Swedish Court Says IP Numbers Privacy Protected

oh2 writes "The highest applicable Swedish court, Regeringsrätten, has ruled that IP numbers are protected (in Swedish) since they can be traced to individuals. This means that only government agencies are allowed to track and store IP addresses, leaving 'anti-piracy' advocates with no legal way to find possible copyright infringers." Update: 06/18 14:42 GMT by KD : The original linked article had been pulled due to factual errors and a new article has been posted (link replaced above). Here is a Google translation. The new article makes clear that the ruling does not affect the anti-piracy efforts of rights-holders.
Update: 06/18 15:08 GMT by KD : Behind the link below is a summary in English of the article sent in by the submitter, oh2.
This autumn Datainspektionen will start monitoring how the IPRED law is applied when it comes to disclosure of personal information. A recent verdict in the Regeringsrätten, Sweden's highest applicable court, has upheld Datainspektionens decision that IP addresses are to be considered personal information and therefore protected under law.

In 2005 Datainspektionen ruled that collecting and storing personal information online like copyright advocates were doing was a breach of the Swedish PUL, Personal information act, that regulates how and what kind of information that can be traced to a single individual that can be stored. The anti-piracy organizations were quickly granted an exemption though, that expired March 31st. Starting April 1st this year IPRED allows holders of copyright to apply to the courts for this information.

Datainspektionen will now monitor closely how any personal information acquired from the courts in this manner is used by copyright holders.

Proxy

[Threni]

I see growing trade for companies who 'launder' access to other sites, and not just warez, but absolutely anything else. Perhaps there'll be more TOR exit nodes there now?

Re:Proxy

[jackharrer]

Rather more VPN servers you can connect to. Those are already quite popular in countries like Sweden, where bandwidth is cheap and plenty.

Also there is a chance of people going for seedboxes as prices of those also dropped.

bad rule

[gmack]

And no way for server admins to track what virus infected bots are trying to break into their systems.

This rule will hurt more than it will help.

Re:bad rule

[master5o1]

Hmm...Nah.

Re:bad rule

[jtev]

First thing I thought of too. That, and almost all servers already log connections by IP address. I mean, I look at /var/log/secure and what I see is a list of IP addresses that have connected to my machine, with what they have been trying to do. Someone didn't have their thinking caps on when they wrote this law.

Re:bad rule

[polle404]

the first article has been removed, since it was wrong on several points.
http://www.dn.se/kultur-noje/nyheter/ny-dom-paverkar-inte-ipredlagen-1.894500
the court says: IP's are personal information, therefore you can only get this information through a court of law, and this ruling does not affect the Ipred law
http://en.wikipedia.org/wiki/IPRED

so a sysadm is not prohibited in managing his own network.

Re:bad rule

[Narpak]

"The highest applicable Swedish court, RegeringsrÃtten, has ruled that IP numbers are protected (in Swedish) since they can be traced to individuals. This means that only government agencies are allowed to track and store IP adresses, leaving "anti-piracy" advocates with no legal way to find possible copyright infringers."

This is pretty much the way things are, and have been, in Norway now for many years. And so far I have heard none of my friends in IT, nor anyone in the media, complain about "And no way for server admins to track what virus infected bots are trying to break into their systems."being a problem.

Re:bad rule

And no way for server admins to track what virus infected bots are trying to break into their systems.

This rule will hurt more than it will help.

Can I use that BS rule next time my system has any problems? What a load of horse .... Any compentent admin can take care of the system without knowing who did it. Yes I would like to know what little snot nosed 13yr old kid is doing the evilness but it could just as well be your grandma that got owned and doesn't know she's doing it.

So your real statement should say, "And no way for server admins to track down WHO is trying to break into there system. This rule will hurt the accountability process more than it will help.

I agree with the second statement, but only in so much as it will hurt accountabily, there are many sides to the IP coin. If you had to live with RIAA and MIAA being total over the top BS artists to sue some 79yr old grandmother who doesn't own a computer then you might look at this from a different perspective.

Re:bad rule

[CarpetShark]

What are you talking about? People attack your servers, and you hunt them down and kill them? When people attack your server, you find the responsible network block's admins abuse address, and report the IP and the problem. If they fail to act, and you continue to see attacks from that ISP, then you report that ISP upstream. None of that requires you knowing the individual(s) involved, and rightly so, since it could be the ISP pretending to be the individuals, for instance.

As for hurting more than helping... a swedish feminist politician recently compared (very directly, in a short post about that subject alone) file sharing to rape. Are you really saying you don't value privacy of your IP address in a world like that, considering that people have been killed in mob violence when they were mistakenly believed to be child molesters, for instance?

Please think a little more about what you're saying. It's often said, but nonetheless true, that those who would sacrifice freedom for security deserve neither.

Re:bad rule

[Rakshasa+Taisab]

It's not a problem as while the agency responsible for pushing companies to secure, delete or reorganize the information they hold on individuals, they haven't really gone after web-server logs and systems used to track virus infected bots. But if you try using logs to catch filesharers, you might suddenly get in trouble. I guess we're just a bit more flexible when it comes to applying common sense.

Re:bad rule

[ShieldW0lf]

As for hurting more than helping... a swedish feminist politician recently compared (very directly, in a short post about that subject alone) file sharing to rape. Are you really saying you don't value privacy of your IP address in a world like that, considering that people have been killed in mob violence when they were mistakenly believed to be child molesters, for instance?

It's true that many mobs throughout history have burned witches at the stake. Even Swedish witches. These are definitely things that we ought to be concerned about...

Re:bad rule

[jonaskoelker]

And no way for server admins to track what virus infected bots are trying to break into their systems.

Even worse than this:

No way for ISPs to store in their DHCP server IP pool which IP addresses have already been given to customer networks.

Let's enforce this against the ISP of the judge who came up with this idea ;-)

Or maybe have them rethink the issue and specify in greater detail what should and shouldn't be allowed. If the problem is using IPs to identify people, instead of banning the storage of IP addresses one should ban the use of stored IP addresses to identify people?

Re:bad rule

[xtracto]

And no way for server admins to track what virus infected bots are trying to break into their systems.

This rule will hurt more than it will help.

I was just thinking, from the following snippet in the summary:
IP numbers are protected (in Swedish) since they can be traced to individuals

The bad thing about this statement is that AFAIK one of the main defense points against the MAFIAA tactics is/was that an IP cannot be deffinitely linked to an individual... how does this decision affect that? does it means that now that the highest Swedish court made this explicit, the sue-friendly groups can backup in this assumption?

Re:bad rule

Not quite. My Postal address is personal information too. But I give it to you whenever I want to have a response by mail. An IP address is like that. You can off course respond to and keep the info that is handed to you, but not sell it or give to other companies. This will hurt though, as you probably want the right to pass those addresses to a security firm or to your provider.

Re:bad rule

As for hurting more than helping... a swedish feminist politician recently compared (very directly, in a short post about that subject alone) file sharing to rape. Are you really saying you don't value privacy of your IP address in a world like that, considering that people have been killed in mob violence when they were mistakenly believed to be child molesters, for instance?

It's true that many mobs throughout history have burned witches at the stake. Even Swedish witches. These are definitely things that we ought to be concerned about...

I do believe you missed one of the witches. Fetch out the torches and pitchforks. Better late then never. ;P

Re:bad rule

[Opportunist]

It's rather common sense that people who get sued as filesharers are usually more interested in how they were found (and press charges if they find out that foul play was the original lead) rather than someone being told by their ISP that they are part of a botnet, which has no legal implications whatsoever.

In the first case you usually stand against a lawyer (hired by the accused) who will do whatever is in his power to punch holes into your argumentation, and if he can't achive anything else, then he'll do whatever he can to maximize your loss, preferably to the benefit of his client (i.e. countersuit for privacy infringment with the goal of a settlement that reduces his client's fine).

In the latter case you stand against a fairly clueless computer user that gets an angry letter from his ISP, a user who usually doesn't even know his IP address can be logged... or what an IP address is in the first place.

Re:bad rule

[Opportunist]

A feminist liking filesharing to rape? This can only mean:

a) She's not really a feminist.
b) She's been fed enough BS about filesharing to actually believe it.
c) She's on the payroll of some media company.
d) All of the above.

Re:bad rule

[PhilHibbs]

When people attack your server, you find the responsible network block's admins abuse address, and report the IP and the problem.

But by reporting the IP address, you are recording and transmitting someone else's private information.

Re:bad rule

[Elektroschock]

Or the smaller brain?

*duck*

Re:bad rule

A feminist liking filesharing to rape? This can only mean:

a) She's not really a feminist.
b) She's been fed enough BS about filesharing to actually believe it.
c) She's on the payroll of some media company.
d) All of the above.

Or!!

e) The idea of filesharing appeals to her :-D

Re:bad rule

[turbidostato]

"This is pretty much the way things are, and have been, in Norway now for many years."

Yes, I'm sure they are. They point is "and the news are?". I know IP address being consired private data subjected to privacy laws in Spain for about ten years and I bet that's the case all around Europe too.

Re:bad rule

[turbidostato]

The bad thing about this statement is that AFAIK one of the main defense points against the MAFIAA tactics "is/was that an IP cannot be deffinitely linked to an individual... how does this decision affect that?"

"May", which is enough to get into consideration when we are talking about fundamental rights as is the one about privacy, versus "for sure" which is what the MAFIAAs around the world want governments to believe.

A city council will mark as "non potable" any water spring that is not under scrutiny. Would that mean it is certainly "poisonous"?

Re:bad rule

[turbidostato]

"Not quite. My Postal address is personal information too. But I give it to you whenever I want to have a response by mail. An IP address is like that"

Exactly. That's why laws all throught Europe will treat your postal address as private data, unless you decide to make it public, and protect it under quite strong barriers too.

No: telling your postal address to someone doesn't allow him to abuse it on ways you didn't allow him too.

Re:bad rule

[lazy_nihilist]

I wonder if logging IP addresses from bit-torrent clients on a personal computer would be illegal under this ruling.
And some people write some damn good bit-torrent clients :-) Thank you for the great program

Far reaching consequences

[bjourne]

This decision doesn't only affect anti-piracy hunters. Virtually all web companies track user ip addresses for various purposes.

Re:Far reaching consequences

Virtually all web companies track user ip addresses for various purposes.

But they don't fall under the Swedish law.
IANAL, but this new law looks like it prevents people from using IP addresses against Swedish people in a Swedish court. It is probably legal to use them against Swedish people in other countries.

Re:Far reaching consequences

[Yvanhoe]

Presumably with their users' consent...
Plus, many web companies prefer to use cookies. Tracking via IP always causes troubles.

Re:Far reaching consequences

Note that it applies to IP numbers as a means to identify individuals.

The law in question is called , loosely translated "the personal information law" and basically says that it is illegal to record data that can be tied to an individual without that individuals consent.

If you connect to a server, your consent is implicit, and the IP address as such is fairly anonymous. But stuff like doubbleclicks cookie tracking is illegal.

Re:Far reaching consequences

It's not legal to store an ip address since according to this ruling an ip address can be used to identify a person. In Sweden you can't store any information that can identify a person according to PUL (personuppgiftslagen, http://sv.wikipedia.org/wiki/PUL) without Datainspektionens (the data inspection) permission.

Re:Far reaching consequences

[turbidostato]

"It's not legal to store an ip address since according to this ruling an ip address can be used to identify a person. In Sweden you can't store any information that can identify a person according to PUL (personuppgiftslagen, http://sv.wikipedia.org/wiki/PUL) without Datainspektionens (the data inspection) permission."

And that's *exactly* the point and the one (almost) everyone here on Slashdot seems to be missing.

It is *not* illegal to retain IP address info. It is illegal to retain IP address info *disregarding* the protections stablished by law about private personal data management.

And that's the case all througth Europe: all countries have similar "private personal data" protection laws that basically read the same: if you are managing personal private data (and IP address are considered as such) you better follow the rules we stablish for such a case (which more or less you can resume like this: make the affected person know you are collecting such data and his lawful rights on the case -like his ability to access what private data a company is collecting about him, to correct it and delete/nullify if there's no legal obligation to retain it -you can't ask a company to delete your financial data if the company is under the obligation to declare it for tax purpouses, for instance; don't use it for any other purpouses than those you said when collecting it; let the proper public organims know you are collecting private data, so they know there's a fair need to collect it; delete the data as soon as the alleged purpouse is vanished and protect the data proportionally to its sensibility as the law defines it -not much more than plain common sense).

Working link:

[bauernakke]

http://www.dn.se/kultur-noje/nyheter/ny-dom-paverkar-inte-ipredlagen-1.894500

No, sorry.

[richie2000]

There's an exception to this law in the recently enacted IPRED-law (based on an EU directive) that basically allows rightsholders to gather IP-addresses anyway.

Re:No, sorry.

[hansraj]

And that means that whoever tagged the story "suddenoutbreakofcommonsense" can only weep when the music industry will keep doing what they already do but many with perfectly sensible reason will not be allowed to store logs including ip addresses.

Sometimes I don't know whether one ought to laugh or cry at the knee-jerk reactions one sees on /. (well everywhere actually).

Re:No, sorry.

[L4t3r4lu5]

Don't you know anything about IT? "Deny" automatically overrules "Allow"

From http://en.wikipedia.org/wiki/Supreme_Administrative_Court_of_Sweden

... [T]he court as an institution is independent of the Riksdag, and the government is not able to interfere with the decisions of the court.

That's the IPRED law out the window, then.

Re:No, sorry.

[CarpetShark]

In some configurations, the rule is deny first, then allow. In others, it's the opposite.

Re:No, sorry.

[L4t3r4lu5]

Turns out that this is total rubbish, as there is a clause in Government law which appears to supersede this. So, the Government CAN interfere (read: ignore) with Supreme Administrative Court decisions.

If the system was in any way similar, this would be like the Commons bring in legislation which contravenes a decision by the Lords. It seems that the systems are not analogous, though.

Re:No, sorry.

[value_added]

Don't you know anything about IT? "Deny" automatically overrules "Allow"

LOL. Do you?

If so, maybe you can explain how the rules relevant to Windows' ACLs (which I assume you're referring to) define IT, generally, how those those rules are relevant to say, packet filtering, and then, how they apply to the Swedish legal system.

So that you don't feel like a complete ass, I'll offer the comment that in the context of women (specifically, the behaviour of the ones I've known), it would be correct to suggest that an inherited deny overrides an inherited allow permission unless overridden by an explicit allow, but if you asked her, she'd insist that it's always the last matching rule that wins.

Re:No, sorry.

[L4t3r4lu5]

but if you asked her

There's your problem, right there.

Re:No, sorry.

[cbiltcliffe]

It also depends on whether it's "first match", or "apply all rules in order, then evaluate result."

Article has been replaced

[mattj452]

The article had a lot of errors and DN has replaced it with a new article: http://www.dn.se/kultur-noje/nyheter/ny-dom-paverkar-inte-ipredlagen-1.894500 In short: They can still do what they want, but they need a permit for it.

Re:Article has been replaced

[EyyySvenne]

If by "them" you mean anti-piracy, no, they already got their "permit" from the IPRED-law.

Exemption...

[Trracer]

Sadly the Swedish anti-pirate bureau has an exemption allowing them to store the IP-addresses. This has already been updated in the Swedish press.

Re:Exemption...

[oh2]

Yes, there was a couple of factual errors in the original article. The upside is that IP numbers ARE now regarded as personal information in Sweden, the downside is that the IPRED law is still an abomination and a major infringement on our civil rights. Even more so now, really.

Storing addresses you say

So If I run a web server in Sweden, all my apache logs are now illegal? Better block all my nationals.

Re:Storing addresses you say

[turbidostato]

"So If I run a web server in Sweden, all my apache logs are now illegal?"

No. That means that if you run a web server in Sweden (and most all Europe for that matter) then you are collecting private personal data so you better follow the laws about private data management.

"Better block all my nationals."

Sweden is a free market economy. Surely there's nobody forcing you to make bussiness there. Only that if you want to make bussiness in Sweden, you'd better follow the rules.

Article's been replaced

Here's the new link.

The bottom line is that despite the ruling from regeringsrÃtten, APB may still collect IP addresses.

Slashdot

News for nerds, stuff that's English.

If only in the U.S.

[elrous0]

I'm going to fire off an email to my friends right now letting the know about this landmark decision. I'll also send it unencrypted so the NSA can hear about it too.

Re:If only in the U.S.

I'm going to fire off an email to my friends right now letting the know about this landmark decision. I'll also send it unencrypted so the NSA can hear about it too.

Your a complete doofus if you think NSA cares about A) your email and B) your encrypted email that they can open any time they want. So send your photos of the dog and get over your paranoid delusions

Re:If only in the U.S.

NSA has access to all american CA root certificates.

Re:If only in the U.S.

[cbiltcliffe]

NSA has access to all american CA root certificates.

Not the one I made myself.
Besides...gpg doesn't use root certificates.

But aren't they addresses?

[LaminatorX]

Isn't the whole point of a publicly routable address to trace to a specific host or gateway? I sense some significant unintended consequences here. A ton of services will have real problems if this gets enforced thoroughly.

I'm comparing this to phone numbers in my head. Even if you have an unlisted number, should it be illegal for someone to write down your number if it shows up on caller ID when you call them?

Re:But aren't they addresses?

[L4t3r4lu5]

If you're going to send it off to a marketing agency to send you targeted advertisements based on the content of your call, then yes it damn well should be.

Re:But aren't they addresses?

Even if you have an unlisted number, should it be illegal for someone to write down your number if it shows up on caller ID when you call them?

There's a difference between you giving your number to someone, and someone using your number to find out who you are. I haven't really read the summary, but at first glance it appears that this law makes it so you can't use information in court, which ties an IP address to a name, and specific limitations may apply (e.g. certain agencies may have exemptions, or you can use it if you've been given the permission by the user, etc.).

This law may not prevent you from using the IP address to recognize your customer, but may make it unusable in court.

Basically, this would be great for the piracy movement (by preventing people from having their names associated with their IP addresses) - except that someone already mentioned above that the anti-piracy group is exempt from it... :( [I have not verified the veracity of that claim]

Re:But aren't they addresses?

[turbidostato]

"Isn't the whole point of a publicly routable address to trace to a specific host or gateway? "

Yes. And since the "whole point" is "to trace to a specific host or gateway" that means it has "no point" being used "to trace to a specific person".

Re:But aren't they addresses?

[LaminatorX]

Well, yes and no. Automobile license plates serve a similar function. If my car were used in the commission of a crime I would certainly be investigated as a likely suspect.

Re:But aren't they addresses?

[turbidostato]

"Well, yes and no. Automobile license plates serve a similar function. If my car were used in the commission of a crime I would certainly be investigated as a likely suspect."

A "likely" as in "there's demonstrable relationship between car plates and people we need to take into consideration" is quite different to "here: that's the bastard, we have his car plates".

Link changed?

[tonk]

The posted link didn't work for me, but http://www.dn.se/kultur-noje/nyheter/ny-dom-paverkar-inte-ipredlagen-1.894500 did.

Re:Link changed?

[oh2]

The original article has been removed due to a few errors. The new version is the one you found.

Double edged sword?

[wamatt]

I think overall this is a win for Copyright lobby and not the other way around.

1) Legitimises IP address being tied to account holder. IE lessens the "TOR/ Wifi Defense"
2) APB have gotten an exemption and are now allowed to track IP's.

Re:Double edged sword?

The law just says that IPs can be brought into connection (traced to) induviduals, not that that individual did something.
If you can prove you didn't do anything, you're fine. I don't see a problem here.
The "it could have been anybody because I run a open WiFi"-excuse makes no sense anyway.

Re:Double edged sword?

[shaitand]

You mean aside from the part that you run an open wifi and therefore are a common carrier and it could have been anybody?

um, honeypots and IDSes?

[Loco3KGT]

So are they now illegal in Sweden?

Law of unintended consequences

[Grond]

If you are a server operator in Sweden, this presumably means you also cannot store IPs for later analysis of where your traffic is coming from. Now, you might say that IPs can be geocoded on the fly, but there are other issues:

You also can't log the IPs of attackers. You can't log IPs to analyze botnets. You can't log the IPs of spammers.

There are lots of legitimate reasons for private individuals and companies to store IP addresses. By forbidding it wholesale, the court is demonstrating its technological ignorance.

Finally, I'll just add that it's a common argument here that IPs don't actually correspond to individuals with any certainty because of shared computers, NAT, insecure wireless networks, dynamic IPs, etc. Clearly, the court here decided otherwise, and gave license to the government to record IP addresses. Thus, in future Swedish criminal court cases, it might be assumed that an IP address is sufficient to tie a defendant to a criminal act. I find that prospect much more disturbing than file sharers winding up in civil court on shaky evidence (which, if it's shaky, should easily be rebutted).

Re:Law of unintended consequences

[L4t3r4lu5]

... shared computers, NAT, insecure wireless networks, dynamic IPs

In all of these cases, it becomes the responsibility of the contract holder to ensure that their connection is not used for illegal purposes, kind of like if you lend you friend a car, and he speeds... Oh, wait, that's not right. Kind of like if you buy a shotgun to go pigeon shooting and... Urm, no that doesn't work... Kind of like if you had a series of tubes...

Huh, I guess you're right. Who'd have thought that big media were talking out of their asses?

Privacy in Sweden

[Biotech9]

Sweden has some strange privacy norms. Asking what someone votes for politically is close to a serious faux pa. In fact some people I know have absolutely no idea how their parents or even partners vote. That is a very private thing. But you can look up car owners on a free and public website by registration number, you can go and check tax returns for anyone in Sweden, and see what they earn. On the other hand, religion is another area that you very much leave alone and don't ask about.

Hopefully the IP information will be considered something a little more private, and after the Pirate party did so well in the European elections maybe there is a chance that common sense will prevail and rules like IPRED will be struck down anyway.

Re:Privacy in Sweden

[mikael_j]

This is thanks to something called "offentlighetsprincipen" which is basically the idea that anything related to the government (taxes, car registration, legislation, police records and so on) should be available to the public. One of the main criticism of the EU that tends to be get brought up in Sweden is actually that the EU doesn't work the same way, that there are a lot of things that are withheld from the public in the EU (or at least kept out of reach by bureaucracy and pointless paperwork).

Personally I rather like our system, if its not explicitly classified as secret then anyone can access it.

/Mikael

Re:Privacy in Sweden

[turbidostato]

"Sweden has some strange privacy norms."

Not that I know about.

"Asking what someone votes for politically is close to a serious faux pa."

It's unpolite which is quite different of being illegal. But it is illegal to force someone to tell you where his vote went or trying to guess it by other covered means. What do you exactly see strange here?

"In fact some people I know have absolutely no idea how their parents or even partners vote."

And what that exactly has to be with the legal system? That only means that they have a culture where the political inclination of somebody is so deep into the privacy camp they better give it alone -and I see it as quite a sane position. Exactly the same kind of culture bias, only on a different field: do you know what your parents' little sexual perversions are? is it illegal for me to ask? still, how do you feel about my little inocent question?

"you can go and check tax returns for anyone in Sweden"

And do you see that as a bad thing exactly why? Taxes are a public affair that affect all public stakeholders by its very nature. Probably you won't have so many billionaires paying by not such quite clear maneouvres not so much if their taxes were to be publicly accesible. Since taxes are "the common pocket of all us citizens" how can that be a bad thing? Give it Caesar that of Caesar's...

"On the other hand, religion is another area that you very much leave alone and don't ask about."

Religion *is* a private matter. Compound it with the fact that people, in the millions, have been killed because other people knowing their religious filation, not so far of Sweeden, not so much time ago and I think you'll get a decent picture of the situation.

Bandwidth use up to "normal" in Sweden

[the_arrow]

In related news, the bandwidth usage in Sweden is back up to the numbers before the IPRED law was enacted. Normally the usage is low during the summertime, but apparently not this summer. It is speculated that the increase is because the law is pretty toothless at the moment, and the bandwith usage may decrease if the current investigation goes to court and leads to a conviction.

Obongo firmware update

PARADIGM_REG ^= (1FASCIST_BIT_OFFSET); /*There ya' go, buddy!*/

Re:Obongo firmware update

Well God damnit. Apparently Slashfuck doesn't honor the HTML escape code for double less than, &#171.

Re:Obongo firmware update

Even though the fascist bit defaults to '1' at power-on, be sure to check that another function didn't already unset it. And don't forget to unset the Uncle Tom bit as well.

that's pretty retarded

[buddyglass]

So if I'm running an online forum or game of some sort, I can't drop IP-bans on offensive parties since that would constitute tracking an IP address?

I'm pretty much of the opinion that if you visit my website then you're volunteering your IP address. It's just like if you mailed me a letter or sent me an email. In either case you're supplying a return address.

Re:that's pretty retarded

[jonwil]

Theres a BIG difference between an IP address (which is public information) and account details i.e. the link between an IP address and the account holder that is holding that account at the time (which should NOT be available to anyone without a valid court order or warrant)

Re:that's pretty retarded

[TheP4st]

It's just like if you mailed me a letter or sent me an email. In either case you're supplying a return address.

Huh? In the case of a letter I have to actively write the return address. In the case of email I can spoof the sender address.

Re:that's pretty retarded

[Dunbal]

So if I'm running an online forum or game of some sort, I can't drop IP-bans on offensive parties

      That would be a pretty foolish thing to do anyway. Ban the account, not the IP. Many different people can use the same IP, especially if they're connected via a cable modem. Banning the IP is a lazy, sloppy way to do it.

      Plus you can ban the IP all you want. You just can't use the IP to trace back to an actual person, and then take legal action from there. Of course if a person signed up for an account and agreed to abide by and be bound by your terms of service... the IP doesn't factor in to it. It's then a contract between you and them, which they happened to violate.

Re:that's pretty retarded

[buddyglass]

I should have been more specific. It's comparable to you sending me a letter or email requesting information from me. That is to say, you actually want a response.

Re:that's pretty retarded

[buddyglass]

Many free games allow people to sign up with just an email address. Or not even that, in some cases. For them, the only way to ban someone is via IP range. And, since they're free, it's not as big of a deal that they might accidentally ban other non-guilty parties.

I guess No more GUI Interfaces in Visual Basic

[R4nm4-kun]

"I'll create a GUI interface in Visual Basic, see if I can track an IP address."
Swedish Court Says: No you won't!

Did you read the summary?

[sirwired]

The summary clearly states that the logging of IPs is to be stopped. As a server admin, no, I don't give a damn about the actual ID of a person using an IP. But how am I to "report the IP" that is causing the problem if I can't log IPs to begin with?

SirWired

Re:Did you read the summary?

[CarpetShark]

I'd be very surprised if that applies to tracking IPs on a webserver for normal (non-business/marketing) IT purposes. In the most extreme interpretation, of "without" it, all TCP-based protocols would be useless. In less extreme interpretations, you'd have TCP, but most of the stateful web apps (the ones that use IP as part of their session key) wouldn't work. In the minimal interpretation, you'd have stateful web apps, but you'd have trouble tracking down faults, doing normal system diagnostics, counteracting fraud, assisting police investigations, etc.

Short summary

[oh2]

The original article has been pulled, new one available (In swedish) here

A short summary in english.

This autumn Datainspektionen will start monitoring how the IPRED law is applied when it comes to disclosure of personal information. A recent verdict in the RegeringsrÃtten, Swedens highest applicable court, has upheld Datainspektionens decision that IP adresses are to be considered personal information and therefore protected under law.

In 2005 Datainspektionen ruled that collecting and storing personal information online like copyright advocates were doing was a breach of the Swedish PUL, Personal information act, that regulates how and what kind of information that can be traced to a single individual that can be stored. The antipiracy organizations were quickly granted an exemption though, that expired march 31st. Starting april 1st this year IPRED allows holders of copyright to apply to the courts for this information. Datainspektionen will now monitor closely how any personal information aquired from the courts in this manner is used by copyright holders.

127.0.0.1.bork.bork.bork

I like that IP numbers are protected when they are in Swedish, but I doubt I can keep up the accent.

tried my own take on the translation bit.

...perhaps a little less googlish: http://www.allende.se/blog/2009/06/en-ipred-fant-balanserade/

From the original document in swedish...

Basically APB argues IP addresses are not personal data and can not be linked to actual persons, thus should not be govenerd by the Personal Data Law (or something like that PUL, Person Uppgifts Lagen).

The court ruled that since APB is using IP addresses to sue people who are participating in illegal file sharing, then obviously IP addresses can be linked to persons and are thus protected by PUL.

The PUL law as google translated it:
http://translate.google.com/translate?hl=en&ie=UTF-8&sl=sv&tl=en&u=http://www.notisum.se/rnp/SLS/lag/19980204.HTM&prev=_t

Re:From the original document in swedish...

IANAL but this should be of substantial intrest for server admins:

5 a  BestÃmmelserna i 9, 10, 13-19, 21-26, 28, 33, 34 och 42  behÃver inte tillÃmpas pÃ¥ behandling av personuppgifter som inte ingÃ¥r i eller Ãr avsedda att ingÃ¥ i en samling av personuppgifter som har strukturerats fÃr att pÃ¥tagligt underlÃtta sÃkning efter eller sammanstÃllning av personuppgifter.
      SÃ¥dan behandling som avses i fÃrsta stycket fÃ¥r inte utfÃras, om den innebÃr en krÃnkning av den registrerades personliga integritet. Lag (2006:398).

In English:
Paragraph 5a: The rulings 9,10,..... 42 does not need to be applied on treatment of personal data that is not part of, or is not intended to be part of a collection of personal information that has been structured for searching and or composing of personal data. Treatment of personal data as above is prohibited if it constitutes a assault on the personal integrity of the registered person.

In BOFHish:
Your apache server logs are perfectly legal as long as you don't compose a database of persons and associate ip addresses with other personal information such as names. You can run your log processing scripts and whatever you want on the ip addresses in your logs as long as you don't structure the logs in such a way that they are used storing "personal" information about the ip address.

What might become a legal grey ground is when you start to generate "usage profiles" for IP addresses, structured so that you can query for usage patterns and otherwise personally sensitive information given an IP number.

Before you start spreading FUD and screaming foul, RTFA and GAFC (Get A Fucking Clue).

Consistency

[Arthur+B.]

I oppose intellectual property, but I am often disappointed that most who do are inconsistent,
Many people explained that DMCA makes numbers illegal. Well, so is this. There's nothing wrong with storing IP adresses.

Information about people is information, just because you like privacy doesn't mean there's ethical magic surrounding this kind of information.

Re:Consistency

[shaitand]

This is being misrepresented. This does NOT prevent storing IP addresses. All it does is require a warrant to get the account holder details from the ISP because the account holder has a reasonable expectation of privacy. The same should be the case anywhere.

slopery slip

Next up: Street addresses and telephone numbers are banned.

Re:Partial vs. Total Info

[TaoPhoenix]

An IP address cannot be *definitely* linked to an individual, but it's not totally random either.

What tiny bit I know about someone/anyone's law across multiple countries, I'd want this basic court level protection in place. Then we can go after removing the exemption for the copyright holders, and reinstating basic IT workflow. But the base law might be a step against the privacy-abusing laws that are a *worldwide* rage these days.

Swedish IPs

It doesn't matter that they are protected or not... I can't read Swedish.

Re:Swedish IPs

[cbiltcliffe]

English: 192.168.24.68
Swedish: 192.168.24.68
German: 192.168.24.68
French: 192.168.24.68
Italian: 192.168.24.68

See how easy that was?

The privacy contradiction...

[Glasswire]

Your IP lease expired by DHCP server because the DHCP server violated privacy policy. You will be asked to go to the ISPs website to "opt-in" to have that data persistnant but - whoops - you have no IP to connect with...

I.P. Address is not DNA or a Fingerprint

[Maxo-Texas]

They tie to a computer, not to a person.

And in many cases, they don't even do that.

Maybe

[Junior+J.+Junior+III]

If I can use a standard protocol (ICMP, ARP, etc.) to determine your IP address, and such tools are available to anyone, then it is not reasonable to expect privacy. If I know your host name, I can get your IP. If you're connecting to my services via TCP or UDP, I have your IP, and kindof need it in order to do anything.

On the other hand, server logs with this info in it should be considered private. Your transactions between you and my server are business between you and me. You should have an reasonable expectation that I will keep that information private. I would not divulge the information unless it were required by due process -- a warrant or subpoena or whatever.

I haven't read the court's decision yet, so I'm not sure what they're really saying, but depending on context the information may be reasonable to consider IP addresses in some sense private.

It's not just that they store. It's how and why.

[BlueParrot]

I don't think this has the implications a lot of people think it has. The courts are very able to say that storing IPs with the purpose of protecting yourself against attacks is acceptable, but doing it the way the APB has been doing it is not. In fact, if I'm not mistaken Swedish law actually does specify how information is to be used when you supply a service over the net. ISPs ( as an example ) are required to delete details when they are no longer used. Due to EU directives they may soon be required to store it for 6 months, but regardless it is clear that Swedish law does permit "service providers" to store information for as long as is necessary to supply their service ( and afterwards they are required to delete it). What is considered "necessary" is down to the courts to decide I guess.

It would appear that the courts have simply ruled that APB stored personal details in a manner that is not consistent with Swedish law. I.e, it's not just the fact that they stored it. It is also a matter of how they stored it, and why they did it. I very much doubt that a Swedish court is going to convict you for having an IP ban in your server config as an example.

Oh, and because this is Sweden I don't have to rant about how I'm not a lawyer.

Hallelujah

Can I get a amen!?

Really?

[DaveV1.0]

Then I guess they are busy bringing charges against LiveJournal and every other website that stores IP addresses.

IP is the "Last Frontier"

[macraig]

Once upon a time it was possession and control of land, real estate, that caused friction, conflict, and wars. No more: land is a finite commodity. The new Last Frontier is this so-called intellectual property, where an infinite amount of things to control can be created out of thin air. These things don't require armies of soldiers to control them, instead they require armies of lawyers and expert witnesses. There seems to be an economy of scale to this new IP real estate, though, because it requires a whole lot less investment in hardware and human resources to control this IP than a coveted patch of land with armies and tanks and planes and guns.

implications for

[droidsURlooking4]

!{those who are not{anti{privacy{piracy}}}};

Wrong Interpretation

[The+Raven]

If I understand correctly, this ruling does NOT affect webserver logs, because that person came TO YOU. It would, however, affect the legality of you selling or giving away those logs.

This is analogous to a doctor being able to keep records of his patients, but not able for that same doctor to sell or even disclose those records to a third party.

Semi-official translation of the law in question

Personal Data Act (1998:204)

Swedish vs. English IP adresses?

[ehaggis]

"IP numbers are protected (in Swedish)". I did not know you could translate IP numbers from one language to another! Perhaps you pronounce it with diphthongs.

Re:Swedish vs. English IP adresses?

[selven]

My IP address is LXX.XXVI.CLXXIX.CCVII you insensitive clod!

Re:It's not just that they store. It's how and why

[cdrguru]

I would imagine that storing logs that show someone trying to brute-force attack your server would also be against the law. I would hope that any illegal act would be made pretty much impossible to prosecute because of a lack of identifying information from this.

That is the idea, isn't it?