Forgot your password?
typodupeerror
Privacy Your Rights Online

Swedish Court Says IP Numbers Privacy Protected 108

Posted by CmdrTaco
from the then-how-can-i-ping-you dept.
oh2 writes "The highest applicable Swedish court, Regeringsrätten, has ruled that IP numbers are protected (in Swedish) since they can be traced to individuals. This means that only government agencies are allowed to track and store IP addresses, leaving 'anti-piracy' advocates with no legal way to find possible copyright infringers." Update: 06/18 14:42 GMT by KD : The original linked article had been pulled due to factual errors and a new article has been posted (link replaced above). Here is a Google translation. The new article makes clear that the ruling does not affect the anti-piracy efforts of rights-holders.
Update: 06/18 15:08 GMT by KD : Behind the link below is a summary in English of the article sent in by the submitter, oh2.

This autumn Datainspektionen will start monitoring how the IPRED law is applied when it comes to disclosure of personal information. A recent verdict in the Regeringsrätten, Sweden's highest applicable court, has upheld Datainspektionens decision that IP addresses are to be considered personal information and therefore protected under law.

In 2005 Datainspektionen ruled that collecting and storing personal information online like copyright advocates were doing was a breach of the Swedish PUL, Personal information act, that regulates how and what kind of information that can be traced to a single individual that can be stored. The anti-piracy organizations were quickly granted an exemption though, that expired March 31st. Starting April 1st this year IPRED allows holders of copyright to apply to the courts for this information.

Datainspektionen will now monitor closely how any personal information acquired from the courts in this manner is used by copyright holders.
This discussion has been archived. No new comments can be posted.

Swedish Court Says IP Numbers Privacy Protected

Comments Filter:
  • by Threni (635302)

    I see growing trade for companies who 'launder' access to other sites, and not just warez, but absolutely anything else. Perhaps there'll be more TOR exit nodes there now?

    • Rather more VPN servers you can connect to. Those are already quite popular in countries like Sweden, where bandwidth is cheap and plenty.

      Also there is a chance of people going for seedboxes as prices of those also dropped.

  • bad rule (Score:5, Insightful)

    by gmack (197796) <gmack.innerfire@net> on Thursday June 18, 2009 @08:54AM (#28372551) Homepage Journal

    And no way for server admins to track what virus infected bots are trying to break into their systems.

    This rule will hurt more than it will help.

    • Hmm...Nah.
    • Re:bad rule (Score:5, Insightful)

      by jtev (133871) on Thursday June 18, 2009 @09:01AM (#28372643) Journal
      First thing I thought of too. That, and almost all servers already log connections by IP address. I mean, I look at /var/log/secure and what I see is a list of IP addresses that have connected to my machine, with what they have been trying to do. Someone didn't have their thinking caps on when they wrote this law.
      • Re:bad rule (Score:5, Informative)

        by Narpak (961733) on Thursday June 18, 2009 @09:16AM (#28372831)

        "The highest applicable Swedish court, RegeringsrÃtten, has ruled that IP numbers are protected (in Swedish) since they can be traced to individuals. This means that only government agencies are allowed to track and store IP adresses, leaving "anti-piracy" advocates with no legal way to find possible copyright infringers."

        This is pretty much the way things are, and have been, in Norway now for many years. And so far I have heard none of my friends in IT, nor anyone in the media, complain about "And no way for server admins to track what virus infected bots are trying to break into their systems."being a problem.

        • Re:bad rule (Score:4, Informative)

          by Rakshasa Taisab (244699) on Thursday June 18, 2009 @09:34AM (#28373019) Homepage
          It's not a problem as while the agency responsible for pushing companies to secure, delete or reorganize the information they hold on individuals, they haven't really gone after web-server logs and systems used to track virus infected bots. But if you try using logs to catch filesharers, you might suddenly get in trouble. I guess we're just a bit more flexible when it comes to applying common sense.
          • It's rather common sense that people who get sued as filesharers are usually more interested in how they were found (and press charges if they find out that foul play was the original lead) rather than someone being told by their ISP that they are part of a botnet, which has no legal implications whatsoever.

            In the first case you usually stand against a lawyer (hired by the accused) who will do whatever is in his power to punch holes into your argumentation, and if he can't achive anything else, then he'll d

          • I wonder if logging IP addresses from bit-torrent clients on a personal computer would be illegal under this ruling.
            And some people write some damn good bit-torrent clients [rakshasa.no] :-) Thank you for the great program
        • "This is pretty much the way things are, and have been, in Norway now for many years."

          Yes, I'm sure they are. They point is "and the news are?". I know IP address being consired private data subjected to privacy laws in Spain for about ten years and I bet that's the case all around Europe too.

    • Re:bad rule (Score:5, Informative)

      by polle404 (727386) on Thursday June 18, 2009 @09:07AM (#28372715)

      the first article has been removed, since it was wrong on several points.
      http://www.dn.se/kultur-noje/nyheter/ny-dom-paverkar-inte-ipredlagen-1.894500 [www.dn.se]
      the court says: IP's are personal information, therefore you can only get this information through a court of law, and this ruling does not affect the Ipred law
      http://en.wikipedia.org/wiki/IPRED [wikipedia.org]

      so a sysadm is not prohibited in managing his own network.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      And no way for server admins to track what virus infected bots are trying to break into their systems.

      This rule will hurt more than it will help.

      Can I use that BS rule next time my system has any problems? What a load of horse .... Any compentent admin can take care of the system without knowing who did it. Yes I would like to know what little snot nosed 13yr old kid is doing the evilness but it could just as well be your grandma that got owned and doesn't know she's doing it.

      So your real statement should say, "And no way for server admins to track down WHO is trying to break into there system. This rule will hurt the accountability process more tha

    • Re: (Score:3, Insightful)

      by CarpetShark (865376)

      What are you talking about? People attack your servers, and you hunt them down and kill them? When people attack your server, you find the responsible network block's admins abuse address, and report the IP and the problem. If they fail to act, and you continue to see attacks from that ISP, then you report that ISP upstream. None of that requires you knowing the individual(s) involved, and rightly so, since it could be the ISP pretending to be the individuals, for instance.

      As for hurting more than helpi

      • As for hurting more than helping... a swedish feminist politician recently compared (very directly, in a short post about that subject alone) file sharing to rape. Are you really saying you don't value privacy of your IP address in a world like that, considering that people have been killed in mob violence when they were mistakenly believed to be child molesters, for instance?

        It's true that many mobs throughout history have burned witches at the stake. Even Swedish witches. These are definitely things
      • The summary clearly states that the logging of IPs is to be stopped. As a server admin, no, I don't give a damn about the actual ID of a person using an IP. But how am I to "report the IP" that is causing the problem if I can't log IPs to begin with?

        SirWired

        • I'd be very surprised if that applies to tracking IPs on a webserver for normal (non-business/marketing) IT purposes. In the most extreme interpretation, of "without" it, all TCP-based protocols would be useless. In less extreme interpretations, you'd have TCP, but most of the stateful web apps (the ones that use IP as part of their session key) wouldn't work. In the minimal interpretation, you'd have stateful web apps, but you'd have trouble tracking down faults, doing normal system diagnostics, counter

      • A feminist liking filesharing to rape? This can only mean:

        a) She's not really a feminist.
        b) She's been fed enough BS about filesharing to actually believe it.
        c) She's on the payroll of some media company.
        d) All of the above.

      • by PhilHibbs (4537)

        When people attack your server, you find the responsible network block's admins abuse address, and report the IP and the problem.

        But by reporting the IP address, you are recording and transmitting someone else's private information.

    • Re: (Score:1, Offtopic)

      by jonaskoelker (922170)

      And no way for server admins to track what virus infected bots are trying to break into their systems.

      Even worse than this:

      No way for ISPs to store in their DHCP server IP pool which IP addresses have already been given to customer networks.

      Let's enforce this against the ISP of the judge who came up with this idea ;-)

      Or maybe have them rethink the issue and specify in greater detail what should and shouldn't be allowed. If the problem is using IPs to identify people, instead of banning the storage of IP addresses one should ban the use of stored IP addresses to identify people?

    • by xtracto (837672)

      And no way for server admins to track what virus infected bots are trying to break into their systems.

      This rule will hurt more than it will help.

      I was just thinking, from the following snippet in the summary:
      IP numbers are protected (in Swedish) since they can be traced to individuals

      The bad thing about this statement is that AFAIK one of the main defense points against the MAFIAA tactics is/was that an IP cannot be deffinitely linked to an individual... how does this decision affect that? does it means that now that the highest Swedish court made this explicit, the sue-friendly groups can backup in this assumption?

      • An IP address cannot be *definitely* linked to an individual, but it's not totally random either.

        What tiny bit I know about someone/anyone's law across multiple countries, I'd want this basic court level protection in place. Then we can go after removing the exemption for the copyright holders, and reinstating basic IT workflow. But the base law might be a step against the privacy-abusing laws that are a *worldwide* rage these days.

      • The bad thing about this statement is that AFAIK one of the main defense points against the MAFIAA tactics "is/was that an IP cannot be deffinitely linked to an individual... how does this decision affect that?"

        "May", which is enough to get into consideration when we are talking about fundamental rights as is the one about privacy, versus "for sure" which is what the MAFIAAs around the world want governments to believe.

        A city council will mark as "non potable" any water spring that is not under scrutiny. W

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Not quite. My Postal address is personal information too. But I give it to you whenever I want to have a response by mail. An IP address is like that. You can off course respond to and keep the info that is handed to you, but not sell it or give to other companies. This will hurt though, as you probably want the right to pass those addresses to a security firm or to your provider.

      • "Not quite. My Postal address is personal information too. But I give it to you whenever I want to have a response by mail. An IP address is like that"

        Exactly. That's why laws all throught Europe will treat your postal address as private data, unless you decide to make it public, and protect it under quite strong barriers too.

        No: telling your postal address to someone doesn't allow him to abuse it on ways you didn't allow him too.

  • by bjourne (1034822) on Thursday June 18, 2009 @08:55AM (#28372561) Homepage Journal
    This decision doesn't only affect anti-piracy hunters. Virtually all web companies track user ip addresses for various purposes.
    • by Yvanhoe (564877)
      Presumably with their users' consent...
      Plus, many web companies prefer to use cookies. Tracking via IP always causes troubles.
  • No, sorry. (Score:3, Informative)

    by richie2000 (159732) <rickard.olsson@gmail.com> on Thursday June 18, 2009 @08:57AM (#28372585) Homepage Journal

    There's an exception to this law in the recently enacted IPRED-law (based on an EU directive) that basically allows rightsholders to gather IP-addresses anyway.

    • by hansraj (458504)

      And that means that whoever tagged the story "suddenoutbreakofcommonsense" can only weep when the music industry will keep doing what they already do but many with perfectly sensible reason will not be allowed to store logs including ip addresses.

      Sometimes I don't know whether one ought to laugh or cry at the knee-jerk reactions one sees on /. (well everywhere actually).

    • by L4t3r4lu5 (1216702) on Thursday June 18, 2009 @09:18AM (#28372847)
      Don't you know anything about IT? "Deny" automatically overrules "Allow"

      From http://en.wikipedia.org/wiki/Supreme_Administrative_Court_of_Sweden [wikipedia.org]

      ... [T]he court as an institution is independent of the Riksdag, and the government is not able to interfere with the decisions of the court.

      That's the IPRED law out the window, then.

      • In some configurations, the rule is deny first, then allow. In others, it's the opposite.

        • It also depends on whether it's "first match", or "apply all rules in order, then evaluate result."

      • Turns out that this is total rubbish, as there is a clause in Government law which appears to supersede this. So, the Government CAN interfere (read: ignore) with Supreme Administrative Court decisions.

        If the system was in any way similar, this would be like the Commons bring in legislation which contravenes a decision by the Lords. It seems that the systems are not analogous, though.
      • Don't you know anything about IT? "Deny" automatically overrules "Allow"

        LOL. Do you?

        If so, maybe you can explain how the rules relevant to Windows' ACLs (which I assume you're referring to) define IT, generally, how those those rules are relevant to say, packet filtering, and then, how they apply to the Swedish legal system.

        So that you don't feel like a complete ass, I'll offer the comment that in the context of women (specifically, the behaviour of the ones I've known), it would be correct to suggest that

  • by mattj452 (838570) on Thursday June 18, 2009 @08:58AM (#28372593)
    The article had a lot of errors and DN has replaced it with a new article: http://www.dn.se/kultur-noje/nyheter/ny-dom-paverkar-inte-ipredlagen-1.894500 [www.dn.se] In short: They can still do what they want, but they need a permit for it.
  • Sadly the Swedish anti-pirate bureau has an exemption allowing them to store the IP-addresses. This has already been updated in the Swedish press.

    • Re: (Score:3, Informative)

      by oh2 (520684)
      Yes, there was a couple of factual errors in the original article. The upside is that IP numbers ARE now regarded as personal information in Sweden, the downside is that the IPRED law is still an abomination and a major infringement on our civil rights. Even more so now, really.
  • I'm going to fire off an email to my friends right now letting the know about this landmark decision. I'll also send it unencrypted so the NSA can hear about it too.
  • by LaminatorX (410794) <sabotage.praecantator@com> on Thursday June 18, 2009 @09:04AM (#28372681) Homepage

    Isn't the whole point of a publicly routable address to trace to a specific host or gateway? I sense some significant unintended consequences here. A ton of services will have real problems if this gets enforced thoroughly.

    I'm comparing this to phone numbers in my head. Even if you have an unlisted number, should it be illegal for someone to write down your number if it shows up on caller ID when you call them?

    • If you're going to send it off to a marketing agency to send you targeted advertisements based on the content of your call, then yes it damn well should be.
    • "Isn't the whole point of a publicly routable address to trace to a specific host or gateway? "

      Yes. And since the "whole point" is "to trace to a specific host or gateway" that means it has "no point" being used "to trace to a specific person".

      • Well, yes and no. Automobile license plates serve a similar function. If my car were used in the commission of a crime I would certainly be investigated as a likely suspect.

        • "Well, yes and no. Automobile license plates serve a similar function. If my car were used in the commission of a crime I would certainly be investigated as a likely suspect."

          A "likely" as in "there's demonstrable relationship between car plates and people we need to take into consideration" is quite different to "here: that's the bastard, we have his car plates".

  • The posted link didn't work for me, but http://www.dn.se/kultur-noje/nyheter/ny-dom-paverkar-inte-ipredlagen-1.894500 did.

    • by oh2 (520684)
      The original article has been removed due to a few errors. The new version is the one you found.
  • by wamatt (782485) * on Thursday June 18, 2009 @09:08AM (#28372723)

    I think overall this is a win for Copyright lobby and not the other way around.

    1) Legitimises IP address being tied to account holder. IE lessens the "TOR/ Wifi Defense"
    2) APB have gotten an exemption and are now allowed to track IP's.

  • So are they now illegal in Sweden?

  • If you are a server operator in Sweden, this presumably means you also cannot store IPs for later analysis of where your traffic is coming from. Now, you might say that IPs can be geocoded on the fly, but there are other issues:

    You also can't log the IPs of attackers. You can't log IPs to analyze botnets. You can't log the IPs of spammers.

    There are lots of legitimate reasons for private individuals and companies to store IP addresses. By forbidding it wholesale, the court is demonstrating its technologi

    • ... shared computers, NAT, insecure wireless networks, dynamic IPs

      In all of these cases, it becomes the responsibility of the contract holder to ensure that their connection is not used for illegal purposes, kind of like if you lend you friend a car, and he speeds... Oh, wait, that's not right. Kind of like if you buy a shotgun to go pigeon shooting and... Urm, no that doesn't work... Kind of like if you had a series of tubes...

      Huh, I guess you're right. Who'd have thought that big media were talking out of their asses?

  • Privacy in Sweden (Score:4, Interesting)

    by Biotech9 (704202) on Thursday June 18, 2009 @09:14AM (#28372791) Homepage

    Sweden has some strange privacy norms. Asking what someone votes for politically is close to a serious faux pa. In fact some people I know have absolutely no idea how their parents or even partners vote. That is a very private thing. But you can look up car owners on a free and public website by registration number, you can go and check tax returns for anyone in Sweden, and see what they earn. On the other hand, religion is another area that you very much leave alone and don't ask about.

    Hopefully the IP information will be considered something a little more private, and after the Pirate party did so well in the European elections maybe there is a chance that common sense will prevail and rules like IPRED will be struck down anyway.

    • Re:Privacy in Sweden (Score:5, Interesting)

      by mikael_j (106439) on Thursday June 18, 2009 @09:25AM (#28372931)

      This is thanks to something called "offentlighetsprincipen" which is basically the idea that anything related to the government (taxes, car registration, legislation, police records and so on) should be available to the public. One of the main criticism of the EU that tends to be get brought up in Sweden is actually that the EU doesn't work the same way, that there are a lot of things that are withheld from the public in the EU (or at least kept out of reach by bureaucracy and pointless paperwork).

      Personally I rather like our system, if its not explicitly classified as secret then anyone can access it.

      /Mikael

    • "Sweden has some strange privacy norms."

      Not that I know about.

      "Asking what someone votes for politically is close to a serious faux pa."

      It's unpolite which is quite different of being illegal. But it is illegal to force someone to tell you where his vote went or trying to guess it by other covered means. What do you exactly see strange here?

      "In fact some people I know have absolutely no idea how their parents or even partners vote."

      And what that exactly has to be with the legal system? That only means th

  • In related news, the bandwidth usage in Sweden is back up to the numbers before the IPRED law was enacted. Normally the usage is low during the summertime, but apparently not this summer. It is speculated that the increase is because the law is pretty toothless at the moment, and the bandwith usage may decrease if the current investigation goes to court and leads to a conviction.

  • by buddyglass (925859) on Thursday June 18, 2009 @09:32AM (#28372997)

    So if I'm running an online forum or game of some sort, I can't drop IP-bans on offensive parties since that would constitute tracking an IP address?

    I'm pretty much of the opinion that if you visit my website then you're volunteering your IP address. It's just like if you mailed me a letter or sent me an email. In either case you're supplying a return address.

    • by jonwil (467024) on Thursday June 18, 2009 @09:52AM (#28373219)

      Theres a BIG difference between an IP address (which is public information) and account details i.e. the link between an IP address and the account holder that is holding that account at the time (which should NOT be available to anyone without a valid court order or warrant)

    • by TheP4st (1164315)

      It's just like if you mailed me a letter or sent me an email. In either case you're supplying a return address.

      Huh? In the case of a letter I have to actively write the return address. In the case of email I can spoof the sender address.

      • I should have been more specific. It's comparable to you sending me a letter or email requesting information from me. That is to say, you actually want a response.
    • by Dunbal (464142)

      So if I'm running an online forum or game of some sort, I can't drop IP-bans on offensive parties

      That would be a pretty foolish thing to do anyway. Ban the account, not the IP. Many different people can use the same IP, especially if they're connected via a cable modem. Banning the IP is a lazy, sloppy way to do it.

      Plus you can ban the IP all you want. You just can't use the IP to trace back to an actual person, and then take legal action from there. Of course if

      • Many free games allow people to sign up with just an email address. Or not even that, in some cases. For them, the only way to ban someone is via IP range. And, since they're free, it's not as big of a deal that they might accidentally ban other non-guilty parties.
  • "I'll create a GUI interface in Visual Basic, see if I can track an IP address."
    Swedish Court Says: No you won't!
  • Short summary (Score:3, Informative)

    by oh2 (520684) on Thursday June 18, 2009 @09:57AM (#28373313) Homepage Journal
    The original article has been pulled, new one available (In swedish) here [www.dn.se]

    A short summary in english.

    This autumn Datainspektionen [datainspektionen.se] will start monitoring how the IPRED law is applied when it comes to disclosure of personal information. A recent verdict in the RegeringsrÃtten, Swedens highest applicable court, has upheld Datainspektionens decision that IP adresses are to be considered personal information and therefore protected under law.

    In 2005 Datainspektionen ruled that collecting and storing personal information online like copyright advocates were doing was a breach of the Swedish PUL, Personal information act, that regulates how and what kind of information that can be traced to a single individual that can be stored. The antipiracy organizations were quickly granted an exemption though, that expired march 31st. Starting april 1st this year IPRED allows holders of copyright to apply to the courts for this information. Datainspektionen will now monitor closely how any personal information aquired from the courts in this manner is used by copyright holders.

  • by Anonymous Coward

    I like that IP numbers are protected when they are in Swedish, but I doubt I can keep up the accent.

  • by Anonymous Coward

    ...perhaps a little less googlish: http://www.allende.se/blog/2009/06/en-ipred-fant-balanserade/

  • by Anonymous Coward

    Basically APB argues IP addresses are not personal data and can not be linked to actual persons, thus should not be govenerd by the Personal Data Law (or something like that PUL, Person Uppgifts Lagen).

    The court ruled that since APB is using IP addresses to sue people who are participating in illegal file sharing, then obviously IP addresses can be linked to persons and are thus protected by PUL.

    The PUL law as google translated it:
    http://translate.google.com/translate?hl=en&ie=UTF-8&sl=sv&tl=en

  • I oppose intellectual property, but I am often disappointed that most who do are inconsistent,
    Many people explained that DMCA makes numbers illegal. Well, so is this. There's nothing wrong with storing IP adresses.

    Information about people is information, just because you like privacy doesn't mean there's ethical magic surrounding this kind of information.

    • by shaitand (626655)

      This is being misrepresented. This does NOT prevent storing IP addresses. All it does is require a warrant to get the account holder details from the ISP because the account holder has a reasonable expectation of privacy. The same should be the case anywhere.

  • Your IP lease expired by DHCP server because the DHCP server violated privacy policy. You will be asked to go to the ISPs website to "opt-in" to have that data persistnant but - whoops - you have no IP to connect with...

  • They tie to a computer, not to a person.

    And in many cases, they don't even do that.

  • If I can use a standard protocol (ICMP, ARP, etc.) to determine your IP address, and such tools are available to anyone, then it is not reasonable to expect privacy. If I know your host name, I can get your IP. If you're connecting to my services via TCP or UDP, I have your IP, and kindof need it in order to do anything.

    On the other hand, server logs with this info in it should be considered private. Your transactions between you and my server are business between you and me. You should have an reasonab

  • I don't think this has the implications a lot of people think it has. The courts are very able to say that storing IPs with the purpose of protecting yourself against attacks is acceptable, but doing it the way the APB has been doing it is not. In fact, if I'm not mistaken Swedish law actually does specify how information is to be used when you supply a service over the net. ISPs ( as an example ) are required to delete details when they are no longer used. Due to EU directives they may soon be required to

    • by cdrguru (88047)

      I would imagine that storing logs that show someone trying to brute-force attack your server would also be against the law. I would hope that any illegal act would be made pretty much impossible to prosecute because of a lack of identifying information from this.

      That is the idea, isn't it?

  • Then I guess they are busy bringing charges against LiveJournal and every other website that stores IP addresses.

  • Once upon a time it was possession and control of land, real estate, that caused friction, conflict, and wars. No more: land is a finite commodity. The new Last Frontier is this so-called intellectual property, where an infinite amount of things to control can be created out of thin air. These things don't require armies of soldiers to control them, instead they require armies of lawyers and expert witnesses. There seems to be an economy of scale to this new IP real estate, though, because it requires a

  • !{those who are not{anti{privacy{piracy}}}};
  • If I understand correctly, this ruling does NOT affect webserver logs, because that person came TO YOU. It would, however, affect the legality of you selling or giving away those logs.

    This is analogous to a doctor being able to keep records of his patients, but not able for that same doctor to sell or even disclose those records to a third party.

  • "IP numbers are protected (in Swedish)". I did not know you could translate IP numbers from one language to another! Perhaps you pronounce it with diphthongs.

Today's scientific question is: What in the world is electricity? And where does it go after it leaves the toaster? -- Dave Barry, "What is Electricity?"

Working...