Forgot your password?
typodupeerror
Privacy Government Networking The Courts News Your Rights Online

Judge Rules IP Addresses Not "Personally Identifiable" 436

Posted by Soulskill
from the what-about-the-ip-on-the-chip-in-my-head dept.
yuna49 writes "Online Media Daily reports that a federal judge in Seattle has held that IP addresses are not personal information. 'In order for "personally identifiable information" to be personally identifiable, it must identify a person. But an IP address identifies a computer,' US District Court Judge Richard Jones said in a written decision. Jones issued the ruling in the context of a class-action lawsuit brought by consumers against Microsoft stemming from an update that automatically installed new anti-piracy software. In that case, which dates back to 2006, consumers alleged that Microsoft violated its user agreement by collecting IP addresses in the course of the updates. This ruling flatly contradicts a recent EU decision to the contrary, as well as other cases in the US. Its potential relevance to the RIAA suits should be obvious to anyone who reads Slashdot."
This discussion has been archived. No new comments can be posted.

Judge Rules IP Addresses Not "Personally Identifiable"

Comments Filter:
  • A question... (Score:5, Interesting)

    by geminidomino (614729) * on Wednesday July 08, 2009 @11:57AM (#28623441) Journal

    Could this decision be referenced to disqualify the IP as evidence when the MAFIAA goes after someone based on IP addresses they got from WhateverMediaSentryIsCalledNow?

  • by Anonymous Coward on Wednesday July 08, 2009 @11:59AM (#28623475)
    Does this ruling mean that Microsoft 'bought' the Seattle judge, to get this ruling that favors them, but didn't succeed in buying the one in Europe?

    Regardless, I personally think that an IP address can't even always identify a computer (much less a person), since Internet Service Providers are known to assign different numbers to the same computer at different times, as the user connects the computer to the ISP.
  • I'm confused... (Score:3, Interesting)

    by clone53421 (1310749) on Wednesday July 08, 2009 @12:01PM (#28623501) Journal

    Identifying my computer doesn't identify me personally by inference?

    I'm sure this could come in handy in court eventually.

  • by Anonymous Coward on Wednesday July 08, 2009 @12:04PM (#28623571)

    I feel as though your tone is completely sarcastic, but perhaps it isn't. However, yes indeed your license plate and address are not personal information with an implicit right to privacy. They are public records. I can go to the DMV and look up your license plate to get owner information, and I can go to your local municipality and get owner information about your address. Do you get where this is going?

  • by idontgno (624372) on Wednesday July 08, 2009 @12:05PM (#28623593) Journal

    And the network equivalent of the "It was my car, but I wasn't driving" defense is "someone haxx0red my (system|network)". Or, maybe, the "secure my wireless network? what do you mean?" defense.

    Historically, how well has the "I wasn't driving" defense worked out?

  • Am I the only one? (Score:4, Interesting)

    by DarrenBaker (322210) <darren@fl3.1415926im.net minus pi> on Wednesday July 08, 2009 @12:05PM (#28623595) Homepage

    Seems logical to me. An IP address no more identifies a person than a house address identifies one. It's tying those two together for investigative purposes that should be illegal without a warrant.

  • by Grond (15515) on Wednesday July 08, 2009 @12:15PM (#28623731) Homepage

    It is true that an ip address identifies a computer or possibly, as another poster pointed out, a router behind which could be many computers, but that fact is largely irrelevant to file sharing litigation. The plaintiffs in those cases do not have to have ironclad evidence that it was the defendant sitting at the computer sharing the files. Instead, the plaintiffs merely have to show that it is more likely than not (aka preponderance of the evidence, 50% + 1) that it was the defendant.

    Thus, if the defendant lives at home and only rarely has guests that use his or her computer, it's very likely that a jury will accept that it is more likely than not that the defendant was the one who shared the files, not a guest or an unauthorized user of the wireless network, especially if the files are found on the defendant's hard drive. More complex situations come closer to the line, of course, but in most cases it's fairly clear who the most likely culprit was.

    But, even if the defendants live in an apartment with a communal computer or network shared equally by multiple long-term residents, all of whom use the same file-sharing user account, it is not necessarily up to the plaintiff to prove which specific defendant shared the files. A long standing rule in tort law from the case Summers v. Tice, 33 Cal.2d 80 (1948) establishes that where the plaintiff can prove that multiple defendants were negligent, the burden shifts to the defendants to prove which one actually committed the injury. It is quite possible that the file sharing case plaintiffs will be able to successfully argue that it is up to the various users of a computer to prove who actually shared the files or else they will all be jointly liable. This is especially likely if it can be shown that all of the defendants were aware of the file sharing program and the infringing nature of the files.

  • Re:Yup (Score:3, Interesting)

    by fredklein (532096) on Wednesday July 08, 2009 @12:20PM (#28623831)

    as far as the credit card company is concerned that little piece of plastic just identifies an account not a person.

    Correct.

    However- Each account is specifically linked to one person. (Sometimes more for joint accounts, but you get the idea.) The agreement you make with the card company usually says something along the lines of 'the person named on the card is the only authorized user of the card...' SO, if they trace certain activity to the card, they can be reasonably sure who used the card.

    There is no such guarantee when it comes to IP addresses. As someone else posted, their IP is to their router, with 5-6 PCs behind it. Wireless confuses the issue more. Tracing certain packets to a router does NOT tell them what PC it came from, much less who was using that PC.

  • Re:Yup (Score:3, Interesting)

    by eln (21727) on Wednesday July 08, 2009 @12:36PM (#28624057) Homepage
    IF the person has a home network, then it only identifies that network. If the person lives alone and only has one computer, it does effectively identify the person.

    Also, it's generally understood in legal circles, and is spelled out in most ISPs' TOS agreements, that the account owner is ultimately responsible for any activity originating from that connection. So, since an IP address can be used to identify a particular DSL/cable/dialup/whatever line, it can effectively be used to identify a person.

    Things get muddier when talking about open wireless access points, but in general it's been held that if you open up your wireless connection, you're responsible for any illegal activity people might use it for. You only escape responsibility if you've taken some measure to restrict access and the perpetrator has defeated it.

    Even if you don't buy any of that, identifying the home network itself is already an invasion of privacy. It may not identify you personally, but it almost certainly identifies your family or the group of people living in your house. Isn't that an invasion of privacy?
  • Re:Yup (Score:3, Interesting)

    by Sir_Dill (218371) <slashdot@@@zachula...com> on Wednesday July 08, 2009 @12:42PM (#28624165) Homepage
    Consider this for a moment.

    I have a business class internet account at home. It comes with static ips which resolve back to my domain name which....guess what...IS PERSONALLY IDENTIFIABLE.

    So under many situations an IP address is not personally identifiable, there are also many where it is.

    I use an anonymizing service to keep my personal information out of whois, but that still doesn't mean my home IP address isn't uniquely identified as "belonging" to me.

    I tend to think of an IP address like a phone number. Are phone numbers considered personally identifiable?

    if yes then IP addresses should be treated accordingly.

  • by Anonymous Coward on Wednesday July 08, 2009 @01:27PM (#28624981)

    Double-edge sword for big business. The RIAA in their suits try to identify individuals based on the IP addresses and such so now they will not be able to do so based on this FEDERAL court ruling.

  • Re:Yup (Score:3, Interesting)

    by hedwards (940851) on Wednesday July 08, 2009 @01:50PM (#28625403)
    I've got mixed feelings about this. On the one hand I would consider this sort of monitoring questionable in terms of privacy issues. But on the other hand if this interpretation is upheld it represents a serious set back to the RIAA in its endeavor to bring lawsuits against alleged pirates.

    At some point there'll have to be a determination as to which is it, evidence that somebody in particular was online or not a form of identifying people. We can't have it both ways. So, all in all it's probably a good thing, if for no other reason than the issue might finally be resolved in the legal sense.
  • by rvel (1118797) on Wednesday July 08, 2009 @02:34PM (#28626145)
    This will have no effect on RIAA cases. I believe the RIAA investigators use an IP address to identify an alleged lawbreaker, then grabs their hard drives and looks for evidence of file sharing, illegal downloads, etc. You cannot simply convict someone for illegal online activity simply because they have the same IP address as an alleged abuser. In this context, an IP address is like a license plate. Example: someone is involved in a hit-and-run. The cops track the license plate to your house and checks your car for damage.
  • by dotgain (630123) on Wednesday July 08, 2009 @04:57PM (#28628247) Homepage Journal
    In New Zealand it works similarly, except you must provide information about the person who was driving, or that it was stolen at the time, again in a notarized affidavit. Seems reasonable, barring the theft of it you should be aware of every person that drives your car.

    Say the car was involved in a fatal hit/run or bank robbery, it's not going to do you much good to say that anybody could have been driving your car. Similarly if you left your keys in it and it was stolen, you are somewhat liable for making your car too easy to steal.

To thine own self be true. (If not that, at least make some money.)

Working...