E.U. Regulator Says IP Addresses Are Personal Data

NewsCloud writes "Germany's data-protection commissioner, Peter Scharr told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address, 'then it has to be regarded as personal data.' Scharr acknowledged that IP addresses for a computer may not always be personal or linked to an individual. If the E.U. rules that IP addresses are personal, then it could regulate the way search engines record this data. According to the article, Google does an incomplete job of anonymizing this data while Microsoft does not record IP addresses for anonymous search."

Is a license plate personal data?

[Anonymous Coward]

Because that's today's car analogy for an IP address.

Just Addresses

[excelblue]

I am truly disappointed in this. If IP addresses are a means of communications, wouldn't that be similar to phone numbers?

It shouldn't be any more personal than a phone number is. Whenever someone calls me, I like to log them on my caller ID. I don't see a difference here.

Re:Just Addresses

[davetpa]

It shouldn't be any more personal than a phone number is. Whenever someone calls me, I like to log them on my caller ID. I don't see a difference here.

But what about if the phone company sells your phone number (no other information attached) along with a record of all the numbers you called and all the numbers that called you? Now your phone number is no longer just a means of communication.

The scary part is that they've been doing that for years WITH your other personal information!

Re:Is a license plate personal data?

[Respawner]

actually, if you're using it to identify somebody, or if you keep it as general information about somebody(access log), then yes, yes it is
just like a social security number is personal data, or the number on your id-card or your home-address and so on
ooh yeah, don't confuse US-law with EU-law ;)
and offcourse, IANAL

Re:Citation needed

[Your.Master]

The report isn't released yet. It's from an EU regulator. These guys aren't noted for being particularly sympathetic toward Microsoft. This sort of question is kind of tinfoil-hattish.

Look at the privacy policies of Microsoft and Google. Search them out yourself. Google them, or live search them if you don't want your IP logged. MS's official position on privacy is generally fairly strict, and they consider it a selling point. Google's is less so, and they consider it a non-issue.

If you disbelieve these stated corporate policies, then you really should get in contact with a lawyer and take some action.

Re:Just Addresses

[mr_matticus]

Yeah.

That's exactly what's going on. Your phone number is personal data, too.

I don't understand the source of your disappointment, unless you think that personal data is private information. It's not.

Re:Strange idea

[Amorymeltzer]

I always visualized it akin to your telephone number - yeah, it's your number, but anyone can look it up in the pages. You work a bit to get on the no-call list and taken out of the directory, and of course, you can change your number or hide it from caller ID.

Re:And they plan to implement this how?!

[mxs]

You misunderstand the issue. If IP addresses are considered personal data, they can still be used during the connection and for tasks immediately related to servicing that connection -- akin to buying something with your credit card (which does not allow the store to store your personal information for purposes other than payment processing).

In Germany's current privacy and data protection laws, everybody has the right to decide what happens to their own personal information if it is being processed by computers. For instance, you can tell Amazon to delete all personally identifiable data they have about you, and they have to comply -- and you can ask any company that has personal data about you (such as your phone number, your address, etc. in telemarketing and plain old snailmail spam) to tell you where they got it from, what basis they have for keeping it, and to delete it from their databases. If they do not comply, you have a strong legal standing to compel them to give out this information (Mr. Sharr, who is quoted here, is the national representative for data protection, though there are more local ones as well -- if they suspect foul play, they /can/ raid businesses, and do so if warranted.

The legislators know very well what they are talking about. The scope of "personal data" is narrowly confined (anything that can be used to identify you or is saved in relation to data that can personally identify you or anything that could automatically be tied to you by a third party; IP addresses fall into the latter category; while a webhost will not be able to do the IP -> Name&Address resolution, the user's ISP could -- therefore the IP address is personally identifiable to a specific party through a third party and thus personal data protected under stringent data protection laws. This has been tested in court (the German DoJ, for instance, is no longer allowed to log IP addresses on their web servers by court order).

These laws don't "just" exist to combat the ad industry, but rather are an extension of one of our constitutions human rights, that is, the right to free self expression; this includes, under German law, the right to decide what happens to your data. There are, of course, certain restrictions (for instance, the DMV can process this data, as can other governmental bodies -- IF SPECIFICALLY AFFORDED THAT RIGHT BY LAW -- for their (narrow) purposes. You can waive this right (i.e. you can give your address to Reader's Digest for them to spam you with as they see fit -- if you give the permission (which is always revocable), they can do with your data whatever you allowed them to; Sweepstakes, for instance, are often designed to gather this data and get permission).

As for implementation thereof : I don't see a problem. The ip address can still be used to commmunicate same as before; it just can't be logged indefinitely nor used for purposes other than the intended one (i.e. connection establishment, communication, teardown vs. ad tracking) UNLESS the person in question has given permission. What this boils down to in Apache is adding mod_removeip. If no other information personally identifies your visitors (even through a third party), you can now log this data and do with it as you wish. Another possibility would be pseudonymizing the IP addresses with one-way hashes (though some care will have to be taken that this is not reversible easily, which may become a problem since there are only 32 bits in an IP address and thus bruteforcing is a viable tactic).

Nothing needs to be implemented to "check" whether the IP is stored. If you have a reasonable assumption that your contract partner is screwing you over, you can lodge a complaint with the Landesdatenschutzbeauftragter or Bundesdatenschutzbeauftragter (Mr. Scharr in this case), who will investigate -- same as when you suspect they are selling your address information illegally or engage in other illegal activites.

I for one am glad that there are some privacy advocates who thing about this s

Re:And they plan to implement this how?!

[unlametheweak]

The real issue would be how any privacy protections like storing IPs would be enforced. It is doubtful that a company would willfully admit to storing IPs if it is against the law to do so. I know if I were running a server (Web, FTP, IRC, etc), then I would store IPs despite the law, just because it makes sense from a security perspective (I would want to know who is online, who to ban, etc).

IP's contain less value over time (most consumers have dynamic IP's, can switch ISPs, use proxies, etc), so storing them for years wouldn't make a lot of practical sense anyways in most cases. Calling something as ephemeral and virtual as an IP personal property may be fine for politicians, but the utility of this is yet to be seen.

The more practical solution would be to legislate what a company or individual actually does with an IP. Do they sell it to spammers or crackers? or do they store it so that they can ban known spammers or crackers from entering their servers?

Doesn't quite work as an analogy

[CaptainZapp]

yeah, it's your number, but anyone can look it up in the pages

While everybody can check a directory such directories don't exist for IP numbers. Respectively the information needs to be obtained from the ISP.

I never heard of the requirement of a court order before checking a phone directory.

Re:worry about the German government first

[Yvanhoe]

Germans learned from nazism and sovietism that privacy was a damn serious issue. That any entity with personal information about several million people can turn into something nasty. They completely understand how IP logs could be used in a bad way, Americans tend to be optimistic about this but Germans already have undergone two periods of oppression that relied on an extensive invasion of privacy.

How will this affect Wikipedia?

[ta bu shi da yu]

Wikipedia records IP addresses for all anonymous editors. I wonder how this will affect the project?

Data Protection

[stevenmu]

Wow, even for /. there's a lot of people who didn't even read the summary, let alone TFA. And there's a lot of FUD being spread. What this means is that IP address information might be considered personal data under EU data protection laws. This means that companies/corporations/organisations which log your IP address will have to have a privacy policy in place governing how that information is used. There are also certain requirements, such as they have to make people's own information available to them if requested, they have to disclose breaches of information to those affected and so on. It doesn't stop logging IP addresses, it won't stop webservers using client IPs to maintain statefull connections, it won't stop google associating IP addresses with search data, it won't stop wikipedia or forums storing the IP of posters. It just means that organisations doing this need need a privacy policy in place to protect this data (which most of them already have to protect other private data they store). It's just acknowledging that IP addresses can/may be used, in some cases (the summary points out that they already acknowledge IP addresses are often dynamic), to identify a person and deserves the same level of protection that things like phone numbers and home addresses already have.