Swedish Court Says IP Numbers Privacy Protected 108
oh2 writes "The highest applicable Swedish court, Regeringsrätten, has ruled that IP numbers are protected (in Swedish) since they can be traced to individuals. This means that only government agencies are allowed to track and store IP addresses, leaving 'anti-piracy' advocates with no legal way to find possible copyright infringers." Update: 06/18 14:42 GMT by KD : The original linked article had been pulled due to factual errors and a new article has been posted (link replaced above). Here is a Google translation. The new article makes clear that the ruling does not affect the anti-piracy efforts of rights-holders.
Update: 06/18 15:08 GMT by KD : Behind the link below is a summary in English of the article sent in by the submitter, oh2.
Update: 06/18 15:08 GMT by KD : Behind the link below is a summary in English of the article sent in by the submitter, oh2.
This autumn Datainspektionen will start monitoring how the IPRED law is applied when it comes to disclosure of personal information. A recent verdict in the Regeringsrätten, Sweden's highest applicable court, has upheld Datainspektionens decision that IP addresses are to be considered personal information and therefore protected under law.
In 2005 Datainspektionen ruled that collecting and storing personal information online like copyright advocates were doing was a breach of the Swedish PUL, Personal information act, that regulates how and what kind of information that can be traced to a single individual that can be stored. The anti-piracy organizations were quickly granted an exemption though, that expired March 31st. Starting April 1st this year IPRED allows holders of copyright to apply to the courts for this information.
Datainspektionen will now monitor closely how any personal information acquired from the courts in this manner is used by copyright holders.
Proxy (Score:1)
I see growing trade for companies who 'launder' access to other sites, and not just warez, but absolutely anything else. Perhaps there'll be more TOR exit nodes there now?
Re: (Score:2)
Rather more VPN servers you can connect to. Those are already quite popular in countries like Sweden, where bandwidth is cheap and plenty.
Also there is a chance of people going for seedboxes as prices of those also dropped.
bad rule (Score:5, Insightful)
And no way for server admins to track what virus infected bots are trying to break into their systems.
This rule will hurt more than it will help.
Re: (Score:2)
Re:bad rule (Score:5, Insightful)
Re:bad rule (Score:5, Informative)
"The highest applicable Swedish court, RegeringsrÃtten, has ruled that IP numbers are protected (in Swedish) since they can be traced to individuals. This means that only government agencies are allowed to track and store IP adresses, leaving "anti-piracy" advocates with no legal way to find possible copyright infringers."
This is pretty much the way things are, and have been, in Norway now for many years. And so far I have heard none of my friends in IT, nor anyone in the media, complain about "And no way for server admins to track what virus infected bots are trying to break into their systems."being a problem.
Re:bad rule (Score:4, Informative)
Re: (Score:2)
It's rather common sense that people who get sued as filesharers are usually more interested in how they were found (and press charges if they find out that foul play was the original lead) rather than someone being told by their ISP that they are part of a botnet, which has no legal implications whatsoever.
In the first case you usually stand against a lawyer (hired by the accused) who will do whatever is in his power to punch holes into your argumentation, and if he can't achive anything else, then he'll d
Re: (Score:1)
And some people write some damn good bit-torrent clients [rakshasa.no]
Re: (Score:2)
"This is pretty much the way things are, and have been, in Norway now for many years."
Yes, I'm sure they are. They point is "and the news are?". I know IP address being consired private data subjected to privacy laws in Spain for about ten years and I bet that's the case all around Europe too.
Re:bad rule (Score:5, Informative)
the first article has been removed, since it was wrong on several points.
http://www.dn.se/kultur-noje/nyheter/ny-dom-paverkar-inte-ipredlagen-1.894500 [www.dn.se]
the court says: IP's are personal information, therefore you can only get this information through a court of law, and this ruling does not affect the Ipred law
http://en.wikipedia.org/wiki/IPRED [wikipedia.org]
so a sysadm is not prohibited in managing his own network.
Re: (Score:2, Insightful)
And no way for server admins to track what virus infected bots are trying to break into their systems.
This rule will hurt more than it will help.
Can I use that BS rule next time my system has any problems? What a load of horse .... Any compentent admin can take care of the system without knowing who did it. Yes I would like to know what little snot nosed 13yr old kid is doing the evilness but it could just as well be your grandma that got owned and doesn't know she's doing it.
So your real statement should say, "And no way for server admins to track down WHO is trying to break into there system. This rule will hurt the accountability process more tha
Re: (Score:3, Insightful)
What are you talking about? People attack your servers, and you hunt them down and kill them? When people attack your server, you find the responsible network block's admins abuse address, and report the IP and the problem. If they fail to act, and you continue to see attacks from that ISP, then you report that ISP upstream. None of that requires you knowing the individual(s) involved, and rightly so, since it could be the ISP pretending to be the individuals, for instance.
As for hurting more than helpi
Re: (Score:2)
It's true that many mobs throughout history have burned witches at the stake. Even Swedish witches. These are definitely things
Did you read the summary? (Score:2)
The summary clearly states that the logging of IPs is to be stopped. As a server admin, no, I don't give a damn about the actual ID of a person using an IP. But how am I to "report the IP" that is causing the problem if I can't log IPs to begin with?
SirWired
Re: (Score:2)
I'd be very surprised if that applies to tracking IPs on a webserver for normal (non-business/marketing) IT purposes. In the most extreme interpretation, of "without" it, all TCP-based protocols would be useless. In less extreme interpretations, you'd have TCP, but most of the stateful web apps (the ones that use IP as part of their session key) wouldn't work. In the minimal interpretation, you'd have stateful web apps, but you'd have trouble tracking down faults, doing normal system diagnostics, counter
Re: (Score:2)
A feminist liking filesharing to rape? This can only mean:
a) She's not really a feminist.
b) She's been fed enough BS about filesharing to actually believe it.
c) She's on the payroll of some media company.
d) All of the above.
Re: (Score:2)
Or the smaller brain?
*duck*
Re: (Score:2)
When people attack your server, you find the responsible network block's admins abuse address, and report the IP and the problem.
But by reporting the IP address, you are recording and transmitting someone else's private information.
Re: (Score:1, Offtopic)
And no way for server admins to track what virus infected bots are trying to break into their systems.
Even worse than this:
No way for ISPs to store in their DHCP server IP pool which IP addresses have already been given to customer networks.
Let's enforce this against the ISP of the judge who came up with this idea ;-)
Or maybe have them rethink the issue and specify in greater detail what should and shouldn't be allowed. If the problem is using IPs to identify people, instead of banning the storage of IP addresses one should ban the use of stored IP addresses to identify people?
Re: (Score:1)
And no way for server admins to track what virus infected bots are trying to break into their systems.
This rule will hurt more than it will help.
I was just thinking, from the following snippet in the summary:
IP numbers are protected (in Swedish) since they can be traced to individuals
The bad thing about this statement is that AFAIK one of the main defense points against the MAFIAA tactics is/was that an IP cannot be deffinitely linked to an individual... how does this decision affect that? does it means that now that the highest Swedish court made this explicit, the sue-friendly groups can backup in this assumption?
Re:Partial vs. Total Info (Score:2)
An IP address cannot be *definitely* linked to an individual, but it's not totally random either.
What tiny bit I know about someone/anyone's law across multiple countries, I'd want this basic court level protection in place. Then we can go after removing the exemption for the copyright holders, and reinstating basic IT workflow. But the base law might be a step against the privacy-abusing laws that are a *worldwide* rage these days.
Re: (Score:2)
The bad thing about this statement is that AFAIK one of the main defense points against the MAFIAA tactics "is/was that an IP cannot be deffinitely linked to an individual... how does this decision affect that?"
"May", which is enough to get into consideration when we are talking about fundamental rights as is the one about privacy, versus "for sure" which is what the MAFIAAs around the world want governments to believe.
A city council will mark as "non potable" any water spring that is not under scrutiny. W
Re: (Score:1, Insightful)
Not quite. My Postal address is personal information too. But I give it to you whenever I want to have a response by mail. An IP address is like that. You can off course respond to and keep the info that is handed to you, but not sell it or give to other companies. This will hurt though, as you probably want the right to pass those addresses to a security firm or to your provider.
Re: (Score:2)
"Not quite. My Postal address is personal information too. But I give it to you whenever I want to have a response by mail. An IP address is like that"
Exactly. That's why laws all throught Europe will treat your postal address as private data, unless you decide to make it public, and protect it under quite strong barriers too.
No: telling your postal address to someone doesn't allow him to abuse it on ways you didn't allow him too.
Far reaching consequences (Score:3, Interesting)
Re: (Score:2, Informative)
Note that it applies to IP numbers as a means to identify individuals.
The law in question is called , loosely translated "the personal information law" and basically says that it is illegal to record data that can be tied to an individual without that individuals consent.
If you connect to a server, your consent is implicit, and the IP address as such is fairly anonymous. But stuff like doubbleclicks cookie tracking is illegal.
Re: (Score:2)
"It's not legal to store an ip address since according to this ruling an ip address can be used to identify a person. In Sweden you can't store any information that can identify a person according to PUL (personuppgiftslagen, http://sv.wikipedia.org/wiki/PUL [wikipedia.org]) without Datainspektionens (the data inspection) permission."
And that's *exactly* the point and the one (almost) everyone here on Slashdot seems to be missing.
It is *not* illegal to retain IP address info. It is illegal to retain IP address info *disre
Re: (Score:2)
Plus, many web companies prefer to use cookies. Tracking via IP always causes troubles.
No, sorry. (Score:3, Informative)
There's an exception to this law in the recently enacted IPRED-law (based on an EU directive) that basically allows rightsholders to gather IP-addresses anyway.
Re: (Score:2)
And that means that whoever tagged the story "suddenoutbreakofcommonsense" can only weep when the music industry will keep doing what they already do but many with perfectly sensible reason will not be allowed to store logs including ip addresses.
Sometimes I don't know whether one ought to laugh or cry at the knee-jerk reactions one sees on /. (well everywhere actually).
Re:No, sorry. (Score:4, Funny)
From http://en.wikipedia.org/wiki/Supreme_Administrative_Court_of_Sweden [wikipedia.org]
... [T]he court as an institution is independent of the Riksdag, and the government is not able to interfere with the decisions of the court.
That's the IPRED law out the window, then.
Re: (Score:2)
In some configurations, the rule is deny first, then allow. In others, it's the opposite.
Re: (Score:2)
It also depends on whether it's "first match", or "apply all rules in order, then evaluate result."
Re: (Score:2)
If the system was in any way similar, this would be like the Commons bring in legislation which contravenes a decision by the Lords. It seems that the systems are not analogous, though.
Re: (Score:2)
Don't you know anything about IT? "Deny" automatically overrules "Allow"
LOL. Do you?
If so, maybe you can explain how the rules relevant to Windows' ACLs (which I assume you're referring to) define IT, generally, how those those rules are relevant to say, packet filtering, and then, how they apply to the Swedish legal system.
So that you don't feel like a complete ass, I'll offer the comment that in the context of women (specifically, the behaviour of the ones I've known), it would be correct to suggest that
Re: (Score:2)
but if you asked her
There's your problem, right there.
Article has been replaced (Score:5, Informative)
Re: (Score:1)
Exemption... (Score:1)
Sadly the Swedish anti-pirate bureau has an exemption allowing them to store the IP-addresses. This has already been updated in the Swedish press.
Re: (Score:3, Informative)
Re: (Score:2)
"So If I run a web server in Sweden, all my apache logs are now illegal?"
No. That means that if you run a web server in Sweden (and most all Europe for that matter) then you are collecting private personal data so you better follow the laws about private data management.
"Better block all my nationals."
Sweden is a free market economy. Surely there's nobody forcing you to make bussiness there. Only that if you want to make bussiness in Sweden, you'd better follow the rules.
If only in the U.S. (Score:2)
Re: (Score:2)
NSA has access to all american CA root certificates.
Not the one I made myself.
Besides...gpg doesn't use root certificates.
But aren't they addresses? (Score:3, Insightful)
Isn't the whole point of a publicly routable address to trace to a specific host or gateway? I sense some significant unintended consequences here. A ton of services will have real problems if this gets enforced thoroughly.
I'm comparing this to phone numbers in my head. Even if you have an unlisted number, should it be illegal for someone to write down your number if it shows up on caller ID when you call them?
Re: (Score:2)
Re: (Score:2)
"Isn't the whole point of a publicly routable address to trace to a specific host or gateway? "
Yes. And since the "whole point" is "to trace to a specific host or gateway" that means it has "no point" being used "to trace to a specific person".
Re: (Score:2)
Well, yes and no. Automobile license plates serve a similar function. If my car were used in the commission of a crime I would certainly be investigated as a likely suspect.
Re: (Score:2)
"Well, yes and no. Automobile license plates serve a similar function. If my car were used in the commission of a crime I would certainly be investigated as a likely suspect."
A "likely" as in "there's demonstrable relationship between car plates and people we need to take into consideration" is quite different to "here: that's the bastard, we have his car plates".
Link changed? (Score:1)
The posted link didn't work for me, but http://www.dn.se/kultur-noje/nyheter/ny-dom-paverkar-inte-ipredlagen-1.894500 did.
Re: (Score:2)
Double edged sword? (Score:5, Insightful)
I think overall this is a win for Copyright lobby and not the other way around.
1) Legitimises IP address being tied to account holder. IE lessens the "TOR/ Wifi Defense"
2) APB have gotten an exemption and are now allowed to track IP's.
Re: (Score:2)
You mean aside from the part that you run an open wifi and therefore are a common carrier and it could have been anybody?
um, honeypots and IDSes? (Score:2)
So are they now illegal in Sweden?
Law of unintended consequences (Score:2)
If you are a server operator in Sweden, this presumably means you also cannot store IPs for later analysis of where your traffic is coming from. Now, you might say that IPs can be geocoded on the fly, but there are other issues:
You also can't log the IPs of attackers. You can't log IPs to analyze botnets. You can't log the IPs of spammers.
There are lots of legitimate reasons for private individuals and companies to store IP addresses. By forbidding it wholesale, the court is demonstrating its technologi
Re: (Score:2)
... shared computers, NAT, insecure wireless networks, dynamic IPs
In all of these cases, it becomes the responsibility of the contract holder to ensure that their connection is not used for illegal purposes, kind of like if you lend you friend a car, and he speeds... Oh, wait, that's not right. Kind of like if you buy a shotgun to go pigeon shooting and... Urm, no that doesn't work... Kind of like if you had a series of tubes...
Huh, I guess you're right. Who'd have thought that big media were talking out of their asses?
Privacy in Sweden (Score:4, Interesting)
Sweden has some strange privacy norms. Asking what someone votes for politically is close to a serious faux pa. In fact some people I know have absolutely no idea how their parents or even partners vote. That is a very private thing. But you can look up car owners on a free and public website by registration number, you can go and check tax returns for anyone in Sweden, and see what they earn. On the other hand, religion is another area that you very much leave alone and don't ask about.
Hopefully the IP information will be considered something a little more private, and after the Pirate party did so well in the European elections maybe there is a chance that common sense will prevail and rules like IPRED will be struck down anyway.
Re:Privacy in Sweden (Score:5, Interesting)
This is thanks to something called "offentlighetsprincipen" which is basically the idea that anything related to the government (taxes, car registration, legislation, police records and so on) should be available to the public. One of the main criticism of the EU that tends to be get brought up in Sweden is actually that the EU doesn't work the same way, that there are a lot of things that are withheld from the public in the EU (or at least kept out of reach by bureaucracy and pointless paperwork).
Personally I rather like our system, if its not explicitly classified as secret then anyone can access it.
/Mikael
Re: (Score:2)
"Sweden has some strange privacy norms."
Not that I know about.
"Asking what someone votes for politically is close to a serious faux pa."
It's unpolite which is quite different of being illegal. But it is illegal to force someone to tell you where his vote went or trying to guess it by other covered means. What do you exactly see strange here?
"In fact some people I know have absolutely no idea how their parents or even partners vote."
And what that exactly has to be with the legal system? That only means th
Bandwidth use up to "normal" in Sweden (Score:2)
In related news, the bandwidth usage in Sweden is back up to the numbers before the IPRED law was enacted. Normally the usage is low during the summertime, but apparently not this summer. It is speculated that the increase is because the law is pretty toothless at the moment, and the bandwith usage may decrease if the current investigation goes to court and leads to a conviction.
that's pretty retarded (Score:3, Interesting)
So if I'm running an online forum or game of some sort, I can't drop IP-bans on offensive parties since that would constitute tracking an IP address?
I'm pretty much of the opinion that if you visit my website then you're volunteering your IP address. It's just like if you mailed me a letter or sent me an email. In either case you're supplying a return address.
Re:that's pretty retarded (Score:4, Insightful)
Theres a BIG difference between an IP address (which is public information) and account details i.e. the link between an IP address and the account holder that is holding that account at the time (which should NOT be available to anyone without a valid court order or warrant)
Re: (Score:2)
It's just like if you mailed me a letter or sent me an email. In either case you're supplying a return address.
Huh? In the case of a letter I have to actively write the return address. In the case of email I can spoof the sender address.
Re: (Score:2)
Re: (Score:2)
So if I'm running an online forum or game of some sort, I can't drop IP-bans on offensive parties
That would be a pretty foolish thing to do anyway. Ban the account, not the IP. Many different people can use the same IP, especially if they're connected via a cable modem. Banning the IP is a lazy, sloppy way to do it.
Plus you can ban the IP all you want. You just can't use the IP to trace back to an actual person, and then take legal action from there. Of course if
Re: (Score:2)
I guess No more GUI Interfaces in Visual Basic (Score:1)
Swedish Court Says: No you won't!
Short summary (Score:3, Informative)
A short summary in english.
This autumn Datainspektionen [datainspektionen.se] will start monitoring how the IPRED law is applied when it comes to disclosure of personal information. A recent verdict in the RegeringsrÃtten, Swedens highest applicable court, has upheld Datainspektionens decision that IP adresses are to be considered personal information and therefore protected under law.
In 2005 Datainspektionen ruled that collecting and storing personal information online like copyright advocates were doing was a breach of the Swedish PUL, Personal information act, that regulates how and what kind of information that can be traced to a single individual that can be stored. The antipiracy organizations were quickly granted an exemption though, that expired march 31st. Starting april 1st this year IPRED allows holders of copyright to apply to the courts for this information. Datainspektionen will now monitor closely how any personal information aquired from the courts in this manner is used by copyright holders.
127.0.0.1.bork.bork.bork (Score:1, Funny)
I like that IP numbers are protected when they are in Swedish, but I doubt I can keep up the accent.
tried my own take on the translation bit. (Score:1, Informative)
...perhaps a little less googlish: http://www.allende.se/blog/2009/06/en-ipred-fant-balanserade/
From the original document in swedish... (Score:1, Informative)
Basically APB argues IP addresses are not personal data and can not be linked to actual persons, thus should not be govenerd by the Personal Data Law (or something like that PUL, Person Uppgifts Lagen).
The court ruled that since APB is using IP addresses to sue people who are participating in illegal file sharing, then obviously IP addresses can be linked to persons and are thus protected by PUL.
The PUL law as google translated it:
http://translate.google.com/translate?hl=en&ie=UTF-8&sl=sv&tl=en
Consistency (Score:2)
I oppose intellectual property, but I am often disappointed that most who do are inconsistent,
Many people explained that DMCA makes numbers illegal. Well, so is this. There's nothing wrong with storing IP adresses.
Information about people is information, just because you like privacy doesn't mean there's ethical magic surrounding this kind of information.
Re: (Score:2)
This is being misrepresented. This does NOT prevent storing IP addresses. All it does is require a warrant to get the account holder details from the ISP because the account holder has a reasonable expectation of privacy. The same should be the case anywhere.
The privacy contradiction... (Score:3, Funny)
Your IP lease expired by DHCP server because the DHCP server violated privacy policy. You will be asked to go to the ISPs website to "opt-in" to have that data persistnant but - whoops - you have no IP to connect with...
I.P. Address is not DNA or a Fingerprint (Score:2)
They tie to a computer, not to a person.
And in many cases, they don't even do that.
Maybe (Score:2)
If I can use a standard protocol (ICMP, ARP, etc.) to determine your IP address, and such tools are available to anyone, then it is not reasonable to expect privacy. If I know your host name, I can get your IP. If you're connecting to my services via TCP or UDP, I have your IP, and kindof need it in order to do anything.
On the other hand, server logs with this info in it should be considered private. Your transactions between you and my server are business between you and me. You should have an reasonab
It's not just that they store. It's how and why. (Score:2)
I don't think this has the implications a lot of people think it has. The courts are very able to say that storing IPs with the purpose of protecting yourself against attacks is acceptable, but doing it the way the APB has been doing it is not. In fact, if I'm not mistaken Swedish law actually does specify how information is to be used when you supply a service over the net. ISPs ( as an example ) are required to delete details when they are no longer used. Due to EU directives they may soon be required to
Re: (Score:2)
I would imagine that storing logs that show someone trying to brute-force attack your server would also be against the law. I would hope that any illegal act would be made pretty much impossible to prosecute because of a lack of identifying information from this.
That is the idea, isn't it?
Really? (Score:1)
Then I guess they are busy bringing charges against LiveJournal and every other website that stores IP addresses.
IP is the "Last Frontier" (Score:2)
Once upon a time it was possession and control of land, real estate, that caused friction, conflict, and wars. No more: land is a finite commodity. The new Last Frontier is this so-called intellectual property, where an infinite amount of things to control can be created out of thin air. These things don't require armies of soldiers to control them, instead they require armies of lawyers and expert witnesses. There seems to be an economy of scale to this new IP real estate, though, because it requires a
implications for (Score:1)
Wrong Interpretation (Score:2)
If I understand correctly, this ruling does NOT affect webserver logs, because that person came TO YOU. It would, however, affect the legality of you selling or giving away those logs.
This is analogous to a doctor being able to keep records of his patients, but not able for that same doctor to sell or even disclose those records to a third party.
Swedish vs. English IP adresses? (Score:2)
Re: (Score:2)
Re: (Score:2)
English: 192.168.24.68
Swedish: 192.168.24.68
German: 192.168.24.68
French: 192.168.24.68
Italian: 192.168.24.68
See how easy that was?