
Getting Personal with IP Addresses

In words that may go down in history, on July 6, 2009, U.S. District Court Judge Richard Jones wrote: “In order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer.” An overview of the ruling is here.

This ruling dismissed a case brought by certain people against Microsoft, which claimed that Microsoft’s recording of their IP addresses constituted a violation of Microsoft’s End User License Agreement (EULA). The plaintiffs claimed that a user’s IP is personally identifiable. Microsoft claimed otherwise. In this case, the judge agreed that an IP is not PII. That’s a good thing for all of us in the security business, but it’s also the right logical conclusion at this time in history. Here’s why.

  1. IP addresses are assigned by ISPs.  They are not assigned by end users.  Most computers only obtain a lease on an IP address for days or hours.  As such, the IP address is often just a temporary association between a computer and the Internet.  It’s not the same as the relationship between a user and the user’s computer.
  2. You can’t buy an IP address; you can only lease one.  In this regard, it is not “property” as would be defined in many legal circles.
  3. IP addresses are easily computed, and many attack programs generate IP addresses randomly and attempt to connect to those addresses.  If you look up a specific IP address via reverse DNS, you can associate it with a domain, but users can also mask their personal information in the domain record if they work through an ISP or other representative.  If IP addresses are considered PII, it will destroy the long-term viability of DNS.
  4. Finally, the Internet is not a government-owned or regulated entity, as are the phone companies in many parts of the world.  Although certain governments may choose to limit use of the Internet as a matter of national policy, those regulations would not and should not apply across national borders.  In short, they can’t tell the Internet what to do.  The Internet is flat and those who would unflatten it are swimming upstream. Just ask people who want to tax Internet sales.

There are other issues, but I think you get the idea. 

Of course, this means that I think the EU made a mistake when they required ISPs to restrict access to IP information.  It is harming the competitiveness of IT companies over there.  If you disagree, let me know why.  I’m interested in your opinion.

Jim Molini, CISSP, CSSLP

  1. July 22nd, 2009 at 22:07 | #1

    Every good web developer knows that when analytics tells you that you’ve received 1,000 unique visitors in the past 3 months, you take it with a grain of salt. People might use 3 different computers to view your site. Or their IP leases may very well have refreshed a few times in that period. IP addresses are used a lot to approximate unique visitors, but most power users know that that can’t be relied on.
    I’m glad the judge was able to learn that much in time for his decision.

    I’ve heard other analysis on this that likened that line about the IP identifying a computer to how an address identifies a house. There are serious differences with IP. Most people don’t change addresses every month, and most people don’t live in more than one house either. DNS is effective because it’s flexible, far too flexible to be used in a courtroom.

  2. Jerry
    July 23rd, 2009 at 07:31 | #2

    This also is a great ruling with regards to the abusive suits filed by the RIAA on a regular basis!

  3. July 27th, 2009 at 14:38 | #3

    I agree that IP addresses are not personally identifiable information. Most change every day. They are collected automatically by all servers for logging purposes. If you choose to send a request to the server, that gives the server the right to collect and log certain information about you, such as your operating system, web browser, and IP address. This information is all sent automatically by your web browser. Tor is an option for anonymity on the internet. If you don’t want people collecting your IP address, you must be doing something that you don’t want people to know about. Great blog, Mr. Molini, I will be coming back often.

  4. August 13th, 2009 at 18:42 | #4

    Sorry, I have to disagree.

    Speaking as not-a-lawyer, my opinion isn’t meant as one bound by legal definition of property, etc. In fact, I gladly defer to your reading of the ruling; so fine, it isn’t ‘property’ per se.

    Nevertheless, because the ISPs who own (hmmmmm, not really) the addresses are often required by one regulating/governing body or another to keep track of who the IP addresses they control are assigned to, and are sometimes subpoenaed for that information, an IP address IS personal identifying information, at least transiently.

    If your point is to remove ownership ‘rights’ then of course you want to see IP addresses as not PII. But if you are afraid that someone hitching a ride on your network (yes, it ought to be protected, but still) might do something illegal while there and you could get left holding the bag, then you have to be afraid and err the other way.

    In other words, if a case can get built against me based on my IP address (and we’ve seen this many times, now), then call it what it is: PII. And plan your actions from there.

    Jeff Yablon
    President & CEO
    Virtual VIP Business Coaching and Virtual Assistant Services

  5. August 16th, 2009 at 17:31 | #5

    @Jeff Yablon

    Jeff,
    If a case can be built against you based on your IP address, I guess you’re saying that removing your anonymity makes the IP address PII. It’s kind of like saying that seeing you driving a Pontiac GTO after you’ve robbed a bank makes the GTO a personally identifiable vehicle. I don’t think that’s covered by most laws. If the IP address is not owned by you, can you make a claim against it? I hope they don’t say that anyone using an IP address can claim that it’s somehow supposed to be protected on their behalf. That would really hammer the system.

    I guess this is going to be sorted out in court sooner or later. Thanks for your comment.
