back to article IP address-tracing software breached data protection law

The Swiss Federal Court has ruled that software which identified the internet protocol (IP) address of unauthorised music uploaders broke data protection law. The court backed that country's data protection commissioner, who said that Logistep violated Switzerland's Data Protection Act when it used the software. The IP …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Troll

    your IP address is as private as your car plate number...

    ... and that is the truth about it.

    you don't want people to track you? use public transportation... and pay in cash.

    in my personal and biased view, an IP address should be considered private when the entity storing it have the ability to link it to a real person (ie. Google, especially if you have a gmail account).

    1. Loyal Commenter Silver badge
      FAIL

      You misunderstand the issue here

      The IP address, on its own, is fairly innocent. However, it can be cross-referenced with indentifying information from your ISP, with usage logs from web sites and third-party advertisers, and suddenly, you have people knowing when you are at home, what you are buying, what your interests are, etc. If you don't find that sinister, then you have a lack of imagination, or are ignorant of history.

      The point you make about registration numbers is also of relevance, in that there are similar good reasons to be worried about ANPR cameras, and what use that tracking information is being put to. It is one thing for a police officer to look up a number plate to check whether a car is reported as stolen, it is quite another for the location of your car to be tracked automatically, in real time, and stored in a database somewhere to be used for some data mining exercise at a later date.

      Again, if you see no problem with this sort of thing, I refer you to European history, specifically from the mid 1930s up until around 1989, when the Berlin wall came down. Read about it, become less ignorant, and learn to understand the issues.

      1. Displacement Activity
        WTF?

        @You misunderstood the issue here

        Yeah, epic fail. Thank god those smart Swiss lawyers have got their heads screwed on.

        A couple of weeks ago I was driving past a second-hand record shop, and helped myself to some old vinyl displayed outside. Someone got my number plate, and called the police. The bastards looked up my private address information and arrested me. How low can you get? This outrage has got to be stopped.

    2. TimeMaster T
      Megaphone

      Wrong, sort of.

      Unless you have a static IP address at home it is possible for two or more people to have the same IP address on the same network over a given period of time. An individual could have had dozens of IP addresses in a month. So no, it is not like a car plate number.

      However, an IP address is unique to the person using it at the time/date they are using it, no one else will have that IP number on that network. In combination with server logs an IP address is an identifier as unique as a number plate, phone number, social security or checking account so the judge is correct that it should be considered as a personal identifier in all cases.

      The only time "public transport" comes into play is when you use an open WiFi at a cafe. And even then an IP address can be linked to the MAC number of your hardware using local server logs. A MAC number IS like the number plate of your car, it identifies your network hardware, not your temporary network connection.

      1. Annihilator
        Boffin

        @TimeMaster T

        "However, an IP address is unique to the person using it at the time/date they are using it"

        No it really isn't. It's unique to the broadband subscriber, not the person using it. There is nothing to prove who was using the IP address at the time - in fact there's generally nothing to prove which machine was responsible for generating/receiving the traffic.

        1. Grease Monkey Silver badge

          Somebody is talking sense, at last!

          "It's unique to the broadband subscriber, not the person using it."

          You got it!

          The IP address is allocated to the ADSL/cable router, any traffic coming from anything sitting behind that router on the pricate network will appear to come from that public address. Now as I understand it under EU and British DP law "personal information" is any information which ties to a unique living individual. The IP address of the router in my house ties to three living individuals most of the time. Sometimes we have visitors and I let them use my broadband. So how does the IP address allocated to my router identify a unique living individual? It doesn't.

          I am not aware of anything in law that says I am responsible for what anybody else in the house does while connected to my router. So yes you can identify my broadband subscriber account by the IP address in use at any given time* but you can't identify who was doing what at that time.

          So sorry, but fail.

          However I do think there is another legal problem with this software. So it sits there monitoring file sharing activity on P2P networks and logs the IP address should it find copyright data. And did they have a warrant to deploy that software? Without a warrant would any evidence gathered by this software be admissable in a court of law? Maybe in a Swiss court, but not (according to my understanding of English law) in an English court.

          * IF the ISP keeps records. My router is only powered on when in use so it has at least one new IP address per day.

    3. ao7

      private -> personal

      Your post makes more sense if you substitute "personal" for "private".

      Incidentally, in London it's increasingly awkward to pay cash for public transport.

  2. Dazed and Confused

    Personal data

    And this from a country that publishes a book with the names and addresses associated with all car registration numbers.

    But it is good to see some country taking individuals rights on the Internet seriously.

    1. Anonymous Coward
      Anonymous Coward

      Proof?

      "a country that publishes a book with the names and addresses associated with all car registration numbers"

      I think you're a few years behind. Although a surprising amount of details are available on cars and telephone numbers, you can ask to stop the disclosure. For car registration numbers, that means you then have to provide just cause for wanting the number and "wanting to publish a book" isn't good enough :).

  3. BristolBachelor Gold badge

    Good thing

    If you can be identified by an IP address or IP address and time, then the information is personally identifiable. As such it is right that it is controlled.

    I'm not saying that the freetards get a free-for-all, or that they shouldn't collect IP addresses, but the same way that the cameras that take pictures of shop-lifters are controlled, this should be too.

    There have been a number of cock-ups with addresses being flagged that obviously weren't infringing (even networked laser printers in some cases!), and other cock-ups with IP addresses being associated with the wrong people. The processes need to be verified and controlled.

    1. Loyal Commenter Silver badge
      WTF?

      Why have people downvoted this post?

      In my eyes, the points made here are salient, rational, and appropriate. Any use of IP addresses in this way should be properly controlled, otherwise we get the situatiion where ordinary people get letters from big law firms saying 'your IP was infringing X, Y and Z, pay us now to avoid going to court'.

  4. CD001

    Hmmmm

    ----

    I understand that under specific circumstances IP addresses are not personal-related but in general we would say as data protection authorities IP addresses are personal data because they identify indirectly the user of computer systems connected to the internet.

    ----

    Technically the IP address merely identifies the machine NOT the user - and in many cases (networks) all it identifies is the router not even an individual PC... and that's only once it's combined with the data from the ISP.

    So yes - it's personal data but it's not sensitive personal data. There is a legal difference in the DPA (which, as they stated, doesn't apply to Switzerland).

    ---- quote AC ----

    in my personal and biased view, an IP address should be considered private when the entity storing it have the ability to link it to a real person (ie. Google, especially if you have a gmail account).

    ----

    True, but you can circumvent it, Garbage In, Garbage Out - Google only holds the data you give them, give them crap and that's all they've got. An IP Address isn't really any more private than your home address such as you could look up in the phone book... what we could really use is an Internet equivalent of ex-directory - technically virtually impossible but it would be nice.

  5. petef

    all web sites affected?

    Does that ruling mean that anyone who runs a web site with access logs can have their collars felt?

    1. Paul Crawford Silver badge

      @all web sites affected?

      I don't know, but given that the whole *purpose* of the company concerned was to identify individuals based on the IP address, then ruling that IP addresses can be considered personal data is reasonable.

      But as already pointed out, in most cases all it identifies is the home NAT router, not which machines are behind it (wired or wifi), and more importantly, not who is actually using them.

      That was one of the rather nasty aspects of the recent "Digital Economy Act" and elsewhere, to make the subscriber liable for abuse of their internet connection. Something that may initially appear to be reasonable, but one that on closer inspection is not. For example, who is responsible for:

      (1) OS holes and similar that lead to a machine becoming a botnet, and abusing the connection?

      (2) AV software that fails to identify malware leading to (1)?

      (3) Security protocol flaws that lead to ease of abuse of wifi (e.g. original WEP), who then pays for replacing otherwise good equipment that can no longer be considered "secure"?

      (4) Actions of children. After all, if the parents of child killers don't face gaol for their child's actions, why should they for something as trivial as copyright infringement?

  6. JaitcH
    Thumb Up

    Judges getting smarter.

    Looks like this Swiss judge is on the ball and understands the nitty-gritty detail.

    Good for him (her?)

    1. Anonymous Coward
      Anonymous Coward

      Er, no.

      "Looks like this Swiss judge is on the ball and understands the nitty-gritty detail."

      Clearly not. Anybody who thinks an IP address uniquely identifies a person is not on any ball at all.

  7. Trevor_Pott Gold badge
    Heart

    @Switzerland

    I love you.

  8. Anonymous Coward
    Anonymous Coward

    Judges getting smarter?

    Probably just asked the right questions of the right people,but I doubt that this is the last that we will hear of this.I reckon this will be appealed

  9. Neoc

    Music industry wants to have it both way.

    Hang on a second: if the IP address is *not* "personal data" which can "uniquely identify a person", then why do the various entertainment industry use them as a basis for DMCA notices and the suing of individuals?

    You can't have it both way - either it *can* legally identify an offender (which would make it personal data), or it *can't* and the <whatever>AA or their equivalent have been issuing unlawful writs.

  10. Anonymous Coward
    Anonymous Coward

    Proxy servers in Switzerland

    Is this market about to expand as a result of the ruling?

    I'd expect they've decent bandwidth, however anyone know if the prices are reasonable?

  11. Bounty

    If you see me stealing can you legally describe me to police?

    If you see me stealing can you legally describe me to police?

    1. BristolBachelor Gold badge
      FAIL

      Analogy fail

      Yes, if someone sees you steeling, then they can describe you to the police. BUT if the police get an anonymous note that describes someone, and says that they committed a crime, does that person automatically go to jail?

      If someone goes to the police with a description, the police have properly controlled procedures to ensure that things are done properly. I'm sure you wouldn't want it any other way. How is it any different saying that those who want to collect IP addresses to prosecute people are controlled to ensure that things are done correctly?

  12. Iggle Piggle

    If I'm reading this correctly

    The judge is saying that gathering IP addresses is illegal as it is personal information. I know it was asked before but does that mean that my gathering statistics for visitors to my web site is also illegal? I use software that breaks down the visitor not only by which country they (probably) visited from and also what browser they were (probably) using.

    Sometimes I notice that some of those visitors try to get access to suspicious URL's that suggest they are trying to hack into my system. In some cases I then inform their ISP. Is this illegal (in Switzerland)?

    The article does not say that they looked up the home address (well the first line is a little vague on that). It simply says they gathered IP addresses of networks offering illegal content. Now suppose I was a little anal about cars driving too fast in my neighbourhood and sat by the road measuring their speed. Each time one goes past driving too quickly I write down the number plate. I then use this to try to take action. I can understand the judge throwing it out because they say you have no real proof, but saying that it is illegal to write down number plates seems a little strong.

  13. ao7
    Headmaster

    interesting but limited analogy

    An IP address is not a license to do anything?

    No one ever died or lost a limb in an IP accident?

    IPs are not a major source of tax revenue?

    I think in the USA there exists the concept of "expectation of privacy". Although I don't know if there's a British equivalent, there can't be for license plates on vehicles.

  14. Anonymous Coward
    Troll

    Personal IP address

    Give them a few years and they'll assign everyone an IPv6 address at birth. No arguments then.

  15. Steve Bush

    ipv6

    Wait till IP6 comes along ... they will know which ear to prosecute.

  16. Is it me?

    Odd

    Because Swiss vehicle licence plates relate to the individual, and are freely displayed on the car for all to see, I believe at one time you could look up the owner as well, on-line, so I'm not sure why doing IP translation is that contentious in Switzerland.

    I suppose parking fines are more important than IP theft.

  17. Robin 1
    Thumb Up

    Finally!

    Finally the complete ignorance of technology by court officers works in our favour! ;)

This topic is closed for new posts.