Judge Rules IP Addresses Not "Personally Identifiable"

yuna49 writes "Online Media Daily reports that a federal judge in Seattle has held that IP addresses are not personal information. 'In order for "personally identifiable information" to be personally identifiable, it must identify a person. But an IP address identifies a computer,' US District Court Judge Richard Jones said in a written decision. Jones issued the ruling in the context of a class-action lawsuit brought by consumers against Microsoft stemming from an update that automatically installed new anti-piracy software. In that case, which dates back to 2006, consumers alleged that Microsoft violated its user agreement by collecting IP addresses in the course of the updates. This ruling flatly contradicts a recent EU decision to the contrary, as well as other cases in the US. Its potential relevance to the RIAA suits should be obvious to anyone who reads Slashdot."

Yup

[FredFredrickson]

So on one end of the stick, you've got privacy advocates who hate Microsoft, who are thinking that collecting our IP addresses is wrong and violates our privacy.

There's more to it, though. Any sys admin could explain... Imagine trying to have a conversation with somebody by mail. They couldn't respond if they didn't take note of the return address, no? Fact of the matter is, for strictly technical reasons, use of the IP address is required.

But... For statistical and anti-abuse reasons, a log of IP addresses is kept (on any server, really). But don't get all pissy at microsoft for doing so. I mean, almost every site on the net keeps an http log, it's the default setting! The fact is, if you don't want them knowing who you are- I've got an idea- don't contact their servers.

You have a reasonable right to privacy, but you lose that right when you're in public. You don't get to get pissy when a store's security cameras capture your image. I rarely hear anybody complain about other people seeing you while you're at the grocery store. But the fact is: these small dings in privacy are neccessary to operate. You don't need to go in public. And you don't need to connect to somebody's server.

Now the real problem TM
An IP address DOES identify a computer- but not the way the judge thinks. My IP address identifies my router, which in turn owns 5 to 6 computers. With the wireless open, it could refer to the whole neighborhood, for all I know/care. They need to revise, an IP address identifies a NETWORK, but not neccessarily conclusively any particular computer.

So there's another level there. Not only is an IP address not good for identifying a person, but it's rather useless to discover a particular computer either. (Now, there are cookies and other tracking mechanisms, but they're not fool proof..)

But hey, at least this is a step in the right direction. Anyway, it doesn't really matter whose computer an IP address identifies, if the feds pick up on your ip they'll just take every machine in your house anyway.

Anonymous Coward

[Anonymous Coward]

Addresses aren't personal information! They point to a house or an apartment, not a person!

Sure, it's not personal at all

[AtomicDevice]

If this is true, I suppose addresses and license plates aren't personal either, they just identify cars and houses, it's not as though those things usually contain the same people. Or what about phone numbers, that really only identifies my phone, not me the individual. And when you stop to think about it, my email is really just a code so the mailserver knows where to put some bytes it receives, it doesn't really have anything to do with me.

Re:Yup

[Jugalator]

They need to revise, an IP address identifies a NETWORK, but not neccessarily conclusively any particular computer.

A network endpoint, yes.

So there's another level there. Not only is an IP address not good for identifying a person, but it's rather useless to discover a particular computer either.

I agree about this, and that's why I think the methodology RIAA is using *should* not really hold in court. They should really provide them with name and date ranges, forget about the IP addresses, it's just an Internet Protocol technicality and should be treated as such.

Sure

[ringm000]

A vehicle registration number identifies a car, not a person.

A phone number identifies a phone, not a person.

A postal address identifies the location of a building, not a person.

Re:Sure, it's not personal at all

[Reason58]

A license plate, street address and phone number are both unique and tied to a specific person until the person chooses to end that connection. An IP address (dynamic) is randomly assigned to a user and then changed with little or no control from the user's end. This isn't IPv6. Everyone can't be issued a permanent address when they sign up for an ISP.

Beyond that, you are aware that cars and the like can't be ticketed, right? If you run a red light and are caught on camera they have to be able to determine who is driving the car for it to be valid. Simply having the plate will not work. The same does not apply to IPs, however. They do not have to prove that it was actually you who committed the act, only that at one point in time you had been randomly assigned that IP.

Re:Sure, it's not personal at all

[wtfamidoinghere]

Addresses are not personal. They can be connected to you in some ways, but are not personal per se. For instance, when you get a bill by mail, you have the mail address AND the person name to whom the service is registered. Imagine a situation like this: gunshots are reported as being shot from address x; does that automatically implies the owner did the shooting?

License plates and phone numbers are more or less the same. I'm sure you can come up with some examples of your own to illustrate.

As for your email, that one is on a diferent level. With email you're supposed to have identification AND authentication. (name + password)

Re:Yup

[Anonymous Coward]

You said "This ruling flatly contradicts a recent EU decision to the contrary" but a ruling in the US carries no weight in any other country. So the EU may rule the opposite and that is how they will deal with it on a legal basis. The US does not make rulings that bind other countries.

Re:Not all that relevant to the RIAA

[geminidomino]

An IP does not identify the user but it will identify that it's someone's computer doing to sharing (once you've a court order getting the User's details).

How so? If the precedent stands that IP address is not personally identifiable information, then how do you identify the user based on it (to the court's satisfaction?)

Re:Sure, it's not personal at all

[gcatullus]

Depending on state law (at least in the US) you can be ticket for certain things on the basis of license plate. You can be ticketed as the owner of the vehicle. The most obvious ticketing here would be for parking. The meter maid doesn't care who parked your car by the fire hydrant. you will still have to pay fines. This is the same principle as charging the owner of an internet account for nefarious deeds done using an IP address that was assigned to him.

Is this really a bad thing?

[Millennium]

Think about it: according to this judge, an IP address identifies a computer (as others have pointed out, "network endpoint" would be a more correct term), not the person behind it. Although this makes it easier for the **AA to collect IP-address information, it also makes such information a lot less useful, because by itself it leaves a hole big enough to establish reasonable doubt. The IP address can establish what computer was used, but it does not prove that the defendant was the one operating the computer in that capacity. Especially in an age of botnets and malware, there's a lot of doubt here unless you can establish a stronger link, and the IP address won't help you on that score.

That leaves open the question: does this really strengthen the **AA, or does it actually hamstring their tactics? This may remain to be seen.

The IP is a lot like a license plate

[istartedi]

If all they have is a picture of your license plate, that doesn't prove you were driving. We should use this ruling as precedent to get out of automated tickets when there is no clear picture of your face.

And a STREET Address?

[Philip K Dickhead]

Identifies a HOUSE!

Not personally identifiable? Right! No reasonable analogy?

The Judge needs a head check.

 

Re:Yup

[cml4524]

Contradict just means to take a contrary position. The multiple definitions of contrary allow for the word to be used accurately in this context, in the sense that the opinions are opposite of one another. It does not necessitate, however, that those opinions cause any sort of conflict.

In other words, they are contradictory in the sense that they stake opposite positions, but not in the sense that one opinion will overrule or clash with the other.

Re:How is this significant to RIAA cases?

[_avs_007]

IP address identifies "a" computer, but not "whose" computer... For all the RIAA/ISP/etc knows the IP address could've been spoofed. Similar to dropping a letter in the mail at the post office with a forged return address. RIAA can say the letter contains pirated copyrighted material and go after the person who owns the house address listed as the return address, but that doesn't meant they got the right person.

Re:You want to bet?

[Volante3192]

Yes, we do get to get pissy.

We just can't do anything about it other than choose not to shop there.

Re:I'm confused...

[JumpDrive]

Because you are the owner of the computer.
They have never gone after a said individual, but the owner of a computer. Remember the case where the ladies kids were downloading all the crap. She wasn't responsible because she was the guardian of the children, she was responsible because she was responsible for the computer.
So if your room mate uses your laptop to download a bunch of music via your computer, you will be held responsible, until you can prove that your roommate had equal access and usage of the computer.

Re:Is this really a bad thing?

[SeeSp0tRun]

Again, your IP address (or mine anyway) is to the network endpoint that the ISP is not responsible for afterward. In this case, it will identify your network.

I believe it is said that "Ownership is 9/10 of the law." In this case, a computer with your billing information, or an IP address for that matter, ties it (indirectly) to you. If my neighbor is on my computer at home, viewing kiddie porn, someone is going to be held liable.
If I fail to remember that my neighbor had used my computer that week/day/whatever, you bet your ass I am going to jail.

While a warrant would (and should) not be needed to collect IP addresses, the warrant should be needed to connect them to billing information, and therefore individuals.

Re:Yup

[wvmarle]

There is a difference between "the device works out of the box" and "the user knows how to use it". Big difference.

Re:Yup

[JockTroll]

What's your fucking problem? If it saves one life it's worth it, isn'it? No debate /sarcasm