5131097
story
Comments: 436 +- Your Rights Online: Judge Rules IP Addresses Not "Personally Identifiable" on Wednesday July 08 2009, @10:52AM
Posted
by
Soulskill
on Wednesday July 08 2009, @10:52AM
from the what-about-the-ip-on-the-chip-in-my-head dept.
from the what-about-the-ip-on-the-chip-in-my-head dept.
background: url(//a.fsdn.com/sd/topics/topicprivacy.gif); width:71px; height:53px;
privacy
background: url(//a.fsdn.com/sd/topics/topicgovt.gif); width:57px; height:80px;
government
background: url(//a.fsdn.com/sd/topics/topicnetworking.gif); width:71px; height:37px;
networking
background: url(//a.fsdn.com/sd/topics/topicdoj.gif); width:50px; height:79px;
court
background: url(//a.fsdn.com/sd/topics/topicnews.gif); width:60px; height:66px;
news
yuna49 writes "Online Media Daily reports that a federal judge in Seattle has held that IP addresses are not personal information. 'In order for "personally identifiable information" to be personally identifiable, it must identify a person. But an IP address identifies a computer,' US District Court Judge Richard Jones said in a written decision. Jones issued the ruling in the context of a class-action lawsuit brought by consumers against Microsoft stemming from an update that automatically installed new anti-piracy software. In that case, which dates back to 2006, consumers alleged that Microsoft violated its user agreement by collecting IP addresses in the course of the updates. This ruling flatly contradicts a recent EU decision to the contrary, as well as other cases in the US. Its potential relevance to the RIAA suits should be obvious to anyone who reads Slashdot."
Related Stories
leverage, n.:
Even if someone doesn't care what the world thinks
about them, they always hope their mother doesn't find out.
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.
Yup (Score:5, Insightful)
There's more to it, though. Any sys admin could explain... Imagine trying to have a conversation with somebody by mail. They couldn't respond if they didn't take note of the return address, no? Fact of the matter is, for strictly technical reasons, use of the IP address is required.
But... For statistical and anti-abuse reasons, a log of IP addresses is kept (on any server, really). But don't get all pissy at microsoft for doing so. I mean, almost every site on the net keeps an http log, it's the default setting! The fact is, if you don't want them knowing who you are- I've got an idea- don't contact their servers.
You have a reasonable right to privacy, but you lose that right when you're in public. You don't get to get pissy when a store's security cameras capture your image. I rarely hear anybody complain about other people seeing you while you're at the grocery store. But the fact is: these small dings in privacy are neccessary to operate. You don't need to go in public. And you don't need to connect to somebody's server.
Now the real problem TM
An IP address DOES identify a computer- but not the way the judge thinks. My IP address identifies my router, which in turn owns 5 to 6 computers. With the wireless open, it could refer to the whole neighborhood, for all I know/care. They need to revise, an IP address identifies a NETWORK, but not neccessarily conclusively any particular computer.
So there's another level there. Not only is an IP address not good for identifying a person, but it's rather useless to discover a particular computer either. (Now, there are cookies and other tracking mechanisms, but they're not fool proof..)
But hey, at least this is a step in the right direction. Anyway, it doesn't really matter whose computer an IP address identifies, if the feds pick up on your ip they'll just take every machine in your house anyway.
Re: (Score:3, Insightful)
They need to revise, an IP address identifies a NETWORK, but not neccessarily conclusively any particular computer.
A network endpoint, yes.
So there's another level there. Not only is an IP address not good for identifying a person, but it's rather useless to discover a particular computer either.
I agree about this, and that's why I think the methodology RIAA is using *should* not really hold in court. They should really provide them with name and date ranges, forget about the IP addresses, it's just an Internet Protocol technicality and should be treated as such.
Re:Yup (Score:5, Funny)
IPv6 addresses should be like MAC addresses for people.
Issued at birth, and tattooed onto your ass.
Actually I hope the RIAA aren't reading this. It will give them ideas.
Parent
Re:Yup (Score:4, Funny)
tattooed onto your ass
Your butt crack can then be interpreted as the :: part in the middle of abbreviated addresses.
Parent
Re:Yup (Score:5, Funny)
... but my butt crack only has one colon. :-(
Parent
Re: (Score:3, Informative)
An IP address DOES identify a computer- but not the way the judge thinks. My IP address identifies my router, which in turn owns 5 to 6 computers. With the wireless open, it could refer to the whole neighborhood, for all I know/care. They need to revise, an IP address identifies a NETWORK, but not neccessarily conclusively any particular computer.
A router is still a computer. An IP address identifies a computer. Whether that computer has other computers connected to it, and forwards traffic from those computers using its IP address, is an entirely separate matter.
Re: (Score:3, Interesting)
At some point there'll have to be a determination as to which is it, evidence that somebody in particular was online or not a form of identifying people. We can't have it both ways. So, all in all it's probably a good
Re: (Score:3, Interesting)
as far as the credit card company is concerned that little piece of plastic just identifies an account not a person.
Correct.
However- Each account is specifically linked to one person. (Sometimes more for joint accounts, but you get the idea.) The agreement you make with the card company usually says something along the lines of 'the person named on the card is the only authorized user of the card...' SO, if they trace certain activity to the card, they can be reasonably sure who used the card.
There is no
And a STREET Address? (Score:5, Insightful)
Identifies a HOUSE!
Not personally identifiable? Right! No reasonable analogy?
The Judge needs a head check.
Parent
Re: (Score:3, Interesting)
Also, it's generally understood in legal circles, and is spelled out in most ISPs' TOS agreements, that the account owner is ultimately responsible for any activity originating from that connection. So, since an IP address can be used to identify a particular DSL/cable/dialup/whatever line, it can effectively be used to identify a person.
Re:Yup (Score:4, Informative)
In case of your examples that is not too hard to prove/disprove: did the person keep the computer reasonably up to date? Can't expect installing patches the minute they are released but at least within a reasonable time span. Did the person have anti-virus, anti-spyware or other security software installed, running and kept up to date? Did they read the manual that came with said wireless device before plugging it in?
Gaddammit, I paid $200 for this 'Winders XP' thing. Now you're tellin me I gotta 'Update' my 'Patches' and thingerwhoose why whatzits?? Anti-spy ware? What am I , a secret Agent? I paid a lotta money for it! It should just work!! I shouldn't have to buy anything else! I shouldn't have to READ anything. It should work right when I plug it in!!
(If you think I'm exaggerating, you don't work in techsupport or any kind of Customer Service).
Parent
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
I have a business class internet account at home. It comes with static ips which resolve back to my domain name which....guess what...IS PERSONALLY IDENTIFIABLE.
So under many situations an IP address is not personally identifiable, there are also many where it is.
I use an anonymizing service to keep my personal information out of whois, but that still doesn't mean my home IP address isn't uniquely identified as "belonging" to me.
I tend to think of an IP address like a phone n
Re: (Score:3, Insightful)
Contradict just means to take a contrary position. The multiple definitions of contrary allow for the word to be used accurately in this context, in the sense that the opinions are opposite of one another. It does not necessitate, however, that those opinions cause any sort of conflict.
In other words, they are contradictory in the sense that they stake opposite positions, but not in the sense that one opinion will overrule or clash with the other.
Re: (Score:3, Insightful)
Yes, we do get to get pissy.
We just can't do anything about it other than choose not to shop there.
Anonymous Coward (Score:2, Insightful)
Addresses aren't personal information! They point to a house or an apartment, not a person!
Sure, it's not personal at all (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3, Interesting)
And the network equivalent of the "It was my car, but I wasn't driving" defense is "someone haxx0red my (system|network)". Or, maybe, the "secure my wireless network? what do you mean?" defense.
Historically, how well has the "I wasn't driving" defense worked out?
Re: (Score:3, Informative)
I think the "it's my car, but it wasn't me" is a valid defense, and why I so loathe red light cameras and photo radar. All an investigator can say from either of these is that a specific car was captured on film.
Quite so... and in some jurisdictions, red light cameras can be disputed very readily, specifically because of this issue. If your car is caught running a red light, and your teenage kid was the one driving the car, then the ticket can be invalidated by a very simple process: You (as in, the vehicle owner) sign a notarized affidavit stating that you were not the person driving the vehicle at the time of the traffic infraction, and you mail that back to the address indicated on the ticket that was mailed to
Re: (Score:2)
He already did. Read the part about the licence plates identifying cars....
Re: (Score:2)
He did
Re: (Score:3, Interesting)
I feel as though your tone is completely sarcastic, but perhaps it isn't. However, yes indeed your license plate and address are not personal information with an implicit right to privacy. They are public records. I can go to the DMV and look up your license plate to get owner information, and I can go to your local municipality and get owner information about your address. Do you get where this is going?
Re:Sure, it's not personal at all (Score:5, Insightful)
Beyond that, you are aware that cars and the like can't be ticketed, right? If you run a red light and are caught on camera they have to be able to determine who is driving the car for it to be valid. Simply having the plate will not work. The same does not apply to IPs, however. They do not have to prove that it was actually you who committed the act, only that at one point in time you had been randomly assigned that IP.
Parent
Re:Sure, it's not personal at all (Score:5, Insightful)
Depending on state law (at least in the US) you can be ticket for certain things on the basis of license plate. You can be ticketed as the owner of the vehicle. The most obvious ticketing here would be for parking. The meter maid doesn't care who parked your car by the fire hydrant. you will still have to pay fines. This is the same principle as charging the owner of an internet account for nefarious deeds done using an IP address that was assigned to him.
Parent
Re:Sure, it's not personal at all (Score:4, Insightful)
Addresses are not personal. They can be connected to you in some ways, but are not personal per se. For instance, when you get a bill by mail, you have the mail address AND the person name to whom the service is registered. Imagine a situation like this: gunshots are reported as being shot from address x; does that automatically implies the owner did the shooting?
License plates and phone numbers are more or less the same. I'm sure you can come up with some examples of your own to illustrate.
As for your email, that one is on a diferent level. With email you're supposed to have identification AND authentication. (name + password)
Parent
Re: (Score:2)
IP addresses are much less fixed than anything that represents a physical object.
Re: (Score:2)
While that is true, I'm betting your phone number, license plate, and email address do not change on a monthly basis.
Re: (Score:2)
A question... (Score:5, Interesting)
Could this decision be referenced to disqualify the IP as evidence when the MAFIAA goes after someone based on IP addresses they got from WhateverMediaSentryIsCalledNow?
Re: (Score:2)
Actually, no. I clicked on the link to RTFA before I finished. Having an ADD day, evidently. :)
I know, I know. I'm leaving.
Oddly good news ... ? (Score:2)
So, if a particular illegal or actionable activity is traced to a particular IP address, can this ruling be used to indicate:
"It wasn't me, an IP address identifies a computer, not a person, re: so-and-so vs. so-and-so"
or is that just silliness?
Re: (Score:2)
Only if your case is in the same circuit that the original case w/ ruling was.
Otherwise, you have to present your evidence, etc. When 2 circuits in a state have differing opinions, some lucky bastard gets to go to the state supreme court and present evidence there, etc. And then the state supreme court makes a ruling. Multiple state supreme courts make a ruling? Goes to district court. Multiple districts? The SCOTUS.
IANAL, but this is how it was 'splained to me by a lawyer.
Sure (Score:2, Insightful)
A phone number identifies a phone, not a person.
A postal address identifies the location of a building, not a person.
I'm confused... (Score:3, Interesting)
Identifying my computer doesn't identify me personally by inference?
I'm sure this could come in handy in court eventually.
Re: (Score:2, Redundant)
I'm sure this could come in handy in court eventually.
It could come into play immediately with all of those P2P cases going on with the *AA groups. If an IP address isn't personally identifiable (according to the judge), how can you come after me based on that address?
Doesn't Identify a Person Eh? (Score:2)
I suppose this only makes sense. After all, we know that an address isn't personal information - it identifies a house, not a person. Neither is a phone number, which identifies a phone. License plate numbers identify a car. In fact, one could even argue that SSN/SIN numbers identify a card or record in a government database instead of a person. Privacy solved! There is no personal information.
Re: (Score:2)
An SSN or TIN number identifies an entity. In case of SSN that entity is a person. The SSN just gives you a serial number and that serial number is only owned by you and cannot (legally) be used by anyone else. Your birth certificate also identifies you as a person.
A phone however identifies a location, usually the end of the line in the vicinity where the phone is (whether tethered to a hardline or not). It's your phone number because you pay for it but your mom could pick it up, or a burglar that's in you
Am I the only one? (Score:4, Interesting)
Seems logical to me. An IP address no more identifies a person than a house address identifies one. It's tying those two together for investigative purposes that should be illegal without a warrant.
Spartacus-1138 (Score:5, Funny)
I am 192.168.0.1!
No, I am 192.168.0.1!
No, I am 192.168.0.1!
No, I am!
I am!
Re: (Score:3, Funny)
I am 192.168.0.1
That's the IP of my gateway. I am the keymaster are you the gatekeeper?
Re: (Score:3, Funny)
I am 127.0.0.1!
No, I am 127.0.0.1!
No, I am 127.0.0.1!
No, I am!
I am!
There, fixed that for you.
How is this significant to RIAA cases? (Score:2)
Or multiple computers/internet nodes, more accurately.
The significance of this to RIAA cases is nil.
When your ISP fingers you, you've been fingered.
Relates to all online activities (Score:2)
1) RIAA/MPAA sueing people they tracked via IP numbers
2) Pedophiles tracked via IP numbers
3) Online harassment cases tracked via IP numbers (e.g. the mom who harassed some girl until the girl committed suicide)
4) Spammers who are tracked via IP numbers
There are other cases this would effect but basically anything where they link someone via an IP number would be invalidated. I agree with the judge that
Largely irrelevant to RIAA litigation (Score:5, Interesting)
It is true that an ip address identifies a computer or possibly, as another poster pointed out, a router behind which could be many computers, but that fact is largely irrelevant to file sharing litigation. The plaintiffs in those cases do not have to have ironclad evidence that it was the defendant sitting at the computer sharing the files. Instead, the plaintiffs merely have to show that it is more likely than not (aka preponderance of the evidence, 50% + 1) that it was the defendant.
Thus, if the defendant lives at home and only rarely has guests that use his or her computer, it's very likely that a jury will accept that it is more likely than not that the defendant was the one who shared the files, not a guest or an unauthorized user of the wireless network, especially if the files are found on the defendant's hard drive. More complex situations come closer to the line, of course, but in most cases it's fairly clear who the most likely culprit was.
But, even if the defendants live in an apartment with a communal computer or network shared equally by multiple long-term residents, all of whom use the same file-sharing user account, it is not necessarily up to the plaintiff to prove which specific defendant shared the files. A long standing rule in tort law from the case Summers v. Tice, 33 Cal.2d 80 (1948) establishes that where the plaintiff can prove that multiple defendants were negligent, the burden shifts to the defendants to prove which one actually committed the injury. It is quite possible that the file sharing case plaintiffs will be able to successfully argue that it is up to the various users of a computer to prove who actually shared the files or else they will all be jointly liable. This is especially likely if it can be shown that all of the defendants were aware of the file sharing program and the infringing nature of the files.
Legal code for this (Score:5, Funny)
if(individual.sues(evilCorporation)) {
return "IP address is not personal identification";
} else if(evilCorporation.sues(individual) {
return "IP address is personal information";
} else return "Please submit amount available to donate to my election campaign";
}
Is this really a bad thing? (Score:3, Insightful)
Think about it: according to this judge, an IP address identifies a computer (as others have pointed out, "network endpoint" would be a more correct term), not the person behind it. Although this makes it easier for the **AA to collect IP-address information, it also makes such information a lot less useful, because by itself it leaves a hole big enough to establish reasonable doubt. The IP address can establish what computer was used, but it does not prove that the defendant was the one operating the computer in that capacity. Especially in an age of botnets and malware, there's a lot of doubt here unless you can establish a stronger link, and the IP address won't help you on that score.
That leaves open the question: does this really strengthen the **AA, or does it actually hamstring their tactics? This may remain to be seen.
The IP is a lot like a license plate (Score:5, Insightful)
If all they have is a picture of your license plate, that doesn't prove you were driving. We should use this ruling as precedent to get out of automated tickets when there is no clear picture of your face.
Couldn't this be a potentially good thing? (Score:3, Funny)
Re: (Score:3, Insightful)
An IP does not identify the user but it will identify that it's someone's computer doing to sharing (once you've a court order getting the User's details).
How so? If the precedent stands that IP address is not personally identifiable information, then how do you identify the user based on it (to the court's satisfaction?)