Home / Blogs

IP Addresses and Privacy Sensitive Data - A Level Playing Field Needed

Wout de Natris

Reading Peter Olthoorn's book on Google (a link is found here), I ran into a passage on IP addresses. Where Google states that it does not see an IP address as privacy sensitive. An IP address could be used by more than one person, it claims. The Article 29 Working Party, the EU privacy commissioners, states that it is privacy sensitive as a unique identifier of a private person. It got me wondering whether it is this simple. Here is a blog post meant to give some food for thought and debate. I invite you to think about the question 'how private is an IP address'?

One person, one IP address

There is no doubt that if one person sits behind one IP address, that this unique address will tell everything about this person as far as his online behaviour is concerned. But how unique is an IP address? There may be more examples, but these stick out most for me.

Carrier-graded NAT

In a world in which IPv4 is depleting fast, although a lot slower than predicted over the past years, ISPs prepare for the depletion by stacking more an more persons behind one IP address. Instead of migrating to IPv6 with a sheer endless range of IP addresses. The technique of stacking is called Çarrier-Graded NAT (An explanation is found on Wikipedia.) This means that more than one person is behind an IP address, perhaps a whole building, a village or more. So this takes away from an IP address' uniqueness.

Mobile (and wifi)

The same goes for the mobile environment, where an IP address is used for one session and is given to the next person in line requesting access to the Internet. There's nothing unique about this particular IP address as it is in use by different persons during time constantly. Also just think of the use of wifi in a hotel, bar, train station, airport, etc.

Court verdicts

What complicates matters is the fact that judges do not seem to acknowledge an IP address as a unique qualifier where proving the guild of spammers and scammers is concerned. In the case of Nigerian 419 scammers in Amsterdam, a judge ruled that it could not be proven who pushed the button on a specific pc at a specific address. The defendants claimed that anybody in the neighbourhood walked in and used the pc, so anyone could have operated the scam. If this is the only proof a judge allows, there's only one thing to it: be in the room when the perpetrator pushes the button. Of course this is (near) impossible.

OPTA recognised this problem from the first investigation and researches for any circumstantial evidence in spam cases. However in the latest case the CBb (College van Beroep voor het bedrijfsleven) ruled out the evidence provided by OPTA that it could not be proven beyond doubt that two of the defendants, even as they profited hugely, could be seen as "the sender". (The third fled the country after the visitation by OPTA and never filed for appeal.)

In other words the IP address used by the spammers and scammers is not seen as sufficient in evidence. If this is the case, it may be time that the article 29 Working Party reviews its advice on IP addresses. In my opinion it can't be that on the one hand an IP address is privacy sensitive data, while on the other this same address is not seen as substantial evidence in court. This hampers law enforcers double. Not to speak of different rules and rulings in different countries on privacy (sensitive data). It makes cooperation and sharing data a very difficult thing to do.

International cooperation

It is about time that there is one clear ruling on what data can be exchanged between law enforcers of different elk, cyber incident and security personnel, NGO's dealing with botnet mitigation and industry. And in what form. E.g. Is warning an ISP that one of his clients is infected by a trojan allowed, including the IP address? Some think that the answer is no. Or warning that one of its clients is attacking a critical infrastructure as part of a DDoS attack?

If the necessary exchange of data happens insufficiently or worse, not at all, because of rules concerning privacy are unclear, cyber criminals and other offenders are dealt an all too successful hand this way. It is time to create a level playing field so that it is clear to all what data can be exchanged under what circumstance, so that international and national cooperation can take off in a justified, accountable and verifiable, but across the board fashion. Our very lives may depend on it.

IGF Baku

Hence the importance of Workshops #87 and #90 at the upcoming IGF in Baku, Azerbaijan that NLIGF, in cooperation with myself, is organising for November. iFreedom, privacy and law enforcement and international cooperation and privacy on critical infrastructure cyber incidents. What is the way forward? Who should take the lead? And how to create that much needed level playing field? These are questions that need to be dealt with at the global level to protect the Internet, you and me.

By Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement. More blog posts from Wout de Natris can also be read here.

Related topics: Cybercrime, Cybersecurity, DDoS, Internet Governance, IP Addressing, IPv6, Law, Malware, Policy & Regulation, Spam


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

DNS Security

Sponsored by Afilias


Sponsored by Verisign

IP Addressing

Sponsored by Avenue4 LLC

Mobile Internet

Sponsored by Afilias Mobile & Web Services

Promoted Posts

Buying or Selling IPv4 Addresses?

Watch this video to discover how ACCELR/8, a transformative IPv4 trading platform developed by industry veterans Marc Lindsey and Janine Goodman, enables organizations to buy or sell IPv4 blocks as small as /20s. more»

Industry Updates – Sponsored Posts

Join Neustar's Town Hall Meeting and Help Shape the Future Of .US

Avenue4 Helps IPv4 Sellers and Buyers Gain Market Access, Overcome Complexities

Introduction to ACCELR/8 - Fast Lane to the IPv4 Market

Avenue4 Launches ACCELR/8, Transforming the IPv4 Market with Automated Order-Driven Trading

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Why the Record Number of Reverse Domain Name Hijacking UDRP Filings in 2016?

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

i2Coalition to Present Tucows CEO Elliot Noss With Internet Community Leadership Award

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Michele Neylon Appointed Chair Elect of i2Coalition

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

MarkMonitor Supports Brand Holders' Efforts Regarding .Feedback Registry

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure