Home / Blogs

IP Addresses and Personally Identifiable Information

Terry Zink

I don't normally cheer for Google when I don't own shares in the company, but this time I will make an exception.

Alma Whitten, Software Engineer at Google, today posted to their Public Policy Blog that IP addresses shouldn't be considered Personally Identifiable Information (PII). This is not a problem in the United States but it is in the EU, and if the EU actually were to legislate this it would most definitely affect Microsoft and Google's business functionality in the EU.

Whereas Google has an interest in collecting IP addresses in terms of doing geographical search targeting and marketing, for spam filtering purposes this affects us greatly. Can we collect and record IP addresses for data mining purposes? Part of fighting spam is knowing who the people are behind the spam storm. If the EU restricted what we could do with IP addresses, we wouldn't be able to mine through our data in order to look for patterns of spamminess. The ruling would be that we could potentially use IP information to identify a specific person, which is a no-no, according to the EU.

I would think that blacklist operators like Spamhaus could be impacted by this as well. They publish a blacklist of known spam operators and they quite deliberately go to the trouble of identifying IPs to individuals. I could see how a spammer could mount a legal challenge to have themselves removed from Spamhaus. Of course, I am not a lawyer but lawsuits can drain the life out of you.

I come down on the side of IP addresses not being PII. I was a little surprised that this was coming from Germany; I would have thought a law this bad would have originated from the French (that's just a joke).

You may want to check out the original article, it's a good read.

A couple of months ago we ran into the exact same issue here in Exchange Hosted Services. While Whitten does make valid points that a laptop user can move their IP address around (from home to the office to the cafe), there is another case. What about the home user that has a static IP address on their home server? Perhaps its reverse DNS is mail.homeuser.com or something like that. In that case, their IP address would not be subject to change and therefore you could, quite conceivably, learn their identity.

That seems to be the situation that the EU is targeting. I don't really agree with it since it only identifies a machine and not a user. A home PC can be infected with malware that sends out spam. Somebody other than the traditional user could be browsing to a web site. However, the question surrounding PII is a legal one and not a technical one. Of course, if it were a technical question, it still wouldn't provide absolute proof of identity, it only suggests it.

By Terry Zink, Program Manager. More blog posts from Terry Zink can also be read here.

Related topics: DNS, Internet Governance, IP Addressing, Malware, Policy & Regulation, Spam

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


Re: IP Addresses and Personally Identifiable Information Larry Seltzer  –  Mar 19, 2008 8:41 AM PST

From today (3/19)'s Gigalaw feed:

Italian Rule Bans Spying on Illegal File Sharers
Italian companies may not spy on individuals who engage in illegal file-sharing, according to a controversial new ruling. The ruling of Francesco Pizzetti, president of the official Italian body for Guaranteeing the Protection of Private Data, follows the attempts of a German record label, Peppermint, which last year began using the Swiss computer firm Logistep to gather the IP addresses of at least 300 Italians who were illegally sharing files.
Read more: http://www.gigalaw.com/news/2008/03/italian-rule-bans-spying-on-illegal.html (Source: Billboard)

[emphasis mine]

To post comments, please login or create an account.

Related Blogs

Regulation and Reason

Zero Rating, a Poisoned Chalice for the Developing World

As WHOIS Transitions to RDAP, How Do We Avoid the Same Mistakes?

RIPE 71 Meeting Report


Related News


Industry Updates – Sponsored Posts

Computerworld Names Afilias' Ram Mohan a Premier 100 Technology Leader

Protect Your Privacy - Opt Out of Public DNS Data Collection

Measuring DNS Performance for the User Experience

"The Market Has No Morality" Sophia Bekele Speaks on Business Ethics and Accountability

Introducing Verisign Public DNS: A Free Recursive DNS Service That Respects Your Privacy

Internet Grows to 296 Million Domain Names in Q2 2015

Dyn Comments on ICG Proposal for IANA Transition

Protect Your Network From BYOD Malware Threats With The Verisign DNS Firewall

Introducing the Verisign DNS Firewall

TLD Security, Spec 11 and Business Implications

Verisign Named to the Online Trust Alliance's 2015 Honor Roll

3 Key Steps for SMBs to Protect Their Website and Critical Internet Services

Key Considerations for Selecting a Managed DNS Provider

DotConnectAfrica on "CONNECTing the Dots: Options for Future Action" at UNESCO, Paris

IBCA Presentation to ICANN GAC on Protection of Geographic Names in New gTLDs

Help Ensure the Availability and Security of Your Enterprise DNS with Verisign Recursive DNS

Verisign iDefense 2015 Cyber-Threats and Trends

Season's Greetings - 2014 End of Year Message from DotConnectAfrica

Domain Name .Africa Faces Hurdles - Q&A with Sophia Bekele

Join Paul Vixie & Robert Edmonds at the Upcoming Distinguished Speaker Series

Sponsored Topics