Getting Personal with IP Addresses

July 22nd, 2009 jmolini

In words that may go down in history, on July 6, 2009, U.S. District Court Judge Richard Jones wrote: “In order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer.” An overview of the ruling is here.

This ruling dismissed a case by certain people against Microsoft, claiming that Microsoft’s recording of their IP addresses constituted a violation of Microsoft’s End User License Agreement or EULA.  The plaintiffs claimed that a user’s IP is personally identifiable.  Microsoft claimed otherwise.  In this case, the judge agreed that an IP is not PII.  That’s a good thing for all of us in the security business, but it’s also the right logical conclusion at this time in history.  Here’s why.

  1. IP addresses are assigned by ISPs.  They are not assigned by end users.  Most computers only obtain a lease on an IP address for days or hours.  As such, the IP address is often just a temporary association between a computer and the Internet.  It’s not the same as the relationship between a user and the user’s computer.
  2. You can’t buy an IP address; you can only lease one.  In this regard, it is not “property” as would be defined in many legal circles.
  3. IP addresses are easily computed, and many attack programs generate IP addresses randomly and attempt to connect to those addresses.  If you look up a specific IP address via reverse DNS, you can associate it with a domain, but users can also mask their personal information in the domain record – if they work through an ISP or other representative.  If IP addresses are considered PII, it will destroy the long-term viability of DNS.
  4. Finally, the Internet is not a government-owned or government-regulated entity, as are the phone companies in many parts of the world.  Although certain governments may choose to limit use of the Internet as a matter of national policy, those regulations would not and should not apply across national borders.  In short, they can’t tell the Internet what to do.  The Internet is flat and those who would unflatten it are swimming upstream. Just ask people who want to tax Internet sales.

There are other issues, but I think you get the idea. 

Of course, this means that I think the EU made a mistake when they required ISPs to restrict access to IP information.  It is harming the competitiveness of IT companies over there.  If you disagree, let me know why.  I’m interested in your opinion.

Jim Molini, CISSP, CSSLP

Categories: Information Security