Home / Blogs

IP Addresses and Personally Identifiable Information

Terry Zink

I don't normally cheer for Google when I don't own shares in the company, but this time I will make an exception.

Alma Whitten, Software Engineer at Google, today posted to their Public Policy Blog that IP addresses shouldn't be considered Personally Identifiable Information (PII). This is not a problem in the United States but it is in the EU, and if the EU actually were to legislate this it would most definitely affect Microsoft and Google's business functionality in the EU.

Whereas Google has an interest in collecting IP addresses in terms of doing geographical search targeting and marketing, for spam filtering purposes this affects us greatly. Can we collect and record IP addresses for data mining purposes? Part of fighting spam is knowing who the people are behind the spam storm. If the EU restricted what we could do with IP addresses, we wouldn't be able to mine through our data in order to look for patterns of spamminess. The ruling would be that we could potentially use IP information to identify a specific person, which is a no-no, according to the EU.

I would think that blacklist operators like Spamhaus could be impacted by this as well. They publish a blacklist of known spam operators and they quite deliberately go to the trouble of identifying IPs to individuals. I could see how a spammer could mount a legal challenge to have themselves removed from Spamhaus. Of course, I am not a lawyer but lawsuits can drain the life out of you.

I come down on the side of IP addresses not being PII. I was a little surprised that this was coming from Germany; I would have thought a law this bad would have originated from the French (that's just a joke).

You may want to check out the original article, it's a good read.

A couple of months ago we ran into the exact same issue here in Exchange Hosted Services. While Whitten does make valid points that a laptop user can move their IP address around (from home to the office to the cafe), there is another case. What about the home user that has a static IP address on their home server? Perhaps its reverse DNS is mail.homeuser.com or something like that. In that case, their IP address would not be subject to change and therefore you could, quite conceivably, learn their identity.

That seems to be the situation that the EU is targeting. I don't really agree with it since it only identifies a machine and not a user. A home PC can be infected with malware that sends out spam. Somebody other than the traditional user could be browsing to a web site. However, the question surrounding PII is a legal one and not a technical one. Of course, if it were a technical question, it still wouldn't provide absolute proof of identity, it only suggests it.

By Terry Zink, Program Manager. More blog posts from Terry Zink can also be read here.

Related topics: DNS, Internet Governance, IP Addressing, Malware, Policy & Regulation, Spam

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


Re: IP Addresses and Personally Identifiable Information Larry Seltzer  –  Mar 19, 2008 9:41 AM PDT

From today (3/19)'s Gigalaw feed:

Italian Rule Bans Spying on Illegal File Sharers
Italian companies may not spy on individuals who engage in illegal file-sharing, according to a controversial new ruling. The ruling of Francesco Pizzetti, president of the official Italian body for Guaranteeing the Protection of Private Data, follows the attempts of a German record label, Peppermint, which last year began using the Swiss computer firm Logistep to gather the IP addresses of at least 300 Italians who were illegally sharing files.
Read more: http://www.gigalaw.com/news/2008/03/italian-rule-bans-spying-on-illegal.html (Source: Billboard)

[emphasis mine]

To post comments, please login or create an account.

Related Blogs

World Body Declares Cyber Security Top Issue

The Mission Has Already Crept

ICANN Should Curb Anonymous Domain Name Abuses

DNS Deregulation (Part 1 of 3)

Are Botnets Really the Spam Problem?

Related News


Industry Updates – Sponsored Posts

Protect Your Network From BYOD Malware Threats With The Verisign DNS Firewall

Introducing the Verisign DNS Firewall

TLD Security, Spec 11 and Business Implications

Verisign Named to the Online Trust Alliance's 2015 Honor Roll

3 Key Steps for SMBs to Protect Their Website and Critical Internet Services

Key Considerations for Selecting a Managed DNS Provider

DotConnectAfrica on "CONNECTing the Dots: Options for Future Action" at UNESCO, Paris

IBCA Presentation to ICANN GAC on Protection of Geographic Names in New gTLDs

Help Ensure the Availability and Security of Your Enterprise DNS with Verisign Recursive DNS

Verisign iDefense 2015 Cyber-Threats and Trends

Season's Greetings - 2014 End of Year Message from DotConnectAfrica

Domain Name .Africa Faces Hurdles - Q&A with Sophia Bekele

Join Paul Vixie & Robert Edmonds at the Upcoming Distinguished Speaker Series

LogicBoxes Announces Automation Solutions for ccTLD

3 Questions to Ask Your DNS Host About DDoS

Introducing Our Special Edition Managed DNS Service for Top-Level Domain Operators

Afilias Director Wins ICANN's 2014 Leadership Award

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

Sponsored Topics