Slashdot Mirror


E.U. Regulator Says IP Addresses Are Personal Data

NewsCloud writes "Germany's data-protection commissioner, Peter Scharr, told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address, 'then it has to be regarded as personal data.' Scharr acknowledged that IP addresses for a computer may not always be personal or linked to an individual. If the E.U. rules that IP addresses are personal, then it could regulate the way search engines record this data. According to the article, Google does an incomplete job of anonymizing this data while Microsoft does not record IP addresses for anonymous search."

6 of 164 comments

  1. Is a license plate personal data? by Anonymous Coward · · Score: 5, Insightful

    Because that's today's car analogy for an IP address.

  2. And they plan to implement this how?! by CaptainPatent · · Score: 5, Informative

    The only way to check and see if your IP is being kept is by changing the protocol entirely or by checking the company's servers. I'm guessing that not too many companies would appreciate people routinely rooting around, and if something to check if an IP is stored were to be implemented, the protocol would have to be vastly overhauled and it could slow down the internet 80% or more because of the extra time needed to "check."

    The bottom line is this is much like the ruling in the US that companies had to keep a record of working memory (which is entirely impossible). This seems to be more legislators talking about something they know very little about.

    Don't get me wrong, I do appreciate the fact that it would make it harder for the ad industry to hunt you down which is always appreciated, I just don't think any reasonable implementation will work.

    --
    Well, back to rejecting software patent applications.
    1. Re:And they plan to implement this how?! by mxs · · Score: 5, Insightful

      You misunderstand the issue. If IP addresses are considered personal data, they can still be used during the connection and for tasks immediately related to servicing that connection -- akin to buying something with your credit card (which does not allow the store to store your personal information for purposes other than payment processing).

      In Germany's current privacy and data protection laws, everybody has the right to decide what happens to their own personal information if it is being processed by computers. For instance, you can tell Amazon to delete all personally identifiable data they have about you, and they have to comply -- and you can ask any company that has personal data about you (such as your phone number, your address, etc. in telemarketing and plain old snailmail spam) to tell you where they got it from, what basis they have for keeping it, and to delete it from their databases. If they do not comply, you have a strong legal standing to compel them to give out this information (Mr. Sharr, who is quoted here, is the national representative for data protection, though there are more local ones as well -- if they suspect foul play, they /can/ raid businesses, and do so if warranted).

      The legislators know very well what they are talking about. The scope of "personal data" is narrowly confined (anything that can be used to identify you or is saved in relation to data that can personally identify you or anything that could automatically be tied to you by a third party); IP addresses fall into the latter category; while a webhost will not be able to do the IP -> Name&Address resolution, the user's ISP could -- therefore the IP address is personally identifiable to a specific party through a third party and thus personal data protected under stringent data protection laws. This has been tested in court (the German DoJ, for instance, is no longer allowed to log IP addresses on their web servers by court order).

      These laws don't "just" exist to combat the ad industry, but rather are an extension of one of our constitution's human rights, that is, the right to free self expression; this includes, under German law, the right to decide what happens to your data. There are, of course, certain restrictions (for instance, the DMV can process this data, as can other governmental bodies -- IF SPECIFICALLY AFFORDED THAT RIGHT BY LAW -- for their (narrow) purposes). You can waive this right (i.e. you can give your address to Reader's Digest for them to spam you with as they see fit -- if you give the permission (which is always revocable), they can do with your data whatever you allowed them to; Sweepstakes, for instance, are often designed to gather this data and get permission).

      As for implementation thereof: I don't see a problem. The ip address can still be used to communicate same as before; it just can't be logged indefinitely nor used for purposes other than the intended one (i.e. connection establishment, communication, teardown vs. ad tracking) UNLESS the person in question has given permission. What this boils down to in Apache is adding mod_removeip. If no other information personally identifies your visitors (even through a third party), you can now log this data and do with it as you wish. Another possibility would be pseudonymizing the IP addresses with one-way hashes (though some care will have to be taken that this is not reversible easily, which may become a problem since there are only 32 bits in an IP address and thus bruteforcing is a viable tactic).

      Nothing needs to be implemented to "check" whether the IP is stored. If you have a reasonable assumption that your contract partner is screwing you over, you can lodge a complaint with the Landesdatenschutzbeauftragter or Bundesdatenschutzbeauftragter (Mr. Scharr in this case), who will investigate -- same as when you suspect they are selling your address information illegally or engage in other illegal activities.

      I for one am glad that there are some privacy advocates who think about this s
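
Added example (not part of mxs's comment or of any project named in the thread): the caveat above about one-way hashes of a 32-bit address, shown for a log pipeline. It contrasts an unkeyed hash, which re-hashing a candidate range undoes, with a keyed HMAC over a truncated address. The class name, the prefix lengths and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets


def naive_pseudonym(ip: str) -> str:
    """Unkeyed one-way hash of the address, the approach the comment cautions about."""
    return hashlib.sha256(ipaddress.ip_address(ip).packed).hexdigest()


def recover_by_enumeration(digest: str, candidates: str):
    """Re-hash every address in a range until one matches. Nothing secret goes
    into the hash, so the input space (2**32 for IPv4) is the only protection."""
    for addr in ipaddress.ip_network(candidates):
        if hashlib.sha256(addr.packed).hexdigest() == digest:
            return str(addr)
    return None


class KeyedPseudonymizer:
    """HMAC-SHA256 over a truncated address, under a key that is never logged.
    Prefix lengths are an assumed policy choice, not taken from the thread."""

    def __init__(self, key=None, v4_bits=24, v6_bits=48):
        self._key = key or secrets.token_bytes(32)
        self._bits = {4: v4_bits, 6: v6_bits}

    def token(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        net = ipaddress.ip_network(f"{addr}/{self._bits[addr.version]}", strict=False)
        mac = hmac.new(self._key, net.network_address.packed, hashlib.sha256)
        return mac.hexdigest()[:16]

    def rotate(self) -> None:
        """Replace the key and discard the old one: earlier tokens can no longer
        be recomputed or linked to new ones, even by the operator."""
        self._key = secrets.token_bytes(32)


if __name__ == "__main__":
    leaked = naive_pseudonym("192.0.2.77")  # constructed sample (TEST-NET-1)
    print("recovered:", recover_by_enumeration(leaked, "192.0.2.0/24"))
    p = KeyedPseudonymizer()
    print("log token:", p.token("192.0.2.77"))
```

While the key exists, whoever holds it can still enumerate addresses, so the keyed token is pseudonymous rather than anonymous until the key is rotated and discarded.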

  3. Re:So... by alx5000 · · Score: 5, Informative

    There's no European equivalent to RIAA... maybe there's such an organization on a country level, but I can assure you that sharing is completely legal in Spain, since fair use covers any kind of private copy, no matter whether you own the original or not (and yes, P2P falls into that category).

    --
    My 0.02 cents
  4. Re:Just Addresses by Beriaru · · Score: 5, Informative

    Your name is personal data, but not private.
    Your phone number is personal data, but not private.
    Your Address is personal data, but not private.
    And of course, your IP is not private... but is part of your personal data.

    Maybe in USA there is no difference between private and personal data, but in EU there's a big difference: nobody can NOT store your personal data without warning you and giving methods to correct AND ERASE your data.

  5. Re:He's totally right by unlametheweak · · Score: 5, Funny

    Don't believe everything you read. The Onion has about as much credibility with me as Fox News.