Home / Blogs

IP Addresses and Personally Identifiable Information

Terry Zink

I don't normally cheer for Google when I don't own shares in the company, but this time I will make an exception.

Alma Whitten, Software Engineer at Google, today posted to their Public Policy Blog that IP addresses shouldn't be considered Personally Identifiable Information (PII). This is not a problem in the United States but it is in the EU, and if the EU actually were to legislate this it would most definitely affect Microsoft and Google's business functionality in the EU.

Whereas Google has an interest in collecting IP addresses in terms of doing geographical search targeting and marketing, for spam filtering purposes this affects us greatly. Can we collect and record IP addresses for data mining purposes? Part of fighting spam is knowing who the people are behind the spam storm. If the EU restricted what we could do with IP addresses, we wouldn't be able to mine through our data in order to look for patterns of spamminess. The ruling would be that we could potentially use IP information to identify a specific person, which is a no-no, according to the EU.

I would think that blacklist operators like Spamhaus could be impacted by this as well. They publish a blacklist of known spam operators and they quite deliberately go to the trouble of identifying IPs to individuals. I could see how a spammer could mount a legal challenge to have themselves removed from Spamhaus. Of course, I am not a lawyer but lawsuits can drain the life out of you.

I come down on the side of IP addresses not being PII. I was a little surprised that this was coming from Germany; I would have thought a law this bad would have originated from the French (that's just a joke).

You may want to check out the original article, it's a good read.

A couple of months ago we ran into the exact same issue here in Exchange Hosted Services. While Whitten does make valid points that a laptop user can move their IP address around (from home to the office to the cafe), there is another case. What about the home user that has a static IP address on their home server? Perhaps its reverse DNS is mail.homeuser.com or something like that. In that case, their IP address would not be subject to change and therefore you could, quite conceivably, learn their identity.

That seems to be the situation that the EU is targeting. I don't really agree with it since it only identifies a machine and not a user. A home PC can be infected with malware that sends out spam. Somebody other than the traditional user could be browsing to a web site. However, the question surrounding PII is a legal one and not a technical one. Of course, if it were a technical question, it still wouldn't provide absolute proof of identity, it only suggests it.

By Terry Zink, Program Manager. More blog posts from Terry Zink can also be read here.

Related topics: DNS, Internet Governance, IP Addressing, Malware, Policy & Regulation, Spam

 
   
WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

Re: IP Addresses and Personally Identifiable Information Larry Seltzer  –  Mar 19, 2008 9:41 AM PDT

From today (3/19)'s Gigalaw feed:

Italian Rule Bans Spying on Illegal File Sharers
Italian companies may not spy on individuals who engage in illegal file-sharing, according to a controversial new ruling. The ruling of Francesco Pizzetti, president of the official Italian body for Guaranteeing the Protection of Private Data, follows the attempts of a German record label, Peppermint, which last year began using the Swiss computer firm Logistep to gather the IP addresses of at least 300 Italians who were illegally sharing files.
Read more: http://www.gigalaw.com/news/2008/03/italian-rule-bans-spying-on-illegal.html (Source: Billboard)

[emphasis mine]

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Radix Adds Dyn as a DNS Service Provider

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Dyn Partners with the Internet Systems Consortium to Host Global F-Root Nameservers

Is Your TLD Threat Mitigation Strategy up to Scratch?

Domain Management Handbook from MarkMonitor

Resilient Cybersecurity: Dealing with On-Premise, Cloud-Based and Hybrid Security Complexities

What Holds Firms Back from Choosing Cloud-Based External DNS?

The Framework for Resilient Cybersecurity (Webinar)

2015 Trends: Multi-channel, Streaming Media and the Growth of Fraud

Dyn Weighs In On Whois

Season's Greetings - 2015 End of Year Message from DotConnectAfrica

Computerworld Names Afilias' Ram Mohan a Premier 100 Technology Leader

Protect Your Privacy - Opt Out of Public DNS Data Collection

Measuring DNS Performance for the User Experience

"The Market Has No Morality" Sophia Bekele Speaks on Business Ethics and Accountability

Introducing Verisign Public DNS: A Free Recursive DNS Service That Respects Your Privacy

Internet Grows to 296 Million Domain Names in Q2 2015

Dyn Comments on ICG Proposal for IANA Transition

Sponsored Topics

Port25

Email

Sponsored by
Port25
Afilias - Mobile & Web Services

Mobile

Sponsored by
Afilias - Mobile & Web Services
Verisign

Security

Sponsored by
Verisign
Afilias

DNS Security

Sponsored by
Afilias