E.U. Regulator Says IP Addresses Are Personal Data

NewsCloud writes "Germany's data-protection commissioner, Peter Scharr told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address, 'then it has to be regarded as personal data.' Scharr acknowledged that IP addresses for a computer may not always be personal or linked to an individual. If the E.U. rules that IP addresses are personal, then it could regulate the way search engines record this data. According to the article, Google does an incomplete job of anonymizing this data while Microsoft does not record IP addresses for anonymous search."

Is a license plate personal data?

[Anonymous Coward]

Because that's today's car analogy for an IP address.

Re:Is a license plate personal data?

[Respawner]

actually, if you're using it to identify somebody, or if you keep it as general information about somebody(access log), then yes, yes it is
just like a social security number is personal data, or the number on your id-card or your home-address and so on
ooh yeah, don't confuse US-law with EU-law ;)
and offcourse, IANAL

Re:

[Nullav]

Yes, a license plate won't end up on a car six miles away in a matter of months/years. (Hours in the case of dial-up.)

Re:

[barocco]

Don't quite agree... I don't think when you pull into the pharmacy to 'GET' a small-size condom you need to utter your license plate number to initiate a conversation & transaction with the cashier (well, in which case you'd probably avoid any conversation but just have the transaction done).

Re:

[gallwapa]

Dealer? You insensitive clod! Try cooker!

Re:

[LordSnooty]

Yup, in my country whenever a car is shown on a news report for example they blur out the registration number. This is in line with data protection legislation of the late 90s.

Re:

[malsdavis]

Many IP addresses are static though. I don't really understand what NAT has to do with it in the vast majority of cases.

He's totally right

[smittyoneeach]

Now bow to your Redmond overlord, miscreants! [theonion.com]

Re:He's totally right

[unlametheweak]

Don't believe everything you read. The Onion has about as much credibility with me as Fox News.

Re:He's totally right

[packeteer]

Lies! Not only is fox fair and balanced but the Onion is "America's finest news source."

Re:

[smittyoneeach]

Are you saying that you can differentiate among any of the cable news channels and an open sewer?
Do go on, sir.

That's insulting!

[SanityInAnarchy]

How dare you compare the fine folks at The Onion to Fox news!?

doubtful

[no-body]

if the flood of greed to tracking ($$'s) everyone's move can still be held back:

In email source:

HTML comment tag open [WEBTRENDS-Tracking] HTML comment tag close

img alt="DCSIMG" id="DCSIMG" width="1" height="1" src="http://statse.webtrendslive.com/dcskvlalu100004rfxyw......

Re:

[MadMidnightBomber]

That's why I read all my mail with 'less /var/spool/mail/...'

Strange idea

[geek]

Never really looked at it this way. I think it's become ingrained in us that IP's are a way of tracking instead of a way of communicating. Being able to track them is just a side issue. If we look at an IP as a means of communication then does that not make it private in some way? I don't know exactly how I feel about this but I'd certainly like to have more rights rather than less of them.

Re:Strange idea

[Amorymeltzer]

I always visualized it akin to your telephone number - yeah, it's your number, but anyone can look it up in the pages. You work a bit to get on the no-call list and taken out of the directory, and of course, you can change your number or hide it from caller ID.

Doesn't quite work as an analogy

[CaptainZapp]

yeah, it's your number, but anyone can look it up in the pages

While everybody can check a directory such directories don't exist for IP numbers. Respectively the information needs to be obtained from the ISP.

I never heard of the requirement of a court order before checking a phone directory.

Re:

[h2_plus_O]

Either way you look at this issue, in the end What we have here is a political authority decreeing something, which only goes as far as they can enforce it. After all, Spam and phishing and all manner of such activity is illegal where I live, but that doesn't stop torrents of the stuff from ending up in all our inboxes. So the EU folks now define your IP addy as 'personal'- the impact of this will fall solely upon entities that care.

I'm also always leery of legislating on technology- it has the funny e

So...

[deepershade]

Does that mean that if passed, then the RIAA can't use my personal data 'IP' to sue me? TFA was a little short on details of the reprecushions of this.

Re:

[mr_matticus]

No. They'll still use your IP to sue you, just like they'd use your license plate to find you if you ran someone over with your car, or the registered customer of your cell phone if you made threatening calls.

This has potential implications for how easy it will be for them to get your IP and may legitimize some obfuscation methods.

Just like Target doesn't keep a list of all the phone numbers of customers that come in or out, websites you visit will now have to use a higher standard of care with your IP. T

Re:So...

[alx5000]

There's no European equivalent to RIAA... maybe there's such an organization on a country level, but I can assure you that sharing is completely legal in Spain, since fair use covers any kind of private copy, no matter whether you own the original or not (and yes, P2P falls into that category).

Re:

[zoney_ie]

It's interesting how the various anti-piracy groups complete ignore national laws. Copyright warnings on films here in Ireland for example still state how public performance is illegal, including schools, etc. Except that under Irish copyright law, schools have an exemption (which remains even in the latest version of the law that is designed to implement EU directives on copyright). It is entirely legal to screen an ordinary film in a school here in Ireland.

Re:

[SharpFang]

In Poland, there's such an organization, ZAIKS. They request the IP-physical address mappings from the ISPs before sending the police to raid the people. ISPs are in no way obligated to give them the info, or withhold it - but since ZAIKS coperates with the Police, ISPs usually yield, just not to anger the Police - they can't really hurt them, but they can make their life more difficult, so the ISPs usually hand over the info.

Now with this decision in effect, ZAIKS would still sue you for copyright violatio

Re:

[smittyoneeach]

Seeing as how the VP is such a VIP, shouldn't we keep the PC on the QT? 'Cause if it leaks to the VC he could end up MIA, and then we'd all be put out in KP

And they plan to implement this how?!

[CaptainPatent]

The only way to check and see if your IP is being kept is by changing the protocol entirely or by checking the company's servers. I'm guessing that not too many companies would appreciate people routinely rooting around, and if something to check if an IP is stored were to be implemented, the protocol would have to be vastly overhauled and it could slow down the internet 80% or more because of the extra time needed to "check."

The bottom line is this is much like the ruling in the US that companies had to keep a record of working memory (which is entirely impossible,) This seems to be more legislators talking about something they know very little about.

Don't get me wrong, I do appreciate the fact that it would make it harder for the ad industry to hunt you down which is always appreciated, I just don't think any reasonable implementation will work.

Re:

[alx5000]

And, yes, while we're at it, let's not prosecute fiscal fraud (since it's so hard to check the company's books, and not too many companies want theirs scrutinized).

The same can be applied to websites collecting info on users to sell it to spammers. It's really, really (really!) hard to prove they've sold it, but that wouldn't stop legislators from sanctioning that law, would it?

If the EU passes a law that adds IP addresses to the list of protected private data, that only means it is illegal to collect them

Re:

[unlametheweak]

The real issue would be how any privacy protections like storing IPs would be enforced. It is doubtful that a company would willfully admit to storing IPs if it is against the law to do so. I know if I were running a server (Web, FTP, IRC, etc), then I would store IPs despite the law, just because it makes sense from a security perspective (I would want to know who is online, who to ban, etc).

IP's contain less value over time (most consumers have dynamic IP's, can switch ISPs, use proxies, etc), so storing

Re:

[dleigh]

TFA (and some slashdot readers) seem to be assuming that he is calling for a ban on logging IPs. TFA is pretty thin on what was actually said at the meeting, just taking the assumption and asking a few search company spokespeople for their opinion on that assumption. The comissioner doesn't seem to be claiming anywhere that IP addresses should not be stored, or that regulators should check to see if they are not stored, or that any "implementation" of anything is or should be required. The only statement f

Re:

[thannine]

The comissioner doesn't seem to be claiming anywhere that IP addresses should not be stored, or that regulators should check to see if they are not stored, or that any "implementation" of anything is or should be required. The only statement from him seems to boil down to "something which identifies a person should be considered personal data".

And this would be the logical thing to say. Many posters have been wondering "how are they going to implement this?". Well, the thing is that laws like that are already in place (at least in Finland, but I'm assuming the rest of EU also), it's just the question of whether they apply to IP addresses as well as phone numbers, addresses, social security numbers etc. It's not illegal as such to store those, it's just regulated.

Re:And they plan to implement this how?!

[mxs]

You misunderstand the issue. If IP addresses are considered personal data, they can still be used during the connection and for tasks immediately related to servicing that connection -- akin to buying something with your credit card (which does not allow the store to store your personal information for purposes other than payment processing).

In Germany's current privacy and data protection laws, everybody has the right to decide what happens to their own personal information if it is being processed by computers. For instance, you can tell Amazon to delete all personally identifiable data they have about you, and they have to comply -- and you can ask any company that has personal data about you (such as your phone number, your address, etc. in telemarketing and plain old snailmail spam) to tell you where they got it from, what basis they have for keeping it, and to delete it from their databases. If they do not comply, you have a strong legal standing to compel them to give out this information (Mr. Sharr, who is quoted here, is the national representative for data protection, though there are more local ones as well -- if they suspect foul play, they /can/ raid businesses, and do so if warranted.

The legislators know very well what they are talking about. The scope of "personal data" is narrowly confined (anything that can be used to identify you or is saved in relation to data that can personally identify you or anything that could automatically be tied to you by a third party; IP addresses fall into the latter category; while a webhost will not be able to do the IP -> Name&Address resolution, the user's ISP could -- therefore the IP address is personally identifiable to a specific party through a third party and thus personal data protected under stringent data protection laws. This has been tested in court (the German DoJ, for instance, is no longer allowed to log IP addresses on their web servers by court order).

These laws don't "just" exist to combat the ad industry, but rather are an extension of one of our constitutions human rights, that is, the right to free self expression; this includes, under German law, the right to decide what happens to your data. There are, of course, certain restrictions (for instance, the DMV can process this data, as can other governmental bodies -- IF SPECIFICALLY AFFORDED THAT RIGHT BY LAW -- for their (narrow) purposes. You can waive this right (i.e. you can give your address to Reader's Digest for them to spam you with as they see fit -- if you give the permission (which is always revocable), they can do with your data whatever you allowed them to; Sweepstakes, for instance, are often designed to gather this data and get permission).

As for implementation thereof : I don't see a problem. The ip address can still be used to commmunicate same as before; it just can't be logged indefinitely nor used for purposes other than the intended one (i.e. connection establishment, communication, teardown vs. ad tracking) UNLESS the person in question has given permission. What this boils down to in Apache is adding mod_removeip. If no other information personally identifies your visitors (even through a third party), you can now log this data and do with it as you wish. Another possibility would be pseudonymizing the IP addresses with one-way hashes (though some care will have to be taken that this is not reversible easily, which may become a problem since there are only 32 bits in an IP address and thus bruteforcing is a viable tactic).

Nothing needs to be implemented to "check" whether the IP is stored. If you have a reasonable assumption that your contract partner is screwing you over, you can lodge a complaint with the Landesdatenschutzbeauftragter or Bundesdatenschutzbeauftragter (Mr. Scharr in this case), who will investigate -- same as when you suspect they are selling your address information illegally or engage in other illegal activites.

I for one am glad that there are some privacy advocates who thing about this s

worry about the German government first

[nguy]

In Germany's current privacy and data protection laws, everybody has the right to decide what happens to their own personal information if it is being processed by computers.

Well, that is, except for all the ways in which the German government uses that information to track you and spy on you. German privacy attitudes are schizophrenic: they live in a country with a history of governments perpetrating genocidal mass murder based, in large part, on personal information and connections between citizens. You

Re:

[Yvanhoe]

Germans learned from nazism and sovietism that privacy was a damn serious issue. That any entity with personal information about several million people can turn into something nasty. They completely understand how IP logs could be used in a bad way, Americans tend to be optimistic about this but Germans already have undergone two periods of oppression that relied on an extensive invasion of privacy.

Re:

[nguy]

Germans learned from nazism and sovietism that privacy was a damn serious issue. That any entity with personal information about several million people can turn into something nasty.

Well, apparently Germans didn't learn:

http://www.heise.de/newsticker/meldung/98747 [heise.de]

http://www.tagesschau.de/inland/vorratsdatenspeicherung22.html [tagesschau.de]

Americans tend to be optimistic about this

Optimistic? Americans are deeply distrustful of their government and protective of their ability to remain anonymous, far more than Germans.

but

Re:

[Crayon Kid]

[..]Americans tend to be optimistic about this but Germans already have undergone two periods of oppression that relied on an extensive invasion of privacy.

That's why, in this context, the approach on topics such as mandatory ID's strikes me as strange in the two countries.

Most of the European countries, especially those that used to be behind the Iron Curtain, have grown used to mandatory ID's. When they finally got a taste of actual freedom and democracy they kept the ID's, but they also payed a lot more

Re:

[mxs]

Sorry, but no. Even the German government is bound by its privacy laws -- in fact, they privacy laws are even tougher for governmental data processing since they are backed by the Grundgesetz, i.e. our constitution (which technically is law to protect the individual from governmental action). East Germany doesn't exist as a state or a government anymore. The third reich does not exist anymore (but thanks for Godwin'ing this conversation). Those days did NOT have data protection laws, let alone computers the

Re:

[nguy]

Phones need to be registered -- sure, with your carrier. The one who bills you. Same as the US and other countries

This is quite incorrect. In the US and other nations, you can get a phone for cash or with just a credit card number (and you can get anonymous credit cards if you like). In Germany, you need to give your home address to the carrier, because of government regulations. This is one of the reasons getting a Skype number in Germany is such a problem.

(In addition, in Germany, your home address its

Re:

[mxs]

You should specify cellphone when you are talking about phones. Though in that you are correct, you need to leave your home address with your carrier. NOT the government though. The carrier needs to have this information on file, but there is no obligation to turn this information over to any government agency absent a judge-ordered legal subpoeana.

No, I do not need to pay a fee to leave that field blank. It is also quite common NOT to have that field filled out, after all, having it filled out means that y

Re:

[nguy]

You should specify cellphone when you are talking about phones.

The law applies to all phones: land line, Internet, and cell phones.

No, I do not need to pay a fee to leave that field blank.

You can't "leave" that field blank; that field is filled in automatically on your tax forms every year unless you take explicit action. In order to change it, you need to explicitly file a form with the government, and there's a fee associated with that. http://www.kirchenaustritt.de/ [kirchenaustritt.de]

And no, the police does not have acce

Re:

[mxs]

Well, for regular landlines it's quite natural that your CARRIER will know where to install your phoneline and where to send the bills -- anywhere in the world. The case you seem to be concerned about is prepaid cellphones requiring address information, though.

As for change of affiliation costing a fee, you seem to be correct for some states. I did not have to pay anything when I did it, since I'm in one of those states where it does not cost anything.

Sources would be the BDSG (Bundesdatenschutzgesetz). Per

Re:

[nguy]

Sources would be the BDSG (Bundesdatenschutzgesetz). Personal data of a special nature (religious affiliation is of that kind, specifically mentioned) gets even more protection.

http://www.gesetze-im-internet.de/bdsg_1990/BJNR029550990.html [gesetze-im-internet.de]

In 14(2)(6), 14(2)(7), and 14(5)(1), that law effectively permits the use personal data collected by any government agency for police purposes, including highly personal information, like religion and sexuality. That's in addition to several other loopholes in that law th

Re:

[mxs]

Neither 14(2)(6) nor 14(2)(7) apply without cause ("Präventive Strafverfolgung" in and of itself is not allowed as per PolG, "Straftatprävention" has to meet a proportionality-test as it affects article 2 GG). If your privacy is eroded without cause (i.e. Verdachtsmoment), you always have the option to seek recourse under Art. 2 GG. "Verdachtsunabhängige Datenerhebung" (i.e. data collection without existing suspicion) is not covered by these 14(1) exceptions -- this limits the scope further.

Re:

[nguy]

(i.e. data collection without existing suspicion) is not covered by these 14(1) exceptions

Section 14 doesn't talk about data collection at all; it talks about how government agencies can use data already collected by other agencies for new purposes. And evidently they do.

Neither 14(2)(6) nor 14(2)(7) apply without cause ("Präventive Strafverfolgung" in and of itself is not allowed as per PolG, "Straftatprävention" has to meet a proportionality-test as it affects article 2 GG).

You claimed that the

Re:

[mxs]

14 implicitly covers collected data, as it talks about storage. Though yes, 13 is about the collection thereof, while 14 goes to the meat of the matter when we talk about access by law enforcement.

I claimed police could ge the data under lawful order from a judge, not that it was impossible for them to get it. In retrospect (while this does apply to private entity data collection), that was too strong a statement. There are, however, restrictions and usage-bound rules. It has been a while since I studied th

Re:

[nguy]

submitted that these values and traditions exist more in Germany currently than they do in the US; don't throw with stones when sitting in a glass house, as they say.

Where do you think modern German values come from? Post-WWII Germany was shaped by the victors of WWII, its constitution was written under US supervision, it was de-nazified and re-educated under allied control, and Germany was integrated into a complex web of economic and military relationships. In fact, you might say that today's Germany is

Re:

[mxs]

It is true that the allied forces shaped Germany post-1945. It has to be recognized that the leadership of the allied forces at that time did some brave and brilliant things in order to not just end the war, but also help (re)build a society integratable into the day-to-day workings of the world. However, please don't paint it with a broad-brushed Americanization; The system is sufficiently different from what the US is modeled on, and the US is not the only allied force. It's also folly to assume that guid

Re:

[nguy]

However, please don't paint it with a broad-brushed Americanization; The system is sufficiently different from what the US is modeled on, and the US is not the only allied force

I didn't claim that Germany society was a carbon copy of the US, I said that German democratic values and traditions are largely derived from American ones (which are basically the same as the allied ones).

but no, democracy existed in these parts before it, with tradition.

Really? Like where? German intellectuals liked to talk a lot

Re:

[mxs]

True enough, the first proper democracy would be considered the Weimar Republic (which ultimately buckled under the depression).

The state of a society is influenced by its history, but you cannot derive its state thereof; That would require a mighty crystal ball (i.e. in how history is interpreted and used in that society). There are of course some ways do gauge the general trends in a society (pollsters make their living doing that, and some even have a scientific foundation). I couldn't paint a picture of

Re:

[nguy]

I couldn't paint a picture of any society with just history alone; it sets the surroundings, it doesn't force an outcome.

Neither can I. But I'm not saying that Germany is a bad democracy, I'm disagreeing with you that the world should look to Germany as a model of privacy protection and democracy. Germany has not faced a major crisis change since WWII, so nobody knows how it would hold up.

That's where stuff is going awry, IMHO. If that is how DEMOCRACY should work, then it is not democracy we are talking

Re:

[mxs]

I'm not advocating that the world be modeled after German governance, nor adopt all its laws. To suggest so is ridiculous. Nevertheless, to dismiss an analysis by Mr. Schaar out of hand just because he is from Germany, well-versed in the intricacies of data protection (it's his job), and an expert in the field (it's his job and he's well-recognized in that capacity), is equally patently ridiculous. The rights afforded to German citizens w.r.t. data protection are of a higher base level than those afforded t

Re:

[nguy]

issue, and neither can one seriously claim that Mr. Schaar has no idea what he is talking about and thus his testimony or advice not be heard.

Where do you get that from? Of course, his testimony should be heard. I'm saying people need to look at his and Germany's record and not just believe the German myth that Germany has strong data protection laws.

I find it interesting that you seem to consider low voter turnout a good thing, and the reason given for it.

Where do you get that from? I said "Voter turnou

Re:

[mxs]

Where do you get that from? Of course, his testimony should be heard. I'm saying people need to look at his and Germany's record and not just believe the German myth that Germany has strong data protection laws.

So you did not imply for the EU and the US to tell him to go take a hike, get his house in order first before he can make a valid point one should listen to ?


Where do you get that from? I said "Voter turnout tells you little about the health of a democracy. The relatively low voter turnout in the US

Re:

[pipatron]

Without some form of [at least somewhat] verifiable logs, there is no record proving that real users were ever shown the ads.

Great! This would mean that there's no ads on television, because such a model could never work. I guess I stopped watching TV because I'm crazy and see things that doesn't exist then.

Re:

[Fastolfe]

Web ads are not billed based on placement, with the "hope" that some number of eyeballs will see it. Web ads are billed based on the number of impressions or clicks. SOX is a HUGE deal for these types of arrangements. If you're suggesting that web ads move to the TV ads model, that's a fairly significant change and I'm not really sure that would work out very well. You'd need some sort of awkward payment schedule for the millions of tiny sites out there that generate just enough traffic for a few bucks

Re:

[jez9999]

Don't get me wrong, I do appreciate the fact that it would make it harder for the ad industry to hunt you down which is always appreciated,

That's an idiotic opinion. If you find a way to block ads, then it doesn't matter either way; if not, at least personalized ads will be personalized. Your fear of them 'tracking you down' is irrational, as if you think they're kidnappers or something.

Re:

[Midnight Thunder]

The only way to check and see if your IP is being kept is by changing the protocol entirely or by checking the company's servers. I'm guessing that not too many companies would appreciate people routinely rooting around, and if something to check if an IP is stored were to be implemented, the protocol would have to be vastly overhauled and it could slow down the internet 80% or more because of the extra time needed to "check."

I doubt they will systematically check companies, but rather when something does t

Just Addresses

[excelblue]

I am truly disappointed in this. If IP addresses are a means of communications, wouldn't that be similar to phone numbers?

It shouldn't be any more personal than a phone number is. Whenever someone calls me, I like to log them on my caller ID. I don't see a difference here.

Re:

[davetpa]

It shouldn't be any more personal than a phone number is. Whenever someone calls me, I like to log them on my caller ID. I don't see a difference here.

But what about if the phone company sells your phone number (no other information attached) along with a record of all the numbers you called and all the numbers that called you? Now your phone number is no longer just a means of communication.

The scary part is that they've been doing that for years WITH your other personal information!

Re:

[SnowZero]

But what about if the phone company sells your phone number (no other information attached) along with a record of all the numbers you called and all the numbers that called you? Now your phone number is no longer just a means of communication.

I would say that we need laws that differentiate between storing and selling?

I don't care if Joe the barber keeps a record of all the appointments I've ever made with him, and the phone number I used to make each appointment. What I do care about is that he does not give away or sell this information, and that he uses due diligence to protect the information from being stolen.

Anything else is getting far too close to a world like 1984, where keeping a diary can become illegal.

Re:

[mvdwege]

The use you hypothetical Joe the barber would put your telephone number to is exactly within the scope of the EU privacy directive upon which German law is based. Joe must tell you what info he stores, and what use he puts it to. If that use is vital to his business relationship with you, it is allowed. All other uses need your specific consent.

So Joe can store your appointment information. Without your consent, he may have to remove all telephone numbers except on the latest appointment. He can most defin

Re:

[SnowZero]

German law on this matter sounds like a pretty good compromise. If we applied this in the US though, the business would need sufficient records to pass a tax audit, which for an appointment-based service would generally include enough information to recontact customers (so one can prove that they indeed exist). A tax audit can go back up to 7 years, thus a small single-proprietor business would have to keep records that long (It may be different for large companies, I'm not sure). That puts a big dent i

Re:

[Harmonious Botch]

Or is my street address personal data? Or how about "the girl next door"? That is a unique identifier too.

Re:Just Addresses

[mr_matticus]

Yeah.

That's exactly what's going on. Your phone number is personal data, too.

I don't understand the source of your disappointment, unless you think that personal data is private information. It's not.

Re:Just Addresses

[Beriaru]

Your name is personal data, but not private.
Your phone number is personal data, but not private.
Your Address is personal data, but not private.
And of course, your IP is not private... but is part of your personal data.

Maybe in USA there is no difference between private and personal data, but in EU there's a big difference: nobody can NOT store your personal data without warning you and giving methods to correct AND ERASE your data.

Re:Just Addresses

[QuantumG]

nobody can NOT store your personal data without warning you

Well shit, I better warn you right now that I'm not storing your personal data.. that goes for everyone else reading this: I AM NOT STORING YOUR PERSONAL DATA!

Whew, lucky I got that out of the way.

Re:

[xaxa]

In the EU any company storing personal data has to register with someone (the Information Commissioner's Office in the UK) and say what data they store and what it's used for. They can only use it for what they say they use it for.

Re:

[QuantumG]

In Australia a company or government agency or individual has to state why they are collecting data and what they will use it for, and they are legally prohibited from using it for any other purpose.. oh, and you can demand to see what data they have stored about you and how they are using it and have it erased if you desire. These are called "privacy" laws. So, sounds about the same as Europe.. USA, behind again.

Re:

[xaxa]

Quoting a lawyer, in England: "The biggest threat to Europeans' privacy is American corporations."
I expect you can s/European/Australian/ in that.

Re:

[Tavor]

Indeed. Should us Americans use a similar setup, I believe the RIAA would not be able to do it's I.P. address drift-net tactics. Though, as always, IANAL. Though I would love to hear NYCL's take on it.

Re:

[neoform]

I'd say it's more like a home address. Would you get in trouble for writing down someone's address? Why should an IP address be any more 'personal'? I'd say both are quite impersonal.

Re:

[Zironic]

You're not allowed to store my address either without my permission.

Whoa

[MattPat]

I can't believe what I'm seeing. Is this actually a semi-responsible technology-related decision made by a legislative body?

I'm not saying I necessarily agree with the complete "scrubbing" of Google et al.'s records, as it were, but the classification of an IP address as personally-identifiable information is definitely a positive step towards Internet freedom, and a reasonable expectation of some degree of privacy. At the very least, it gives you a leg to stand on when you find out that some company has

Trust Microsoft

[Doc Ruby]

According to the article, Google does an incomplete job of anonymizing this data while Microsoft does not record IP addresses for anonymous search.

Unless Microsoft is just lying. How can they be trusted, with their track record?

Re:

[Doc Ruby]

Moderation +2
    50% Interesting
    30% Insightful
    20% Flamebait

At least 20% of modders trust Microsoft more than their own lying eyes.

Ok, more craziness

[Psychotria]

How is an IP address more "personal" than my GPS location at any given point in time? Sure an IP address can be "mine" if I have my own domain etc. This is not usually the case though. Most IP addresses are "owned" by the ISP and assigned to people via DHCP (except for static ones). This is not too much unlike a restaurant reserving tables for a customer, and sometimes reserving a table for a customer for a long time. It doesn't make the table being reserved the customers the customers personal property; the restaurant still owns it--it is no more personal than, well, any other table in an anonymous bar (for example). I can't see how IP addresses can be "personal".

Re:

[mxs]

How about IP address + timestamp ?

Your address ISP Webhost IP + Timestamp GET /hot/brunette/doing/funky/stuff/naked/001.jpg --> Your address --> GET /hot/brunette/doing/funky/stuff/naked/001.jpg (and that is personal data since it identifies you as a person doing something.

Re:

[Psychotria]

Yeah; your IP address still isn't private though, so I stand by my original argument. There are ways to get around that of course.

Re:

[mxs]

Your original argument was "personal data" not "private data". There is a difference. It's not about hiding your personal data, it's your right to decide what happens to your personal data -- in particular whether it can be used for stuff other than the purpose you intended, legally.

Begs the question...

[__aaclcg7560]

If IP addresses are personal data, who owns 127.0.0.1?

Re:Begs the question...

[lexarius]

Well, that's my computer's IP address, so it's obviously mine, and I'll have to ask you to stop waving it around like that.

Re:

[jroysdon]

Same guy that owns ::1 [hp.com]

Re:

[Swampash]

More to the point, who owns 192.168.1.1????

I had it first!

Major legal issues arising?

[DigitAl56K]

If IP addresses are personal data, and you visit my web page, and my access logs show I served an IP that you used at a certain time (or even just that I served an IP you used), am I now subject to laws regarding the holding of personal information? If you were to contact me and request that information how would I authenticate you? If I was to disclose certain parts of the "personal data" that you claimed belonged to you, how could I know that I was not disclosing someone else's personal information, given that I can't necessarily authenticate you or anyone else and IP's can be re-allocated? If I ban an IP address for abusing my server and it is later re-allocated to someone else, is that slander? If I forward an e-mail whose headers contain IP addresses of relay servers, is that unlawful disclosure of personal information?

This is totally ridiculous.

Re:

[arkhan_jg]

You're assuming the restrictions on personal data are greater than they are. If IP's are judged personal data, that makes them like a telephone number or an address (The Act covers any data which can be used to identify a living person). Still, you do have some responsibilities, *if you're in the EU* with regards handling personal data. Basically, there are restrictions on publishing it or sharing it around without permission, and you can only use it for the original purpose for which it was collected. (Sen

Re:

[GryMor]

How does this work exactly? Due to dynamic ips, NAP, non routable addresses and other network idiosyncrasies, an ip doesn't identify a specific person without further context any more than the name John Smith identifies a specific person without further context. Can I really make a request of a company to identify how they got every occurrence of John Smith in their database? As this provides context, how does it fail to infringe on the privacy of the other John Smiths? Similarly, if an well formed inquiry

IP addresses are personal data...

[nguy]

... and that's why the German government collects them, just like all other personal data.

Germany's positions on issues of privacy are rather two-faced, having one of the most intrusive surveillance states in the world, while at the same time proclaiming itself to defend personal freedoms.

It's Peter SCHAAR

[Doctor O]

His name is Peter Schaar, not Scharr. One would think the editors would at least *skim* TFA.

Oh, and he's a great guy BTW, responding to email in a timely and thoughtful manner, and investigating the questions he's being asked.

Re:

[Doctor O]

And the posting is correctly tagged as concerning schaar, not scharr[1].

I know, because I tagged it as such, and I guess several others followed me in this, either because they're German and know Mr Schaar, too, or because they've read my comment.

I think Peter Schaar's name stems from Schar, which means group of people.

Might be, then again I went to school with someone whose name was also Schaar, and he told me it was of Dutch origin and had to do with some medieval profession, but I don't remember which it was. Maybe someone from Benelux can elaborate. ;)

How will this affect Wikipedia?

[ta bu shi da yu]

Wikipedia records IP addresses for all anonymous editors. I wonder how this will affect the project?

Re:

[JasterBobaMereel]

Yes but...

1) Wikipedia is US based so these laws do not apply (they do not have the data protection act)

2) Wikipedia states on it's edit screen that everything you submit will be covered by the GNU Free Documentation Licence and so the people who IP address have been logged have voluntarily given up their rights by submitting ...

Re:

[Curmudgeonlyoldbloke]

Taking the second point first, I don't think that it's relevant - the ICO's "Facebook decision" would apply just as much to Wikipedia anonymous edits as to Facebook:
http://news.bbc.co.uk/1/hi/7196803.stm [bbc.co.uk]

However, regardless of where a company is based, the link above suggests if they're "established" in the UK they're subject to law in the UK (presumably the law of whichever bit of the UK they're established in). Presumably it is up to a court has to establish that. In the case of someone with an actual ad

Data Protection

[stevenmu]

Wow, even for /. there's a lot of people who didn't even read the summary, let alone TFA. And there's a lot of FUD being spread. What this means is that IP address information might be considered personal data under EU data protection laws. This means that companies/corporations/organisations which log your IP address will have to have a privacy policy in place governing how that information is used. There are also certain requirements, such as they have to make people's own information available to them

Yahoo Germany Helpdesk

[Anonymous Coward]

Helpdesk: "Hello, this is the Yahoo Germany Helpdesk"
Caller: "Yes, I want you to delete all your records with my IP address in it..."
Helpdesk: "OK"
Caller: "and I want you to tell me who gave you my IP address."
Helpdesk: "Umm, well your computer will have sent us your IP address when you connected to the website"
Caller: "Oh, I don't think so, I have a very good firewall."

Helpdesk: "Hello, this the German National Bank Helpdesk"
Caller: "Yes, I want you to delete all your records with my IP address in it

IP addressare NEVER linked to a user

[geekoid]

always a computer. Always.

If you read just one comment, read this one.

[Flambergius]

First: This is a good thing. It is a good thing especially for the individual.

Second: This is how things have been always been in most of Europe. The commissioner didn't change a ruling, he just said that he agrees with the consensus view. (Of course I don't know what the situation is in every European country, only for the ten or so.)

Personal data doesn't mean private. If fact, in many cases it is the opposite of private. In European practice, an individual has control over their own personal data. To use

Re:

[Anonymous Coward]

No problem [google.com]

Re:

[Your.Master]

The report isn't released yet. It's from an EU regulator. These guys aren't noted for being particularly sympathetic toward Microsoft. This sort of question is kind of tinfoil-hattish.

Look at the privacy policies of Microsoft and Google. Search them out yourself. Google them, or live search them if you don't want your IP logged. MS's official position on privacy is generally fairly strict, and they consider it a selling point. Google's is less so, and they consider it a non-issue.

If you disbelieve th

Re:

[GreatBunzinni]

You are being rather silly here. It's one thing for a corporation to offer vague promises in the form of a glorified press release. Having those promises being enforced by law is a whole different thing. How many times have corporations swore to something (Google's "don't do evil", Apple's "laptops should not be used on laps", Microsoft's "we take standards very seriously/ security is our prime objective", etc...) to then see them blatantly breaking their promise?

Re:

[Your.Master]

There's a massive difference between "we won't do evil" and "we do not store any passwords granted through site X / we store them for only 1 week, and shred the backups". One is a vague assertion and open to interpretation, and the other is not. And neither Microsoft is not very vague on this fact. Google is more vague, but in some cases does come out and say they make no promise.

Furthermore, a Press Release is not legally binding. Policies like this *are*

Re:

[Kamokazi]

With a statement like that I really doubt you'd even believe it coming from your own mother holding a document signed by Bill Gates and notorized by a Supreme Court judge. Because, you know, Microsoft doing something better than Google completely contradicts the Slashdot Theory of Logic.

Re:

[Zironic]

They're fine as long as they don't give away the IP to anyone else.