Home / Blogs

IP Addresses and Personally Identifiable Information

Terry Zink

I don't normally cheer for Google when I don't own shares in the company, but this time I will make an exception.

Alma Whitten, Software Engineer at Google, today posted to their Public Policy Blog that IP addresses shouldn't be considered Personally Identifiable Information (PII). This is not a problem in the United States but it is in the EU, and if the EU actually were to legislate this it would most definitely affect Microsoft and Google's business functionality in the EU.

Whereas Google has an interest in collecting IP addresses in terms of doing geographical search targeting and marketing, for spam filtering purposes this affects us greatly. Can we collect and record IP addresses for data mining purposes? Part of fighting spam is knowing who the people are behind the spam storm. If the EU restricted what we could do with IP addresses, we wouldn't be able to mine through our data in order to look for patterns of spamminess. The ruling would be that we could potentially use IP information to identify a specific person, which is a no-no, according to the EU.

I would think that blacklist operators like Spamhaus could be impacted by this as well. They publish a blacklist of known spam operators and they quite deliberately go to the trouble of identifying IPs to individuals. I could see how a spammer could mount a legal challenge to have themselves removed from Spamhaus. Of course, I am not a lawyer but lawsuits can drain the life out of you.

I come down on the side of IP addresses not being PII. I was a little surprised that this was coming from Germany; I would have thought a law this bad would have originated from the French (that's just a joke).

You may want to check out the original article, it's a good read.

A couple of months ago we ran into the exact same issue here in Exchange Hosted Services. While Whitten does make valid points that a laptop user can move their IP address around (from home to the office to the cafe), there is another case. What about the home user that has a static IP address on their home server? Perhaps its reverse DNS is mail.homeuser.com or something like that. In that case, their IP address would not be subject to change and therefore you could, quite conceivably, learn their identity.

That seems to be the situation that the EU is targeting. I don't really agree with it since it only identifies a machine and not a user. A home PC can be infected with malware that sends out spam. Somebody other than the traditional user could be browsing to a web site. However, the question surrounding PII is a legal one and not a technical one. Of course, if it were a technical question, it still wouldn't provide absolute proof of identity, it only suggests it.

By Terry Zink, Program Manager. More blog posts from Terry Zink can also be read here.

Related topics: DNS, Internet Governance, IP Addressing, Malware, Policy & Regulation, Spam

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

Re: IP Addresses and Personally Identifiable Information Larry Seltzer  –  Mar 19, 2008 9:41 AM PDT

From today (3/19)'s Gigalaw feed:

Italian Rule Bans Spying on Illegal File Sharers
Italian companies may not spy on individuals who engage in illegal file-sharing, according to a controversial new ruling. The ruling of Francesco Pizzetti, president of the official Italian body for Guaranteeing the Protection of Private Data, follows the attempts of a German record label, Peppermint, which last year began using the Swiss computer firm Logistep to gather the IP addresses of at least 300 Italians who were illegally sharing files.
Read more: http://www.gigalaw.com/news/2008/03/italian-rule-bans-spying-on-illegal.html (Source: Billboard)

[emphasis mine]

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

3 Questions to Ask Your DNS Host About DDoS

Introducing Our Special Edition Managed DNS Service for Top-Level Domain Operators

Afilias Director Wins ICANN's 2014 Leadership Award

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

DotConnectAfrica Contributes at the 9th IGF in Istanbul, Turkey

Nominum Announces Future Ready DNS

ICANN London Recap Webinar

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

Neustar to Launch usTLD Stakeholder Council

Sophia Bekele Weighs in on Obama's August US-Africa Leader Summit at the NYF Africa

Dyn Acquires Internet Intelligence Company, Renesys

DotConnectAfrica's Expert Selected to Attend the Hague Institute of Global Justice

DotConnectAfrica Delegates Attend the KHRC Internet & Human Rights Breakfast Roundtable in Nairobi

Smokescreening: Data Theft Makes DDoS More Dangerous

Introducing getdns: a Modern, Extensible, Open Source API for the DNS

Why We Decided to Stop Offering Free Accounts

Internet Business Council for Africa Participates at the EU-Africa 2014 Business Forum, Brussels

Tony Kirsch Announced As Head of Global Consulting of ARI Registry Services

Sponsored Topics