IP is Personal Says Head of the European Union

IP addresses should generally be regarded as personal information, the head of the European Union's group of data privacy regulators said Monday.

Germany's data protection commissioner, Peter Schaar, leads the EU group preparing a report on how well the privacy policies of Internet search engines operated by Google Inc., Yahoo Inc., Microsoft Corp. and others comply with EU privacy law. He told a European Parliament hearing on online data protection that when someone is identified by an IP address "then it has to be regarded as personal data."

Update - Jan 23, 2008: Internet privacy concerns cause very public row in Brussels

Read full story: Associated Press

Comments

Re: IP is Personal Says Head of the European Union Thomas Kuehne  –  Jan 22, 2008 12:19 PM PST

But these exceptions have not stopped the emergence of a host of "whois" Internet sites that apply the general rule that typing in an IP address will generate a name for the person or company linked to it.

Huh? Those "whois" services have been around almost since the first coordinated IP assignments. For more detailed information, simply googling the IP or its rDNS label is sufficient (unless it is a frequently dynamically reassigned IP).

Internet 'click fraud' can be tracked down by showing that the same IP address is jumping repeatedly to the same ad. Advertisers pay for each time a different person views the ad, so dozens of views by the same person can rack up costs without giving the company the publicity it wanted.

This is only the case with "non-professional" click fraud. Professionals use distributed systems (e.g. bot nets or social networking sites). Identifying "non-professional" click fraud doesn't require any stored IPs. A very simple protection is a hash of client fingerprints like the IP and OS-specific TCP behaviour. If a hash is seen too frequently - it may be click fraud or simply a web proxy - then the IPs should be logged for further investigation. I think this incident-specific logging is already a well-regulated right in most legal systems. Thus treating IPs as personal/confidential information wouldn't cause any issues.

The really interesting legal cases are not web hosters/click fraud but IP blacklists like spamhouse.org. The problem is that they provide the information not only within one organisation but often to anybody that asks. I'm unaware of any way to effectively anonymize the data while retaining the blacklist function. A simple hash - like the one described above - can be easily reversed even if it was a salted one. There are only a very limited number of IP addresses, thus even plain brute forcing requires no special hardware or knowledge.
In a sense the IP blacklists represent virtual credit rating agencies. However, the real-life agencies in most countries have some kind of written contract. In this case it would be either the client (IP address) or the network provider that is responsible for the IP range. The issue is, spam frequently originates from un-cooperative networks and thus an explicit contract with the blacklist provider is unlikely. An obvious solution would be to switch from a black-list model to a white-list model. However, the data gathering for the black-lists can be implemented far more easily on a global scale than that for white-lists.

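An added example, not part of the original article or comment, illustrating the two points the comment makes: click screening that keeps only fingerprint digests until a threshold is exceeded, and why a salted hash of an IP address is not anonymous once the salt is known to anyone who can query the list. The threshold, the TCP signature strings, the salt and the use of a keyed HMAC (swapped in for the comment's plain hash) are assumptions; all addresses are constructed from a documentation range.

```python
import hashlib, hmac, ipaddress, os
from collections import Counter

THRESHOLD = 3  # assumed: clicks per fingerprint per window before escalation

def fingerprint(ip, tcp_sig, key):
    """Keyed digest of the client fingerprint (IP + OS-specific TCP signature)."""
    return hmac.new(key, f"{ip}|{tcp_sig}".encode(), hashlib.sha256).hexdigest()

def screen_clicks(clicks, key, threshold=THRESHOLD):
    """Count clicks per digest; keep the raw IP only once a digest exceeds the threshold."""
    counts, escalated = Counter(), {}
    for ip, tcp_sig in clicks:
        digest = fingerprint(ip, tcp_sig, key)
        counts[digest] += 1
        if counts[digest] > threshold:
            escalated[digest] = ip  # incident-specific logging starts here
    return counts, escalated

def salted_hash(ip, salt):
    """Salted SHA-256 of an address, as a shared blacklist entry might be stored."""
    return hashlib.sha256(salt + ip.encode()).hexdigest()

def recover_ip(digest, salt, network):
    """Enumerate a network to reverse a salted hash whose salt is known."""
    for addr in ipaddress.ip_network(network):
        if salted_hash(str(addr), salt) == digest:
            return str(addr)
    return None

def demo():
    key = os.urandom(32)  # per-window secret, discarded when the window closes
    # Constructed sample clicks: one client repeats, two others click once.
    clicks = [("203.0.113.7", "ttl64/win5840")] * 5 + [
        ("203.0.113.8", "ttl128/win8192"), ("203.0.113.9", "ttl64/win5840")]
    counts, escalated = screen_clicks(clicks, key)
    # A blacklist must share its salt with every querier, so the entry can be
    # enumerated. A /24 has 256 candidates; all of IPv4 has only 2**32.
    salt = b"published-salt"
    entry = salted_hash("203.0.113.200", salt)
    return counts, escalated, recover_ip(entry, salt, "203.0.113.0/24")

if __name__ == "__main__":
    print(demo())
```

The screening digests stay unlinkable to addresses only because the HMAC key is secret and short-lived; a published blacklist cannot rely on that, which is the comment's point.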
