Home / Blogs

IP Addresses and Privacy Sensitive Data - A Level Playing Field Needed

Wout de Natris

Reading Peter Olthoorn's book on Google (a link is found here), I ran into a passage on IP addresses. Where Google states that it does not see an IP address as privacy sensitive. An IP address could be used by more than one person, it claims. The Article 29 Working Party, the EU privacy commissioners, states that it is privacy sensitive as a unique identifier of a private person. It got me wondering whether it is this simple. Here is a blog post meant to give some food for thought and debate. I invite you to think about the question 'how private is an IP address'?

One person, one IP address

There is no doubt that if one person sits behind one IP address, that this unique address will tell everything about this person as far as his online behaviour is concerned. But how unique is an IP address? There may be more examples, but these stick out most for me.

Carrier-graded NAT

In a world in which IPv4 is depleting fast, although a lot slower than predicted over the past years, ISPs prepare for the depletion by stacking more an more persons behind one IP address. Instead of migrating to IPv6 with a sheer endless range of IP addresses. The technique of stacking is called Çarrier-Graded NAT (An explanation is found on Wikipedia.) This means that more than one person is behind an IP address, perhaps a whole building, a village or more. So this takes away from an IP address' uniqueness.

Mobile (and wifi)

The same goes for the mobile environment, where an IP address is used for one session and is given to the next person in line requesting access to the Internet. There's nothing unique about this particular IP address as it is in use by different persons during time constantly. Also just think of the use of wifi in a hotel, bar, train station, airport, etc.

Court verdicts

What complicates matters is the fact that judges do not seem to acknowledge an IP address as a unique qualifier where proving the guild of spammers and scammers is concerned. In the case of Nigerian 419 scammers in Amsterdam, a judge ruled that it could not be proven who pushed the button on a specific pc at a specific address. The defendants claimed that anybody in the neighbourhood walked in and used the pc, so anyone could have operated the scam. If this is the only proof a judge allows, there's only one thing to it: be in the room when the perpetrator pushes the button. Of course this is (near) impossible.

OPTA recognised this problem from the first investigation and researches for any circumstantial evidence in spam cases. However in the latest case the CBb (College van Beroep voor het bedrijfsleven) ruled out the evidence provided by OPTA that it could not be proven beyond doubt that two of the defendants, even as they profited hugely, could be seen as "the sender". (The third fled the country after the visitation by OPTA and never filed for appeal.)

In other words the IP address used by the spammers and scammers is not seen as sufficient in evidence. If this is the case, it may be time that the article 29 Working Party reviews its advice on IP addresses. In my opinion it can't be that on the one hand an IP address is privacy sensitive data, while on the other this same address is not seen as substantial evidence in court. This hampers law enforcers double. Not to speak of different rules and rulings in different countries on privacy (sensitive data). It makes cooperation and sharing data a very difficult thing to do.

International cooperation

It is about time that there is one clear ruling on what data can be exchanged between law enforcers of different elk, cyber incident and security personnel, NGO's dealing with botnet mitigation and industry. And in what form. E.g. Is warning an ISP that one of his clients is infected by a trojan allowed, including the IP address? Some think that the answer is no. Or warning that one of its clients is attacking a critical infrastructure as part of a DDoS attack?

If the necessary exchange of data happens insufficiently or worse, not at all, because of rules concerning privacy are unclear, cyber criminals and other offenders are dealt an all too successful hand this way. It is time to create a level playing field so that it is clear to all what data can be exchanged under what circumstance, so that international and national cooperation can take off in a justified, accountable and verifiable, but across the board fashion. Our very lives may depend on it.

IGF Baku

Hence the importance of Workshops #87 and #90 at the upcoming IGF in Baku, Azerbaijan that NLIGF, in cooperation with myself, is organising for November. iFreedom, privacy and law enforcement and international cooperation and privacy on critical infrastructure cyber incidents. What is the way forward? Who should take the lead? And how to create that much needed level playing field? These are questions that need to be dealt with at the global level to protect the Internet, you and me.

By Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement. More blog posts from Wout de Natris can also be read here.

Related topics: Cybercrime, DDoS, Internet Governance, IP Addressing, IPv6, Law, Malware, Policy & Regulation, Security, Spam

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?

i2Coalition to Host First Ever Smarter Internet Forum

Encrypting Inbound and Outbound Email Connections with PowerMTA

US Court Grants DCA Trust's Motion for Preliminary Injunction on .Africa gTLD

Resilient Cybersecurity: Dealing with On-Premise, Cloud-Based and Hybrid Security Complexities

Verisign Releases Q4 2015 DDoS Trends - DDoS Attack Activity Increasing by 85% Year Over Year

Best Practices from Verizon - Proactively Mitigating Emerging Fraudulent Activities

Neustar Data Identifies Most Popular Times of Year for DDoS Attacks in 2015

The Framework for Resilient Cybersecurity (Webinar)

2015 Trends: Multi-channel, Streaming Media and the Growth of Fraud

Dyn Weighs In On Whois

Season's Greetings - 2015 End of Year Message from DotConnectAfrica

Data Volumes and Network Stress to Be Top IoT Concerns

DKIM for ESPs: The Struggle of Living Up to the Ideal

Verisign Mitigates More Attack Activity in Q3 2015 Than Any Other Quarter During Last Two Years

Verisign & Forrester Webinar: Defending Against Cyber Threats in Complex Hybrid-Cloud Environments

"The Market Has No Morality" Sophia Bekele Speaks on Business Ethics and Accountability

Introducing Verisign Public DNS: A Free Recursive DNS Service That Respects Your Privacy

Faster DDoS Mitigation - Introducing Verisign OpenHybrid Customer Activated Mitigation

Sponsored Topics

Afilias - Mobile & Web Services


Sponsored by
Afilias - Mobile & Web Services


Sponsored by

DNS Security

Sponsored by


Sponsored by