to use (usually the one with the IP it already has).
4. If, after 24 hours, you haven't renewed your IP (perhaps you are powered off) the DHCP server will not immediately reuse the IP for somebody else, it usually allows a grace period (perhaps as long as an hour) before allowing it to be re-used
Let's say that every morning at 8:00am you power up your PC and get an IP address. You use the PC for 30 minutes and then switch it off and go to work. The following day you do the same. On the first day you get IP 184.108.40.206. On the second day, you are just at the end of your lease and in the "grace period" so the DHCP server will re-assign the same IP address to you. As a result, you will nearly always have the same IP.
Everything of course depends upon the ISP, but the one I worked for had 24 hour leases with T1 (renew) set at 12 hours and T2 (rebind) set at 21 hours. There was a 1 hour grace period after the IP expired in which it would never be given to another PC. The reason 24 hour leases were used is because the T1 and T2 times are deliberately fuzzed around their values so that gradually the requests coming into the server are spread over the 24 hour period.
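The lease behaviour described in the comment above, as an added example that is not part of the original thread: a simplified model of a DHCP server with sticky per-MAC bindings, using the 24 h / 12 h / 21 h / 1 h timings quoted there. The class and function names, the MAC addresses and the 192.0.2.10 pool are constructed for illustration, and the fuzzing of T1 and T2 is not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Timings quoted in the comment (one ISP's settings, not a standard).
LEASE = timedelta(hours=24)
T1 = timedelta(hours=12)    # client asks its own server to renew
T2 = timedelta(hours=21)    # client broadcasts a rebind to any server
GRACE = timedelta(hours=1)  # server will not reassign during this window


def client_state(elapsed: timedelta) -> str:
    """DHCP client state for a lease granted `elapsed` ago and never renewed."""
    if elapsed < T1:
        return "BOUND"
    if elapsed < T2:
        return "RENEWING"
    if elapsed < LEASE:
        return "REBINDING"
    return "EXPIRED"


@dataclass
class Binding:
    mac: str
    granted: datetime

    def free_for_others_at(self) -> datetime:
        return self.granted + LEASE + GRACE


class LeaseServer:
    """Simplified model: one address pool, bindings remembered per MAC."""

    def __init__(self, pool):
        self.bindings = {ip: None for ip in pool}  # ip -> Binding or None

    def request(self, mac: str, now: datetime):
        # 1. A returning client gets its previous address back as long as
        #    nobody else has been given it in the meantime.
        for ip, binding in self.bindings.items():
            if binding is not None and binding.mac == mac:
                binding.granted = now
                return ip
        # 2. Otherwise hand out an address that is unused or past its grace period.
        for ip, binding in self.bindings.items():
            if binding is None or now >= binding.free_for_others_at():
                self.bindings[ip] = Binding(mac, now)
                return ip
        return None  # pool exhausted


def daily_user_addresses(days: int = 5):
    """The 08:00 daily user from the comment, with a neighbour competing for
    the only address in a constructed one-address pool."""
    server = LeaseServer(["192.0.2.10"])
    first_morning = datetime(2024, 1, 1, 8, 0)
    user, neighbour = [], []
    for day in range(days):
        morning = first_morning + timedelta(days=day)
        user.append(server.request("aa:aa:aa:aa:aa:aa", morning))
        # Neighbour asks at 07:30 the next morning, while the lease is still valid.
        neighbour.append(
            server.request("bb:bb:bb:bb:bb:bb", morning + timedelta(hours=23, minutes=30))
        )
    return user, neighbour


if __name__ == "__main__":
    print(daily_user_addresses())
```

In this model the address only changes hands once the previous holder has stayed away past lease plus grace and another client asks in that gap, which is why server logs keyed on IP tend to follow one subscriber for long periods.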
These people have your IP address *while* you're connected; so it's more like the number of a hotel room that you're in, or your position in a deli counter queue, *right now*.
Even after your IP address has changed (and that's *if* it changes -- some people require a connection with a static IP address), it still indicates who your ISP is -- just like a deli counter ticket shows which supermarket you have been shopping in.
Just rebooting your router may not be enough to get a new IP address. See, most depend on some variety of DHCP, which essentially takes the device address of your router, associates it with the IP address it assigned to your router, and if your router has not been off-line long enough for the lease to have expired while the router was down, will by preference assign you the same IP address again. So, rebooting your router MIGHT get you a new IP address, but there's good odds that you'll get the same one again. Stuff just works better that way, including the ISP's own caching, which gives them an incentive to do this above and beyond that's how all the networking courses recommend it behave.
This means that -to stay with the analogy- it's directly taggable to you. From your bill, I can tell that you emptied the minibar, spent £43.50 on the in-house porn channel, ooh...here's your email address and credit card number..........etc.
$ host 220.127.116.11
18.104.22.168.in-addr.arpa domain name pointer wylie.me.uk.
$ whois 22.214.171.124
inetnum: 126.96.36.199 - 188.8.131.52
descr: Mr Alan J. Wylie
And anyone that claims otherwise is a clueless muppet.
FWIW it seems you are catching up with what is the Accepted interpretation in Germany: IP addresses are personal information. AFAIK there is not yet a uniform position across the EU but it is likely possible that this will become consensus which puts not just statistics* but more importantly ISP logs into the spotlight - EU law requires that ISPs log user accounts for six months - as a potential breach of data protection law, one of the reasons why the EU law is not in force in Germany because it is unconstitutional. A round of legal beggar thy neighbour is probably due.
* For the purpose of statistics it seems reasonable to randomise non-reversibly the last octet of the IP address which is exactly what Google is rolling into the German service of Google Analytics.
I'm sure, when I was looking at this subject earlier this year, that the ICO's advice was to handle IP addresses as though they were personal data, because you didn't know, as your server wrote it to a logfile, whether it was coming from an internet cafe or from a home. It was, I think, pointed out that it was a lot like a telephone number in that aspect.
Whilst I agree that in certain circumstances an IP address is Personal Data that is normally limited to the point in time where one party seeks to identify the user of that address without the consent of the individual.
In the scenario described in the article the IP address as used by marketers and behavioural marketers cannot be deemed to be a Personal Data on the following grounds:
There is no attempt to identify the specific individual who is using the address and in most instances if there are multiple users of the address then identifying one individual would be difficult.
Tracking the IP address does not necessarily identify the individual. Is the partner or the account owner visiting the Next store's women's clothing site? The marketer does not know and does not need to know they are only looking to see if a user of that IP address falls in to a possible class of customer.
The identification of a user through such tracking can only occur at the point that the user actually decides to a) follow the link and b) voluntarily reveals to the supplier their personal details. In this latter point the marketer may not even have visibility of this information and thus remains unaware of the identity of the person using the IP address.
Therefore the test of remoteness still stands since the marketer makes no specific effort to actually identify the individual behind the IP address. Their primary concern is to identify members of a class of people who visit specific types of web site with a view to encouraging them to attend a single web site with a view to actually revealing themself. That is where the consent is actually provided.
I used to think along similar lines to you, but I have changed my mind.
I think that someone does not have to get your name to have identified you. If I point someone out in the street, I have identified them; no name, no date of birth, no address is needed, but I have identified them.
Now think about Google Analytics. Google gets a load of data that shows the types of website that an IP address visited, and possibly a list of search terms that the IP address was looking for. Maybe nobody knows what name you call yourself, but Google identifies you by your IP address instead (like your bank identifies you by your customer number; John Smith is just a label for your letters). Google identifies you by your IP address (and possibly also by a different reference number), and stores other personal information about your browsing habits. Google can now sell this information in the way of targeted advertising (or other things) to their customers.
This example uses IP addresses to identify you without any need for name and address, and I think definitely falls into personal data.
Some good points here that I agree with around the use of IP addresses to 'tag' a user and place into a particular marketing bucket. I agree that, as this does not identify a living individual and allow direct linkage to name / address etc without access to further data, the IP in itself cannot be seen in this situation as personal data.
Also, there are some major flaws in the approach used to analyse the legal judgements. At no point do these state that an IP address is personal data - they both state that personal data is present alongside the IP address.
The first quote, you summarise by saying: "In this way, the IP address formed part of the personal data each ISP had in its possession." Correct - it forms part of the personal data sent back - it is NOT personal data in itself as it cannot be used by itself to identify a living individual (as per the definition in the Data Protection Act) without linking to the other data in the response.
As for the second reference, you introduce the quote by saying that it states IP addresses are personal data - it doesn't at all! The quote says that ISPs must process personal data to link the IP address to an individual - in this case, the name/address etc that is linked to the IP is personal data, not the IP address itself.
Either you can't read properly, or you are trying very hard to stretch a quote to mean something totally different, and are thus willfully misleading the reader!
Good points, IME. The missing element I *think* is using information to identify individuals - so making the data 'personal'. IP address in marketing is used as a way in which to classify consumers in an aggregated form, rather than to identify Mr X, aged 37, of such and such an address.
The thing is, at present there's no distinction enshrined between uses of data in these ways, but it would seem that at some point in the relatively near future there will be a battle of interpretations to lay it down in law.
Anonymous said at 10:34 "Also, there are some major flaws in the approach used to analyse the legal judgements. At no point do these state that an IP address is personal data - they both state that personal data is present alongside the IP address."
But The DPA covers any data "that can be combined with other readily available data to identify an individual" so on that basis I think this does constitute personal data as far as the DPA is concerned.
Ah - but define 'readily'. To the vast majority of people with access to an IP address (including marketing platforms etc), this other data is not readily available.
Whilst I agree with the conclusion of the article, the only true and accurate definition is that an IP address identifies a particular network interface at a given moment in time. By extension you can argue that it identifies a data packet as originating from one or more computers using that address at the time it was sent.
ISP records can identify the customer responsible for that IP address at the time. But that person is not necessarily one of the users of the computer(s), nor the person who commits the copyright infringement.
The best analogy is that the IP address is like the number plate of a car. How would the law be applied if a customer could prove that they were somewhere else at the time of an infringement? Surely we will end up with the situation like with speed cameras, where the "registered keeper" must identify/incriminate the "driver" on request from the authorities?
But isn't it the case that ISP customers are being held responsible for the use of their connections?
I have 5 PCs, various smart phones with wifi, games consoles and two sons at home in their early 20s, hope they don't come knocking on my door asking who did what when!
All the more reason to route everything through a proxy then.
Ah, but they're on to that one. Routing through a proxy will count as "anonymous posting" and it will only take one complaint to have you chucked off the internet ... [deep voice] FOREVER!
And then you'll be made cupcakes.
"...chucking you off the Internet for being anonymous..." How exactly?
If they don't know who I am they'll struggle to take any action against me. <deep voice>"Will the person anonymously posting through that proxy please identify themselves so I can throw them off the Internet</>
Anonymous proxies sound like a great idea don't they? Heard about the cases where anonymous proxies have handed over user details just as quickly as an ISP would? Probably not or you wouldn't have posted that.
Don't pretend the operator of the anonymous proxy doesn't know who you are. Even if they only have your IP address that's enough (see above). But it's amazing how many supposedly anonymous proxies require you to have an account. How is that anonymous then?
"Tracking the IP address does not necessarily identify the individual. Is the partner or the account owner visiting the Next store's women's clothing site? The marketer does not know and does not need to know they are only looking to see if a user of that IP address falls in to a possible class of customer"
I think this is wrong. Tracking the IP address allows the marketer to correlate several independent sources of information, so the individual is identified as the same one who also did such-and-such. It is true that the marketer doesn't know the individual on a personal level but they've been identified to the extent that the marketer cares about just as surely as they would have been if they'd been tagged by postal address.
The law presumably has no hesitation in declaring "tagging by postal address" to be a means of personal identification, so it shouldn't hesitate in a functionally similar case.
But the record that links IP address to user at a certain time/date is personal.
Depending on how often you reboot the router, IP address is more or less useful for marketing.
Surely the data protection issue here is that the ISPs provided personal data (name, address, etc) to ACS Law on specious grounds? Seems to me, they all breached the Data Protection Act and could be prosecuted.
As far as I know, they were provided to ACS law following a court order and therefore were lawful. However, there is an argument that the court order was obtained without any intention to onwards prosecute, but to use the information to extort. On these grounds, some ISPs refused to respond to the orders.
One of the attractions (to me) of my ISP is that they give me a static IP address. To my mind that makes my IP Address most definitely personal data.
I hold to the view that all marketing should require a specific opt-in, so anything that cuts down the ability of marketeers to bother me in the current legal framework seems like an excellent idea
... there's no point.
ACS:Law were fined just £800 for what they did... BT who sent ACS:Law an unencrypted email with a list of subscribers, and details of the pornography they alleged to have been downloaded (contrary to a Court Order requiring encryption) were fined nothing at all.
The Information Commissioner issued no enforcement notices last year. (see http://www.whatdotheyknow.com/request/2011_enforcement_notices#incoming-218168).
"We have consulted with colleagues in our Enforcement department and they have advised us that the ICO has not issued any Enforcement Notices since August 2010 i.e. the last published Enforcement Notice on our website".
Thus if DPA regulators are not prepared to enforce the law, debating the minutiae of the DPA seems irrelevant.
Just to correct you... if BT sent the data unencrypted then that could have been in contempt of court - it would not have been breaking the law.
Your IP address is considered private (possibly identifying) information in the Netherlands.
But it's much easier to opt out of having a Nectar card (you can still shop at Sainsburys) than it is to opt out of having an IP address (you can't use the internet). Given that being without a permanent address can effectively drop you out of society, it is not hard to imagine that being without an IP address could eventually leave you in a similar position.
"Face the facts. If you don't have anything to hide, why do you care?"
It's not about (not) having something to hide. It's about how the receiving party will interpret and/or use the obtained information. THAT is the risk people want to avoid.
Example (really happened)... Bank reports usage of a stolen credit card at an ATM. Police pull up the camera records, but for whatever reason don't end up on Tuesday 15:00 but Monday 15:00 and bring that person in for questioning. Fortunately for him he had a solid alibi and the mistake surfaced, but what if he didn't?
Note: Not saying nor insinuating that cameras above ATMs are a bad idea or anything, just trying to give an example as to what can happen when data is used incorrectly.
This is a relatively innocent example, but believe me; there's much more and worse where that came from.
There was a case a while back where UK plod requested the details of a subscriber using an IP address from an ISP, and didn't notice the timestamps were not GMT/BST but somewhere in the US. So they kicked down the door of a terrified family who had been using that IP address 4 hours later.
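The failure mode in the comment above, as an added example that is not part of the original thread: an IP-to-subscriber lookup that refuses timestamps without a UTC offset and shows how the same wall-clock time resolves to two different subscribers depending on the zone assumed. The assignment log, the address 198.51.100.7, the subscriber labels and the -04:00 offset are all constructed.

```python
from datetime import datetime, timezone

# Constructed ISP assignment log: (ip, start, end, subscriber), times in UTC.
ASSIGNMENTS = [
    ("198.51.100.7", "2011-03-05T14:00:00+00:00", "2011-03-05T23:30:00+00:00", "subscriber-A"),
    ("198.51.100.7", "2011-03-06T00:30:00+00:00", "2011-03-06T12:00:00+00:00", "subscriber-B"),
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp and normalise it to UTC.

    A timestamp with no offset is rejected rather than guessed at: the
    lookup below is only meaningful if both sides agree on the zone.
    """
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"{ts!r} carries no UTC offset; confirm the zone with the source")
    return dt.astimezone(timezone.utc)


def subscriber_at(ip: str, ts: str):
    """Return the subscriber holding `ip` at `ts`, or None if nobody did."""
    when = parse_utc(ts)
    matches = [
        who
        for addr, start, end, who in ASSIGNMENTS
        if addr == ip and parse_utc(start) <= when < parse_utc(end)
    ]
    if len(matches) > 1:
        raise ValueError("overlapping assignments; log is inconsistent")
    return matches[0] if matches else None


def compare_readings(ip: str, local_ts: str, true_offset: str):
    """Resolve one wall-clock time twice: with its real offset, and misread as UTC."""
    correct = subscriber_at(ip, local_ts + true_offset)
    misread = subscriber_at(ip, local_ts + "+00:00")
    return correct, misread


if __name__ == "__main__":
    # Complainant's server logged 21:15 local time, four hours behind UTC.
    print(compare_readings("198.51.100.7", "2011-03-05T21:15:00", "-04:00"))
```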
I have a static IP in a long-term rented office with one computer (and one PS3 devkit) and I am the only occupant. The IP is registered in my company name, of whom I am the CEO, CTO, and one of two shareholders.
Is that IP still not personal data? Just because an IP doesn't *necessarily* map to an individual, in some cases (many cases, perhaps) it absolutely does. So should privacy protection, or protection in general, be afforded on an average basis (most people are OK), or a worst-case basis (everyone is OK)?
Is my home address personal data?
Is my telephone number personal data?
Is my IP address for all intents and purposes 'mine' (e.g. long term broadband connection; smartphone) ?
I feel that if the answer to the top two is 'yes' (and I say it is) and the last question is 'yes' then my IP address IS personal data!
This machine has two user spaces and as a result the likes of Google and Amazon show me the sorts of things my wife has been looking at and vice versa, unless you are logged into them that is then they become truly personal.
Our cable modem is always on and barring long term power cuts that cross over the DHCP reset window will mean a static IP address. On top of that the wireless router allocates a static IP address to each device connected which will stay the same regardless of the IP address fetched by the modem.
An IP address stored with a time stamp is personal data.
Welcome to the law agency; trying to label that which is hardly labelble (?) :-)
I think the best answer here is "Nyeo". As in yes/no.
It depends on the situation. In a household on broadband it most likely is; after all this address points to your connection on the Internet. However; several people (everyone in the household) could be using it, even at the same time. Thus the "personal" part gets a bit flawed here.
Some people compare it to a telephone number; but that too doesn't work. 5 people can't use the same telephone number at the same time, nor can you keep your IP address as soon as you switch ISPs (while you often can keep your phone number).
I'm not including the option of others (ab)using your setup and thus making themselves appear to be you, since it's not (too) special. I can also take someone's phone and start making prank calls; the other end will see the number and won't immediately trace it back to me. Same deal (sorta).
I'd say it's not personal data about me, it's data about my current /likely/ whereabouts.
An IP address only ever identifies a location - not a user. Plus, it's a location at a point in time. Personal data is static and belongs to a person.
And your home address is *not* personal? It only identifies a location, not a person. It is static.
"An IP address only ever identifies a location - not a user."
Exactly, that is what lots of people have been saying. But it seems that PEOPLE are still being sued based on IP addresses; strange, they should be suing LOCATIONS!
Some websites don't treat IPs as personal data and publish the IP alongside comments and posts. I once picked an IP from my logs and with just Google was able to find out the guy's address and follow a bunch of his blog posts for that day, cross-referencing the browser user agent sometimes too. I was trying to work out if some funny requests were from a hacker; I ended up with a pretty decent profile of the guy.
Yes - was the answer given by David Evans Business and Industry Group Manager, UK Information Commissioner's Office at the PCI Community Conference on Tuesday 18th October 2011.
The rule seems to be that if somebody can link that number to a person, then it's personal.
I agree with Alan - Not only does an IP only define a location, not a user, but a (public) IP can be and often is, shared among multiple devices, and thus possibly between multiple persons.
In addition, an IP can be shared with unknown devices and thus with unknown persons. Most well known is 'wardriving' where unsecured wifi access is (ab)used, either as a free ride or in order to hide your true identity, but other forms exists.
There are many forms of malware that hijack a machine in order to control it (as a bot or zombie), usually to send spam or participate in DDoS attacks, but they are also often used as a base for further intrusions or hacking, and for downloading illegal stuff, including child pornography.
Finally, and much more rare, is cabled abuse. I've seen stories about a guy that simply ran a network cable to his neighbor's router/switch, and even one where the 'freeloader' hid a rogue wireless access point at the victim's house so no cable would give away who used it.
So no, there's no way an IP in any way, shape or form identifies a single person with any certainty and thus it cannot be personal data.
If an IP address is personally-identifiable data then getting it to prosecute someone should be difficult (i.e. it must be protected).
If an IP address is not considered personally-identifiable data then it cannot, should not and must not be used to try and identify a person.
Sounds like a win-win to me. I'm off to reboot my cable modem (aka turn it off for a few hours and cross my fingers :D)