Your Dynamic IP Address Is Now Protected Personal Data Under EU Law

Europe's top court has ruled that dynamic IP addresses can constitute "personal data," just like static IP addresses, affording them some protection under EU law against being collected and stored by websites. ArsTechnica UK adds: But the Court of Justice of the European Union (CJEU) also said in its judgment on Wednesday that one legitimate reason for a site operator to store them is "to protect itself against cyberattacks." The case was referred to the CJEU by the German Federal Court of Justice, after an action brought by German Pirate Party politician Patrick Breyer. He asked the courts to grant an injunction to prevent websites that he consults, run by federal German bodies, from collecting and storing his dynamic IP addresses. Breyer's fear is that doing so would allow the German authorities to build up a picture of his interests. Site operators argue that they need to store the data in order to prevent "cybernetic attacks and make it possible to bring criminal proceedings" against those responsible, the CJEU said.

Re:

[Impy the Impiuos Imp]

He might have made a first post years ago if he had tried instead of waiting 10 years first.

Re:

[bluelip]

I've been waiting at least that long for Natalie Portman, hold the hot grits.

Re:

[Oswald McWeany]

I could only wait for about 2 minutes... ... Sorry Natalie!

Re:

[aliquis]

I've been waiting at least that long for Natalie Portman, hold the hot grits.

I guess this isn't the time to say "fuck her" but I would had taken and waited for Alizee instead. However I had missed she had become single and I thought she had more children (but that was Jolie) and now she's found someone new again.

It's such BS. Alizee, you know I deserved you when you were young and hot, it should had been us, but chances by now I can't do better so you may still have a chance! ;D

Re:

[alisande]

and yet gone so fast.

ps - probably my first post in over 10 years; actually had to re-create my old yahoo account to get the password... HA!

Re:

[KingBenny]

I didnt quite see the legal text. Does this mean its officially forbidden for anyone and any server anywhere getting EU traffic to keep logs ?
thats probably a good thing then but how do i turn it off ? this /var/log/ thing ? it just keeps coming faster than i can delete it ?

Open source software == NSA

[CajunArson]

Well, it looks like practically every default logger for Apache/Nginx/etc. can be considered NSA spyware according to this edict.

That means you too, Slashdot.

Re:

[Calydor]

Oh, so it isn't just because English is not my native language that I think of cybernetics purely in the context of cyborgs, androids and the like?

Re:

[EtCeteralodz]

I do not know

Re:

[Anonymous Coward]

Attacks by the Cybermen, but the Doctor will protect us.

Reasonable

[ADRA]

It is 'reasonable' that your IP address is considered personal information 'offered' to the web sites in question.

What this law 'should' mean (I can't speak for the wording specifically) is that a site's owner should treat a user's data as privileged, meaning it isn't handed out to others without reasonable justification. Law enforcement should still be able to subpoena these records as they probably have been able to in the past. My hope is that the law makes it harder for 'non-subpoena' requests for a given user's IP address harder to obtain since it would now be a privacy violation to disclose it.

That's all fine, but as the blow-back illustrates, just because an IP address makes a physical connection with a service you're hosting, it doesn't mean that said service is in any way being transmitted by the person in question. DOS attacks happen all over the place, and unless you have services which share information about these attack vectors, its significantly harder to track and get take-downs of the offenders (maybe I'm being too optimistic..).

Maybe the best trade-off is when an IP address is logically tied to further information from the site (site profile, name, email, etc..). If so, the information is considered 'personal information' while a random drive-by DOS is just considered infrastructure data.

Re:

[Anonymous Coward]

Seeing as how we're headed towards worldwide adoption of SSL as a standard it's reasonable to assume that everything will be considered private soon. IP addresses are not "an offering", they are required in the handshake process for communication. In my opinion the protocol determines whether a connection can be assumed private or not. HTTP no, HTTPS yes. That's why there's such a huge push for everything to be HTTPS now. It's a good thing for everyone. NSA can't scoop up tons of public traffic anymor

Re:

[MooseTick]

"an IP Address is like a physical address on a house: it does not identify a person"

Would you be ok with any business giving away your home address however they saw fit?

Re:

[account_deleted]

Comment removed based on user account deletion

Public or private?

[unixisc]

The ruling is somewhat laughable depending on what sort of dynamic address we are talking about here. If it is an address from RFC1918 - something like 192.168.7.11, then it's really silly, given that it's the address of any number of people in that number of separate networks. If it's a public /128 IPv6 address, I see the point - although given that a subscriber would usually get at least a /64, question that would arise - why not protect that entire /64 subnet?

Re:

[truedfx]

I'm the only one living in my house and I have a static IP address. Both my physical address and my IP address do identify me. You cannot know just by looking at them whether they identify a person, and that by itself should already be reason enough to treat them as potential personal data. That said, you're being inconsistent. Date of birth does not identify a person. Date of birth in combination with other facts may. Party affiliation does not identify a person. Party affiliation in combination with othe

Re:

[Oswald McWeany]

Yeah, well I can see UP!

Re:

[Luthair]

The issue is that the IP address is trackable.

NAT

[Karrham]

What about ISP that use NAT? In this case many users have the same ip address. Public WiFi hotspots usually have one ip address in Internet for its clients. I don't think that site owner can easy get information about persons that used some IPs from ISP, when users didn't some bad things.

192.168.0.3

[jfdavis668]

Sorry, you can't store it, it's personal protected data!

Re:

[Obfuscant]

If that's the address you connect to someone's website with, they don't need to store it because you aren't getting any connections to start with.

Are you confusing dynamic IP addresses with private netblocks?

Re:

[Coren22]

Well, mine is 127.0.0.1, hack that all you horrible internet hackers!

I thought my IP address....

[mark-t]

... was the property of my ISP.

Sort of like how my physical street address is property of the municipality, my phone number is property of the phone company... etc.

I do not own any of the information that could potentially be used to track me down unless I can live entirely independently of using property that belongs to other people.

No to IP address, phone number

[raymorris]

> I thought my IP address was the property of my ISP.

It is explicitly NOT. The agreement an ISP signs to get numbers includes these terms:
--
Legacy Holder acknowledges and agrees that: (a) the number resources are not property (real, personal, or intellectual) of Legacy Holder; (b) Legacy Holder does not and will not have or acquire any property rights in or to any number resources for any reason
---

See also:
https://www.arin.net/policy/nr... [arin.net]

The most important practical implication of that fact is that ARIN

Re:

[mark-t]

Phone numbers are only as portable as the phone companies that govern them allow them to be. If you have a land line, try moving to another city in the same area code and see if they let you keep the same phone number.

Re:

[Luthair]

I believe that was part of the regulation, and in general it makes sense for routing reasons.