Home / Blogs

IP Addresses and Privacy Sensitive Data - A Level Playing Field Needed

Don't miss a thing – sign up for CircleID Weekly Wrap newsletter delivered to your inbox once a week.
Wout de Natris

Reading Peter Olthoorn's book on Google (a link is found here), I ran into a passage on IP addresses. Where Google states that it does not see an IP address as privacy sensitive. An IP address could be used by more than one person, it claims. The Article 29 Working Party, the EU privacy commissioners, states that it is privacy sensitive as a unique identifier of a private person. It got me wondering whether it is this simple. Here is a blog post meant to give some food for thought and debate. I invite you to think about the question 'how private is an IP address'?

One person, one IP address

There is no doubt that if one person sits behind one IP address, that this unique address will tell everything about this person as far as his online behaviour is concerned. But how unique is an IP address? There may be more examples, but these stick out most for me.

Carrier-graded NAT

In a world in which IPv4 is depleting fast, although a lot slower than predicted over the past years, ISPs prepare for the depletion by stacking more an more persons behind one IP address. Instead of migrating to IPv6 with a sheer endless range of IP addresses. The technique of stacking is called Çarrier-Graded NAT (An explanation is found on Wikipedia.) This means that more than one person is behind an IP address, perhaps a whole building, a village or more. So this takes away from an IP address' uniqueness.

Mobile (and wifi)

The same goes for the mobile environment, where an IP address is used for one session and is given to the next person in line requesting access to the Internet. There's nothing unique about this particular IP address as it is in use by different persons during time constantly. Also just think of the use of wifi in a hotel, bar, train station, airport, etc.

Court verdicts

What complicates matters is the fact that judges do not seem to acknowledge an IP address as a unique qualifier where proving the guild of spammers and scammers is concerned. In the case of Nigerian 419 scammers in Amsterdam, a judge ruled that it could not be proven who pushed the button on a specific pc at a specific address. The defendants claimed that anybody in the neighbourhood walked in and used the pc, so anyone could have operated the scam. If this is the only proof a judge allows, there's only one thing to it: be in the room when the perpetrator pushes the button. Of course this is (near) impossible.

OPTA recognised this problem from the first investigation and researches for any circumstantial evidence in spam cases. However in the latest case the CBb (College van Beroep voor het bedrijfsleven) ruled out the evidence provided by OPTA that it could not be proven beyond doubt that two of the defendants, even as they profited hugely, could be seen as "the sender". (The third fled the country after the visitation by OPTA and never filed for appeal.)

In other words the IP address used by the spammers and scammers is not seen as sufficient in evidence. If this is the case, it may be time that the article 29 Working Party reviews its advice on IP addresses. In my opinion it can't be that on the one hand an IP address is privacy sensitive data, while on the other this same address is not seen as substantial evidence in court. This hampers law enforcers double. Not to speak of different rules and rulings in different countries on privacy (sensitive data). It makes cooperation and sharing data a very difficult thing to do.

International cooperation

It is about time that there is one clear ruling on what data can be exchanged between law enforcers of different elk, cyber incident and security personnel, NGO's dealing with botnet mitigation and industry. And in what form. E.g. Is warning an ISP that one of his clients is infected by a trojan allowed, including the IP address? Some think that the answer is no. Or warning that one of its clients is attacking a critical infrastructure as part of a DDoS attack?

If the necessary exchange of data happens insufficiently or worse, not at all, because of rules concerning privacy are unclear, cyber criminals and other offenders are dealt an all too successful hand this way. It is time to create a level playing field so that it is clear to all what data can be exchanged under what circumstance, so that international and national cooperation can take off in a justified, accountable and verifiable, but across the board fashion. Our very lives may depend on it.

IGF Baku

Hence the importance of Workshops #87 and #90 at the upcoming IGF in Baku, Azerbaijan that NLIGF, in cooperation with myself, is organising for November. iFreedom, privacy and law enforcement and international cooperation and privacy on critical infrastructure cyber incidents. What is the way forward? Who should take the lead? And how to create that much needed level playing field? These are questions that need to be dealt with at the global level to protect the Internet, you and me.

By Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement. More blog posts from Wout de Natris can also be read here.

Related topics: Cybercrime, DDoS, Internet Governance, IP Addressing, IPv6, Law, Malware, Policy & Regulation, Security, Spam



To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Sponsored Topics

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Boston Ivy Gets Competitive With Its TLDs, Offers Registrars New Wholesale Pricing

With a mission to make its top-level domains available to the broadest market possible, Boston Ivy has permanently reduced its registration, renewal and transfer prices for .Broker, .Forex, .Markets and .Trading. more»

Industry Updates – Sponsored Posts

Leading Internet Associations Strengthen Cooperation

i2Coalition to Present Tucows CEO Elliot Noss With Internet Community Leadership Award

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Michele Neylon Appointed Chair Elect of i2Coalition

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

MarkMonitor Supports Brand Holders' Efforts Regarding .Feedback Registry

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?