Slashdot Mirror


E.U. Regulator Says IP Addresses Are Personal Data

NewsCloud writes "Germany's data-protection commissioner, Peter Scharr, told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address, 'then it has to be regarded as personal data.' Scharr acknowledged that IP addresses for a computer may not always be personal or linked to an individual. If the E.U. rules that IP addresses are personal, then it could regulate the way search engines record this data. According to the article, Google does an incomplete job of anonymizing this data while Microsoft does not record IP addresses for anonymous search."

38 of 164 comments

  1. Is a license plate personal data? by Anonymous Coward · · Score: 5, Insightful

    Because that's today's car analogy for an IP address.

    1. Re:Is a license plate personal data? by Respawner · · Score: 4, Insightful

      actually, if you're using it to identify somebody, or if you keep it as general information about somebody(access log), then yes, yes it is
      just like a social security number is personal data, or the number on your id-card or your home-address and so on
      ooh yeah, don't confuse US-law with EU-law ;)
      and of course, IANAL

    2. Re:Is a license plate personal data? by barocco · · Score: 2, Interesting

      Don't quite agree... I don't think when you pull into the pharmacy to 'GET' a small-size condom you need to utter your license plate number to initiate a conversation & transaction with the cashier (well, in which case you'd probably avoid any conversation but just have the transaction done).

    3. Re:Is a license plate personal data? by LordSnooty · · Score: 2, Informative

      Yup, in my country whenever a car is shown on a news report for example they blur out the registration number. This is in line with data protection legislation of the late 90s.

  2. He's totally right by smittyoneeach · · Score: 4, Funny
    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear

    1. Re:He's totally right by unlametheweak · · Score: 5, Funny

      Don't believe everything you read. The Onion has about as much credibility with me as Fox News.

    2. Re:He's totally right by packeteer · · Score: 4, Funny

      Lies! Not only is fox fair and balanced but the Onion is "America's finest news source."

      --
      unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep

  3. Strange idea by geek · · Score: 3, Interesting

    Never really looked at it this way. I think it's become ingrained in us that IP's are a way of tracking instead of a way of communicating. Being able to track them is just a side issue. If we look at an IP as a means of communication then does that not make it private in some way? I don't know exactly how I feel about this but I'd certainly like to have more rights rather than less of them.

    1. Re:Strange idea by Amorymeltzer · · Score: 4, Insightful

      I always visualized it akin to your telephone number - yeah, it's your number, but anyone can look it up in the pages. You work a bit to get on the no-call list and taken out of the directory, and of course, you can change your number or hide it from caller ID.

      --
      I live in constant fear of the Coming of the Red Spiders.

  4. So... by deepershade · · Score: 3, Interesting

    Does that mean that if passed, then the RIAA can't use my personal data 'IP' to sue me? TFA was a little short on details of the repercussions of this.

    1. Re:So... by alx5000 · · Score: 5, Informative

      There's no European equivalent to RIAA... maybe there's such an organization on a country level, but I can assure you that sharing is completely legal in Spain, since fair use covers any kind of private copy, no matter whether you own the original or not (and yes, P2P falls into that category).

      --
      My 0.02 cents

    2. Re:So... by SharpFang · · Score: 2, Interesting

      In Poland, there's such an organization, ZAIKS. They request the IP-physical address mappings from the ISPs before sending the police to raid the people. ISPs are in no way obligated to give them the info, or withhold it - but since ZAIKS cooperates with the Police, ISPs usually yield, just not to anger the Police - they can't really hurt them, but they can make their life more difficult, so the ISPs usually hand over the info.

      Now with this decision in effect, ZAIKS would still sue you for copyright violation, just the same. But now you can sue your ISP for illegally distributing your personal data (it IS protected here!) and ISPs confronted with alternative between "inconveniences from the Police" and a serious threat of a valid legal action from the customer, are much more likely to make the right decision: "Sorry, this is personal data, we're not authorised to share it."

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2

  5. And they plan to implement this how?! by CaptainPatent · · Score: 5, Informative

    The only way to check and see if your IP is being kept is by changing the protocol entirely or by checking the company's servers. I'm guessing that not too many companies would appreciate people routinely rooting around, and if something to check if an IP is stored were to be implemented, the protocol would have to be vastly overhauled and it could slow down the internet 80% or more because of the extra time needed to "check."

    The bottom line is this is much like the ruling in the US that companies had to keep a record of working memory (which is entirely impossible). This seems to be more legislators talking about something they know very little about.

    Don't get me wrong, I do appreciate the fact that it would make it harder for the ad industry to hunt you down which is always appreciated, I just don't think any reasonable implementation will work.

    --
    Well, back to rejecting software patent applications.

    1. Re:And they plan to implement this how?! by alx5000 · · Score: 2, Informative

      And, yes, while we're at it, let's not prosecute fiscal fraud (since it's so hard to check the company's books, and not too many companies want theirs scrutinized).

      The same can be applied to websites collecting info on users to sell it to spammers. It's really, really (really!) hard to prove they've sold it, but that wouldn't stop legislators from sanctioning that law, would it?

      If the EU passes a law that adds IP addresses to the list of protected private data, that only means it is illegal to collect them and store them. And if you get caught, face the consequences, just like with any other law.

      --
      My 0.02 cents

    2. Re:And they plan to implement this how?! by dleigh · · Score: 3, Informative

      TFA (and some slashdot readers) seem to be assuming that he is calling for a ban on logging IPs. TFA is pretty thin on what was actually said at the meeting, just taking the assumption and asking a few search company spokespeople for their opinion on that assumption. The commissioner doesn't seem to be claiming anywhere that IP addresses should not be stored, or that regulators should check to see if they are not stored, or that any "implementation" of anything is or should be required. The only statement from him seems to boil down to "something which identifies a person should be considered personal data".

    3. Re:And they plan to implement this how?! by mxs · · Score: 5, Insightful

      You misunderstand the issue. If IP addresses are considered personal data, they can still be used during the connection and for tasks immediately related to servicing that connection -- akin to buying something with your credit card (which does not allow the store to store your personal information for purposes other than payment processing).

      In Germany's current privacy and data protection laws, everybody has the right to decide what happens to their own personal information if it is being processed by computers. For instance, you can tell Amazon to delete all personally identifiable data they have about you, and they have to comply -- and you can ask any company that has personal data about you (such as your phone number, your address, etc. in telemarketing and plain old snailmail spam) to tell you where they got it from, what basis they have for keeping it, and to delete it from their databases. If they do not comply, you have a strong legal standing to compel them to give out this information (Mr. Sharr, who is quoted here, is the national representative for data protection, though there are more local ones as well -- if they suspect foul play, they /can/ raid businesses, and do so if warranted).

      The legislators know very well what they are talking about. The scope of "personal data" is narrowly confined (anything that can be used to identify you or is saved in relation to data that can personally identify you or anything that could automatically be tied to you by a third party; IP addresses fall into the latter category; while a webhost will not be able to do the IP -> Name&Address resolution, the user's ISP could -- therefore the IP address is personally identifiable to a specific party through a third party and thus personal data protected under stringent data protection laws. This has been tested in court (the German DoJ, for instance, is no longer allowed to log IP addresses on their web servers by court order).

      These laws don't "just" exist to combat the ad industry, but rather are an extension of one of our constitution's human rights, that is, the right to free self expression; this includes, under German law, the right to decide what happens to your data. There are, of course, certain restrictions (for instance, the DMV can process this data, as can other governmental bodies -- IF SPECIFICALLY AFFORDED THAT RIGHT BY LAW -- for their (narrow) purposes). You can waive this right (i.e. you can give your address to Reader's Digest for them to spam you with as they see fit -- if you give the permission (which is always revocable), they can do with your data whatever you allowed them to; Sweepstakes, for instance, are often designed to gather this data and get permission).

      As for implementation thereof: I don't see a problem. The ip address can still be used to communicate same as before; it just can't be logged indefinitely nor used for purposes other than the intended one (i.e. connection establishment, communication, teardown vs. ad tracking) UNLESS the person in question has given permission. What this boils down to in Apache is adding mod_removeip. If no other information personally identifies your visitors (even through a third party), you can now log this data and do with it as you wish. Another possibility would be pseudonymizing the IP addresses with one-way hashes (though some care will have to be taken that this is not reversible easily, which may become a problem since there are only 32 bits in an IP address and thus bruteforcing is a viable tactic).

      Nothing needs to be implemented to "check" whether the IP is stored. If you have a reasonable assumption that your contract partner is screwing you over, you can lodge a complaint with the Landesdatenschutzbeauftragter or Bundesdatenschutzbeauftragter (Mr. Scharr in this case), who will investigate -- same as when you suspect they are selling your address information illegally or engage in other illegal activities.

      I for one am glad that there are some privacy advocates who think about this s
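
The one-way-hash pseudonymization described in the comment above, as an added example that is not part of the original thread or any poster's code: it contrasts a plain hash of the address, which an auditor can reverse by enumerating candidates, with a keyed and truncated pseudonym. All function names, the 16-character tag length, the /24 and /48 truncation and the sample log lines are assumptions made for this illustration.

```python
"""Pseudonymizing client IPs in access logs (added example, constructed data)."""
import hashlib
import hmac
import ipaddress
import secrets

# Constructed Common Log Format lines using documentation address ranges.
SAMPLE_LOG = [
    '198.51.100.23 - - [22/Jan/2008:10:00:00 +0000] "GET /search?q=a HTTP/1.1" 200 512',
    '198.51.100.23 - - [22/Jan/2008:10:00:05 +0000] "GET /search?q=b HTTP/1.1" 200 498',
    '2001:db8:1:2::99 - - [22/Jan/2008:10:00:09 +0000] "GET / HTTP/1.1" 200 1024',
]


def naive_pseudonym(ip: str) -> str:
    """Weak form: unkeyed hash of the address text. Anyone can recompute it."""
    return hashlib.sha256(ip.encode()).hexdigest()


def truncate(ip: str) -> str:
    """Drop host bits before hashing: keep /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """Hardened form: HMAC-SHA256 under a secret key over the truncated address.

    Without the key the tag cannot be recomputed, so enumerating the 2**32
    IPv4 candidates does not help. Discarding an old key (for example on a
    daily rotation) also makes older tags unlinkable.
    """
    packed = ipaddress.ip_address(truncate(ip)).packed
    return hmac.new(key, packed, hashlib.sha256).hexdigest()[:16]


def recover_by_enumeration(digest: str, network: str, hash_fn):
    """Audit check: return the address in `network` whose pseudonym equals
    `digest`, or None. A hit means the scheme is reversible."""
    for host in ipaddress.ip_network(network):
        if hmac.compare_digest(hash_fn(str(host)), digest):
            return str(host)
    return None


def pseudonymize_line(line: str, hash_fn) -> str:
    """Replace the leading client-address field of one log line."""
    ip, sep, rest = line.partition(" ")
    return hash_fn(ip) + sep + rest


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept outside the logs, never written to them
    net = "198.51.100.0/24"        # small constructed range so the check is quick

    weak = naive_pseudonym("198.51.100.23")
    print("plain hash reversed to:", recover_by_enumeration(weak, net, naive_pseudonym))

    strong = keyed_pseudonym("198.51.100.23", key)
    print("keyed tag reversed to:", recover_by_enumeration(strong, net, naive_pseudonym))

    for line in SAMPLE_LOG:
        print(pseudonymize_line(line, lambda ip: keyed_pseudonym(ip, key)))
```

Requests from the same /24 still share a tag, so per-visitor counts within one key period remain approximate rather than exact.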

    4. Re:And they plan to implement this how?! by unlametheweak · · Score: 2, Insightful

      The real issue would be how any privacy protections like storing IPs would be enforced. It is doubtful that a company would willfully admit to storing IPs if it is against the law to do so. I know if I were running a server (Web, FTP, IRC, etc), then I would store IPs despite the law, just because it makes sense from a security perspective (I would want to know who is online, who to ban, etc).

      IP's contain less value over time (most consumers have dynamic IP's, can switch ISPs, use proxies, etc), so storing them for years wouldn't make a lot of practical sense anyways in most cases. Calling something as ephemeral and virtual as an IP personal property may be fine for politicians, but the utility of this is yet to be seen.

      The more practical solution would be to legislate what a company or individual actually does with an IP. Do they sell it to spammers or crackers? or do they store it so that they can ban known spammers or crackers from entering their servers?

    5. Re:And they plan to implement this how?! by thannine · · Score: 2, Informative

      The commissioner doesn't seem to be claiming anywhere that IP addresses should not be stored, or that regulators should check to see if they are not stored, or that any "implementation" of anything is or should be required. The only statement from him seems to boil down to "something which identifies a person should be considered personal data".

      And this would be the logical thing to say. Many posters have been wondering "how are they going to implement this?". Well, the thing is that laws like that are already in place (at least in Finland, but I'm assuming the rest of EU also), it's just the question of whether they apply to IP addresses as well as phone numbers, addresses, social security numbers etc. It's not illegal as such to store those, it's just regulated.

  6. Just Addresses by excelblue · · Score: 4, Insightful

    I am truly disappointed in this. If IP addresses are a means of communications, wouldn't that be similar to phone numbers?

    It shouldn't be any more personal than a phone number is. Whenever someone calls me, I like to log them on my caller ID. I don't see a difference here.

    1. Re:Just Addresses by davetpa · · Score: 2, Insightful

      It shouldn't be any more personal than a phone number is. Whenever someone calls me, I like to log them on my caller ID. I don't see a difference here.

      But what about if the phone company sells your phone number (no other information attached) along with a record of all the numbers you called and all the numbers that called you? Now your phone number is no longer just a means of communication.

      The scary part is that they've been doing that for years WITH your other personal information!

    2. Re:Just Addresses by mr_matticus · · Score: 4, Insightful

      Yeah.

      That's exactly what's going on. Your phone number is personal data, too.

      I don't understand the source of your disappointment, unless you think that personal data is private information. It's not.

    3. Re:Just Addresses by Beriaru · · Score: 5, Informative

      Your name is personal data, but not private.
      Your phone number is personal data, but not private.
      Your Address is personal data, but not private.
      And of course, your IP is not private... but is part of your personal data.

      Maybe in USA there is no difference between private and personal data, but in EU there's a big difference: nobody can NOT store your personal data without warning you and giving methods to correct AND ERASE your data.

    4. Re:Just Addresses by QuantumG · · Score: 4, Funny

      nobody can NOT store your personal data without warning you

      Well shit, I better warn you right now that I'm not storing your personal data.. that goes for everyone else reading this: I AM NOT STORING YOUR PERSONAL DATA!

      Whew, lucky I got that out of the way.

      --
      How we know is more important than what we know.

  7. Whoa by MattPat · · Score: 2

    I can't believe what I'm seeing. Is this actually a semi-responsible technology-related decision made by a legislative body?

    I'm not saying I necessarily agree with the complete "scrubbing" of Google et al.'s records, as it were, but the classification of an IP address as personally-identifiable information is definitely a positive step towards Internet freedom, and a reasonable expectation of some degree of privacy. At the very least, it gives you a leg to stand on when you find out that some company has been selling your browsing habits to an advertiser.

  8. Trust Microsoft by Doc+Ruby · · Score: 3, Interesting

    According to the article, Google does an incomplete job of anonymizing this data while Microsoft does not record IP addresses for anonymous search.


    Unless Microsoft is just lying. How can they be trusted, with their track record?
    --
    make install -not war

  9. Ok, more craziness by Psychotria · · Score: 2, Interesting

    How is an IP address more "personal" than my GPS location at any given point in time? Sure an IP address can be "mine" if I have my own domain etc. This is not usually the case though. Most IP addresses are "owned" by the ISP and assigned to people via DHCP (except for static ones). This is not too much unlike a restaurant reserving tables for a customer, and sometimes reserving a table for a customer for a long time. It doesn't make the table being reserved the customer's personal property; the restaurant still owns it--it is no more personal than, well, any other table in an anonymous bar (for example). I can't see how IP addresses can be "personal".

  10. Begs the question... by __aaclcg7560 · · Score: 2, Interesting

    If IP addresses are personal data, who owns 127.0.0.1?

    1. Re:Begs the question... by lexarius · · Score: 3, Funny

      Well, that's my computer's IP address, so it's obviously mine, and I'll have to ask you to stop waving it around like that.

  11. Re:Citation needed by Your.Master · · Score: 2, Insightful

    The report isn't released yet. It's from an EU regulator. These guys aren't noted for being particularly sympathetic toward Microsoft. This sort of question is kind of tinfoil-hattish.

    Look at the privacy policies of Microsoft and Google. Search them out yourself. Google them, or live search them if you don't want your IP logged. MS's official position on privacy is generally fairly strict, and they consider it a selling point. Google's is less so, and they consider it a non-issue.

    If you disbelieve these stated corporate policies, then you really should get in contact with a lawyer and take some action.

  12. Re:Citation needed by Kamokazi · · Score: 2, Funny

    With a statement like that I really doubt you'd even believe it coming from your own mother holding a document signed by Bill Gates and notarized by a Supreme Court judge. Because, you know, Microsoft doing something better than Google completely contradicts the Slashdot Theory of Logic.

    --
    As our way of thanking you for your positive contributions to Slashdot, you are eligible to disable Slashdot 2.0.

  13. Major legal issues arising? by DigitAl56K · · Score: 2, Interesting

    If IP addresses are personal data, and you visit my web page, and my access logs show I served an IP that you used at a certain time (or even just that I served an IP you used), am I now subject to laws regarding the holding of personal information? If you were to contact me and request that information how would I authenticate you? If I was to disclose certain parts of the "personal data" that you claimed belonged to you, how could I know that I was not disclosing someone else's personal information, given that I can't necessarily authenticate you or anyone else and IP's can be re-allocated? If I ban an IP address for abusing my server and it is later re-allocated to someone else, is that slander? If I forward an e-mail whose headers contain IP addresses of relay servers, is that unlawful disclosure of personal information?

    This is totally ridiculous.

    1. Re:Major legal issues arising? by arkhan_jg · · Score: 2, Informative

      You're assuming the restrictions on personal data are greater than they are. If IP's are judged personal data, that makes them like a telephone number or an address (The Act covers any data which can be used to identify a living person). Still, you do have some responsibilities, *if you're in the EU* with regards handling personal data. Basically, there are restrictions on publishing it or sharing it around without permission, and you can only use it for the original purpose for which it was collected. (Sensitive personal data, i.e. really private stuff, is more strictly controlled)

      For example, say you were to publish your webserver access logs; you'd be better off anonymising the IP's somewhat first. Just as if I call you on the phone, you're allowed to store the caller ID, call me back or even put me on your internal call-list - but publishing my phone number, along with transcripts of our conversations without permission would be a no-no. Nor can you flog it off on the open market to cold callers. When you sign up for a phone line here, you're asked if you want the number to appear in the phone book, or go ex-directory.

      Again, this only applies if you live in an EU country with data protection laws.

      If IP addresses are personal data, and you visit my web page, and my access logs show I served an IP that you used at a certain time (or even just that I served an IP you used), am I now subject to laws regarding the holding of personal information?
      If you're an individual holding the data for your own personal use, you are exempt from much of the data protection act, including having to tell people when they ask what data you hold on them. If you're a company, when given a proper request and the fee to handle the request, would have to look in the logs when given the IP, and would have to report that yes, you hold 7 instances of that IP in your log. If your log expires before you have to answer the request (40 days I think), you don't have to give anything.

      If you were to contact me and request that information how would I authenticate you? If I was to disclose certain parts of the "personal data" that you claimed belonged to you, how could I know that I was not disclosing someone else's personal information, given that I can't necessarily authenticate you or anyone else and IP's can be re-allocated?
      You don't have to disclose the other data that goes with the IP, just the IP itself that they supply to you. You then say whether you hold that or not.

      If I ban an IP address for abusing my server and it is later re-allocated to someone else, is that slander?
      It'd be libel as it's written, not slander as that's spoken. Libel only applies if you *publish* lies about someone, such as 'this IP searches for goat porn' (when they don't). Storing it for your own blacklist is fine. If you're a company, the new holder of the IP could ask that you correct your record under data protection law though.

      If I forward an e-mail whose headers contain IP addresses of relay servers, is that unlawful disclosure of personal information?
      No, because relay servers do not identify a living human. Also, it's the processing and storage of personal identifying data for later use that's covered, not mere transmission. The owners of servers that store those emails would likely have responsibilities under the data protection act, but then they do anyway because of the contents of the email itself!

      --
      Remember kids, it's all fun and games until someone commits wholesale galactic genocide.

  14. Doesn't quite work as an analogy by CaptainZapp · · Score: 2, Insightful

    yeah, it's your number, but anyone can look it up in the pages

    While everybody can check a directory such directories don't exist for IP numbers. Respectively the information needs to be obtained from the ISP.

    I never heard of the requirement of a court order before checking a phone directory.

    --
    ich bin der musikant

    mit taschenrechner in der hand

    kraftwerk

  15. It's Peter SCHAAR by Doctor+O · · Score: 3, Informative

    His name is Peter Schaar, not Scharr. One would think the editors would at least *skim* TFA.

    Oh, and he's a great guy BTW, responding to email in a timely and thoughtful manner, and investigating the questions he's being asked.

    --
    Who is General Failure and why is he reading my hard disk?

  16. Re:worry about the German government first by Yvanhoe · · Score: 2, Insightful

    Germans learned from nazism and sovietism that privacy was a damn serious issue. That any entity with personal information about several million people can turn into something nasty. They completely understand how IP logs could be used in a bad way, Americans tend to be optimistic about this but Germans already have undergone two periods of oppression that relied on an extensive invasion of privacy.

    --
    The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.

  17. How will this affect Wikipedia? by ta+bu+shi+da+yu · · Score: 2, Insightful

    Wikipedia records IP addresses for all anonymous editors. I wonder how this will affect the project?

    --
    XML is like violence. If it doesn't solve the problem, use more.

  18. Data Protection by stevenmu · · Score: 2, Insightful

    Wow, even for /. there's a lot of people who didn't even read the summary, let alone TFA. And there's a lot of FUD being spread. What this means is that IP address information might be considered personal data under EU data protection laws. This means that companies/corporations/organisations which log your IP address will have to have a privacy policy in place governing how that information is used. There are also certain requirements, such as they have to make people's own information available to them if requested, they have to disclose breaches of information to those affected and so on. It doesn't stop logging IP addresses, it won't stop webservers using client IPs to maintain stateful connections, it won't stop google associating IP addresses with search data, it won't stop wikipedia or forums storing the IP of posters. It just means that organisations doing this need a privacy policy in place to protect this data (which most of them already have to protect other private data they store). It's just acknowledging that IP addresses can/may be used, in some cases (the summary points out that they already acknowledge IP addresses are often dynamic), to identify a person and deserves the same level of protection that things like phone numbers and home addresses already have.

  19. Yahoo Germany Helpdesk by Anonymous Coward · · Score: 2, Funny

    Helpdesk: "Hello, this is the Yahoo Germany Helpdesk"
    Caller: "Yes, I want you to delete all your records with my IP address in it..."
    Helpdesk: "OK"
    Caller: "and I want you to tell me who gave you my IP address."
    Helpdesk: "Umm, well your computer will have sent us your IP address when you connected to the website"
    Caller: "Oh, I don't think so, I have a very good firewall."

    Helpdesk: "Hello, this is the German National Bank Helpdesk"
    Caller: "Yes, I want you to delete all your records with my IP address in it..."
    Helpdesk: "Sure, and what is that IP address?"
    Caller: "10.0.0.10"

    Helpdesk: "Hello this is Ebay Germany, how can I help you."
    Caller: "Could you please delete all records relating to my IP address."
    Helpdesk: "Sure, do you know what the number is?"
    Caller: "Didn't you make a note when you recorded it!"