back to article Dynamic IP addresses are your personal property, CJEU rules

The CJEU has affirmed personal property rights over dynamically allocated IP addresses, a move which brings European data protection laws into play. The case was brought by German Pirate Party politician Patrice Breyer, who first brought an action restraining the German Federal Government from storing IP addresses, allocated …

  1. tiggity Silver badge

    Not unusual

    Mr O said:

    "This CJEU ruling wins European citizens a property right over something (an IP address) that they didn’t create, (the network operator “creates” the address), and which they cannot control.

    Roll that one around for a minute."

    I didn't (directly) create my date of birth and have no control over it but it's potentially identifying data (puts me in a small subset of UK folk & pretty much 100 % guaranteed to ID me with just about any other bit of data about me to remove other potential matches)

    On the more mundane "randon number" level (much like an IP) - nor did I create my NHS number, NI number, EHIC number, passport number, driving licence number, landline phone number etc. (or have very much control over them)

    Plenty of identifiers we do not create / control, but like those above do not particularly want storing unless absolutely necessary (hence why most people give "non essential" web sites that store DOB a fake DOB )

    1. Anonymous Coward
      Anonymous Coward

      Re: Not unusual

      Ive always respected ownership of numbers. Thats why I specifically adjusted my counting system.

      Zero

      One

      Flarg

      Three

      Four

      Five

      Wibble

      Seven

      Eight

      Nine

      ...ad infinitum.

      Also, if number based info is used to identify someone in court can they plea "im not a number, I am a free man" in court?

    2. alain williams Silver badge

      Re: Not unusual

      In the UK you will share your date of birth with a bit less than 3,000 people. So not much more is needed to narrow in on you.

      (Exact number depends on age, ...)

      1. Anonymous Coward
        Anonymous Coward

        Re: Not unusual

        Am i missing something?

        APX UK population 65,000,000

        Days in the year 365

        So apx 179000 share your birthday.

        Dunno where you get less than 3000 from.

        1. J.G.Harston Silver badge

          Re: Not unusual

          Assuming a fairly average distribution over a 60-year range, 179000/60 gives about 3000.

        2. Jason Bloomberg Silver badge

          Re: Not unusual

          Am i missing something?

          Date of birth including year, rather than day of birthday celebration.

        3. Anonymous Coward
          Anonymous Coward

          Re: Not unusual

          179,000 may share 20th October as their birthday.

          3,000 possibly share 20th October 1960, probably less, as their birth date.

          Happy birthday to anyone who's reading this on their birthday by the way.

          1. Anonymous Coward
            Anonymous Coward

            Re: Not unusual

            ...and sorry that we plastered your private data all over the internet

    3. Anonymous Coward
      Anonymous Coward

      Re: Not unusual

      re Fake DoBs. I get "happy birthdays" from contacts on facebook on the wrong date.

      I am starting to embrace this, after all Queenie can manage to have 2 birthdays.

      I've taken it a step further, facebook , skype, linkedin birthdays. If I can sign up for another 360 odd sites I can have a birthday every day.

      Just think about all that cake ! awesome .....

      ( but I'll never have anyone troop their colour for me . oh hum )

    4. Anonymous Coward
      Anonymous Coward

      Re: Not unusual

      Interesting examples and I follow your reasoning

      But I think in this particular case, the analogy could be the person who goes out in public.

      By that act, they are "risking" the fact that they may be identified by their appearance, their clothing, the door they walk out of or the door they enter. They have no expectation of being able to order people not to look at them or observe their actions.

  2. Steve Todd

    Property?

    Erm, no. Personally Identifiable Information, yes. The combination of dynamic IP and time is personally identifiable.

    The EUCJ is saying that the German government can't require the ISP to store that data as doing so contravenes the EU convention. They do seem to have little idea how easy it is for a computer to combine together the IP and time to link to the subscriber, but that's another point entirely.

    1. Darryl

      Re: Property?

      Even if it's actually 'Property', does this mean I don't have property rights over my house? My car? After all, I didn't create them either.

      1. Anonymous Coward
        Anonymous Coward

        Re: Property?

        > Even if it's actually 'Property', does this mean I don't have property rights over my house? My car? After all, I didn't create them either.

        You paid for them though. And you paid your ISP for [the rental of] your IP address.

        But here I think we're talking more about ownership of information ("I lived at 52 Festive Road") rather than the thing itself (52 Festive Road)

  3. Dan 55 Silver badge

    “The data stored does not enable Mr Breyer to be directly identified,” the CJEU noted in its ruling yesterday. “The operators of the websites at issue in the main proceedings can identify Mr Breyer only if the information relating to his identity is communicated to them by his internet service provider. The classification of those data as ‘personal data’ thus depends on whether Mr Breyer is identifiable."

    Or he surfs a while, several ad networks store his IP, then he buys something on-line at a shop which uses one or more ad networks. Dots joined, job done.

    Or he used a service on a govt website which required more of his info.

    Etc...

  4. Daggerchild Silver badge

    Janus woz 'ere

    I don't mind giving my official identity to an entity, but I do mind not being able to choose which identity I give.

    I can't see why you can't have more than one official authenticatable identity. The restriction is really that you must exclusively only use one for any given party. That this party now becomes unable to combine this with a different identity you gave to another party (without asking you to make the connection), is the whole point.

  5. Anonymous Coward
    Anonymous Coward

    Just make them pay for it

    You want to store and/or use my personally identifying information like my IP address, birth date, etc?

    Fine. But you have to pay for it. How about $10 (or 10 euro -- I know that's a lot more money, but then Europeans pay a lot more in taxes than we freeloading Americans) a day, every day that you keep it on hand?

    If you share it with, or sell it to, anyone else, both of you pay as long as either of you keep or use it.

    The point is: the free ride is over. We should take back what's ours.

  6. g00se
    WTF?

    SQL

    However in reality, that would be “practically impossible” because connecting a dynamic IP address to the ISP’s subscriber information means a “disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant.”

    Really? The ISP is pretty easily identifiable by IP address and then it's a phone call to ask someone to run a database query. Unless they're doing it wrong ..

    1. You aint sin me, roit

      Re: SQL

      It's dynamic, so we'll have to go through the records to see who had what address, when.

      There's paperwork... in triplicate.

      And phone calls, because we have to be careful, can't give this information out to just anyone...

      And the strange bloke who runs the database is off sick again.

      And it will cost you because even though ISPs are obliged to keep these records that in itself is a costly business and ISPs will want to recoup some of that by making it difficult - and therefore expensive - for people to get hold of the details.

  7. Steven Jones

    Public visibility of IP address logs

    I seem to recall cases where the IP addresses used to edit some Wikipedia entries allowed the identification of sock puppet activity causing the perpetrators some embarrassment. In those cases it was IP addresses allocated to organisations or offices and not, directly, individuals but the culprits (or close associates) were obvious.

    There have been some much more complex versions of this whereby sources of deliberately misleading or derogatory information have been identified. So there are occasions where publicly visible IP addresses have some public interest.

  8. thomas k
    Thumb Up

    Arrr!

    +1 for the pic.

  9. jamesinspain01

    I remember working for the NHS as a temp in the nineties. Looked up my full name and DOB there were 10 other people with the exact same names and DOB in just the county I lived in.

    1. This post has been deleted by its author

  10. Anonymous Coward
    Anonymous Coward

    so in the UK in 2019 ..

    Theresa's enforcers will be able to ignore this , because the CJEU will not have any jurisdiction over the UK ?

  11. druck Silver badge
    FAIL

    Identification

    The German appeals court agreed with Breyer that an IP address could be used to identify an individual… but only up to a point. Only the ISP can make the identification,

    And only if they are supplied with the correct information including the timezone.

    A friend of mine was accused of piracy, and had hell of a difficult time fighting against the case, until it was discovered that the accuser had specified the timezone as GMT+x rather than GMT-x, which then meant someone else was using the particular IP address.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon