Slashdot Mirror

← Back to Stories (view on slashdot.org)

Judge Rules IP Addresses Not "Personally Identifiable"

Posted by Soulskill on from the what-about-the-ip-on-the-chip-in-my-head dept.

yuna49 writes "Online Media Daily reports that a federal judge in Seattle has held that IP addresses are not personal information. 'In order for "personally identifiable information" to be personally identifiable, it must identify a person. But an IP address identifies a computer,' US District Court Judge Richard Jones said in a written decision. Jones issued the ruling in the context of a class-action lawsuit brought by consumers against Microsoft stemming from an update that automatically installed new anti-piracy software. In that case, which dates back to 2006, consumers alleged that Microsoft violated its user agreement by collecting IP addresses in the course of the updates. This ruling flatly contradicts a recent EU decision to the contrary, as well as other cases in the US. Its potential relevance to the RIAA suits should be obvious to anyone who reads Slashdot."

47 of 436 comments (clear)

  1. Yup by FredFredrickson · · Score: 5, Insightful

    So on one end of the stick, you've got privacy advocates who hate Microsoft, who are thinking that collecting our IP addresses is wrong and violates our privacy.

    There's more to it, though. Any sys admin could explain... Imagine trying to have a conversation with somebody by mail. They couldn't respond if they didn't take note of the return address, no? Fact of the matter is, for strictly technical reasons, use of the IP address is required.

    But... For statistical and anti-abuse reasons, a log of IP addresses is kept (on any server, really). But don't get all pissy at microsoft for doing so. I mean, almost every site on the net keeps an http log, it's the default setting! The fact is, if you don't want them knowing who you are- I've got an idea- don't contact their servers.

    You have a reasonable right to privacy, but you lose that right when you're in public. You don't get to get pissy when a store's security cameras capture your image. I rarely hear anybody complain about other people seeing you while you're at the grocery store. But the fact is: these small dings in privacy are neccessary to operate. You don't need to go in public. And you don't need to connect to somebody's server.

    Now the real problem TM
    An IP address DOES identify a computer- but not the way the judge thinks. My IP address identifies my router, which in turn owns 5 to 6 computers. With the wireless open, it could refer to the whole neighborhood, for all I know/care. They need to revise, an IP address identifies a NETWORK, but not neccessarily conclusively any particular computer.

    So there's another level there. Not only is an IP address not good for identifying a person, but it's rather useless to discover a particular computer either. (Now, there are cookies and other tracking mechanisms, but they're not fool proof..)

    But hey, at least this is a step in the right direction. Anyway, it doesn't really matter whose computer an IP address identifies, if the feds pick up on your ip they'll just take every machine in your house anyway.

    --
    Belief? Hope? Preference?The Existential Vortex
    1. Re:Yup by Jugalator · · Score: 2, Insightful

      They need to revise, an IP address identifies a NETWORK, but not neccessarily conclusively any particular computer.

      A network endpoint, yes.

      So there's another level there. Not only is an IP address not good for identifying a person, but it's rather useless to discover a particular computer either.

      I agree about this, and that's why I think the methodology RIAA is using *should* not really hold in court. They should really provide them with name and date ranges, forget about the IP addresses, it's just an Internet Protocol technicality and should be treated as such.

      --
      Beware: In C++, your friends can see your privates!
    2. Re:Yup by sakdoctor · · Score: 4, Funny

      IPv6 addresses should be like MAC addresses for people.
      Issued at birth, and tattooed onto your ass.

      Actually I hope the RIAA aren't reading this. It will give them ideas.

    3. Re:Yup by fredklein · · Score: 2, Interesting

      as far as the credit card company is concerned that little piece of plastic just identifies an account not a person.

      Correct.

      However- Each account is specifically linked to one person. (Sometimes more for joint accounts, but you get the idea.) The agreement you make with the card company usually says something along the lines of 'the person named on the card is the only authorized user of the card...' SO, if they trace certain activity to the card, they can be reasonably sure who used the card.

      There is no such guarantee when it comes to IP addresses. As someone else posted, their IP is to their router, with 5-6 PCs behind it. Wireless confuses the issue more. Tracing certain packets to a router does NOT tell them what PC it came from, much less who was using that PC.

    4. Re:Yup by eln · · Score: 2, Interesting

      IF the person has a home network, then it only identifies that network. If the person lives alone and only has one computer, it does effectively identify the person.

      Also, it's generally understood in legal circles, and is spelled out in most ISPs' TOS agreements, that the account owner is ultimately responsible for any activity originating from that connection. So, since an IP address can be used to identify a particular DSL/cable/dialup/whatever line, it can effectively be used to identify a person.

      Things get muddier when talking about open wireless access points, but in general it's been held that if you open up your wireless connection, you're responsible for any illegal activity people might use it for. You only escape responsibility if you've taken some measure to restrict access and the perpetrator has defeated it.

      Even if you don't buy any of that, identifying the home network itself is already an invasion of privacy. It may not identify you personally, but it almost certainly identifies your family or the group of people living in your house. Isn't that an invasion of privacy?

    5. Re:Yup by cml4524 · · Score: 3, Insightful

      Contradict just means to take a contrary position. The multiple definitions of contrary allow for the word to be used accurately in this context, in the sense that the opinions are opposite of one another. It does not necessitate, however, that those opinions cause any sort of conflict.

      In other words, they are contradictory in the sense that they stake opposite positions, but not in the sense that one opinion will overrule or clash with the other.

    6. Re:Yup by Sir_Dill · · Score: 2, Interesting
      Consider this for a moment.

      I have a business class internet account at home. It comes with static ips which resolve back to my domain name which....guess what...IS PERSONALLY IDENTIFIABLE.

      So under many situations an IP address is not personally identifiable, there are also many where it is.

      I use an anonymizing service to keep my personal information out of whois, but that still doesn't mean my home IP address isn't uniquely identified as "belonging" to me.

      I tend to think of an IP address like a phone number. Are phone numbers considered personally identifiable?

      if yes then IP addresses should be treated accordingly.

    7. Re:Yup by Penguin+Programmer · · Score: 2, Informative

      An IP address DOES identify a computer- but not the way the judge thinks. My IP address identifies my router, which in turn owns 5 to 6 computers. With the wireless open, it could refer to the whole neighborhood, for all I know/care. They need to revise, an IP address identifies a NETWORK, but not neccessarily conclusively any particular computer.

      A router is still a computer. An IP address identifies a computer. Whether that computer has other computers connected to it, and forwards traffic from those computers using its IP address, is an entirely separate matter.

    8. Re:Yup by R0UTE · · Score: 2, Funny

      An IP address DOES identify a computer- but not the way the judge thinks. My IP address identifies my router, which in turn owns 5 to 6 computers.

      That's a kick ass router, I wish my router would get a job and buy more computers.

    9. Re:Yup by Anonymous Coward · · Score: 4, Funny

      tattooed onto your ass

      Your butt crack can then be interpreted as the :: part in the middle of abbreviated addresses.

    10. Re:Yup by Shadowland · · Score: 2, Funny

      > IPv6 addresses should be like MAC addresses for people. > Issued at birth, and tattooed onto your ass. Wouldn't that make them IPv666 addresses? IP address of the Beast. :^)

    11. Re:Yup by fredklein · · Score: 3, Informative

      In case of your examples that is not too hard to prove/disprove: did the person keep the computer reasonably up to date? Can't expect installing patches the minute they are released but at least within a reasonable time span. Did the person have anti-virus, anti-spyware or other security software installed, running and kept up to date? Did they read the manual that came with said wireless device before plugging it in?

      Gaddammit, I paid $200 for this 'Winders XP' thing. Now you're tellin me I gotta 'Update' my 'Patches' and thingerwhoose why whatzits?? Anti-spy ware? What am I , a secret Agent? I paid a lotta money for it! It should just work!! I shouldn't have to buy anything else! I shouldn't have to READ anything. It should work right when I plug it in!!

      (If you think I'm exaggerating, you don't work in techsupport or any kind of Customer Service).

    12. Re:Yup by hedwards · · Score: 2, Interesting

      I've got mixed feelings about this. On the one hand I would consider this sort of monitoring questionable in terms of privacy issues. But on the other hand if this interpretation is upheld it represents a serious set back to the RIAA in its endeavor to bring lawsuits against alleged pirates.

      At some point there'll have to be a determination as to which is it, evidence that somebody in particular was online or not a form of identifying people. We can't have it both ways. So, all in all it's probably a good thing, if for no other reason than the issue might finally be resolved in the legal sense.

    13. Re:Yup by zmollusc · · Score: 5, Funny

      ... but my butt crack only has one colon. :-(

      --
      They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
    14. Re:Yup by wvmarle · · Score: 2, Insightful

      There is a difference between "the device works out of the box" and "the user knows how to use it". Big difference.

  2. Anonymous Coward by Anonymous Coward · · Score: 2, Insightful

    Addresses aren't personal information! They point to a house or an apartment, not a person!

  3. Sure, it's not personal at all by AtomicDevice · · Score: 5, Insightful

    If this is true, I suppose addresses and license plates aren't personal either, they just identify cars and houses, it's not as though those things usually contain the same people. Or what about phone numbers, that really only identifies my phone, not me the individual. And when you stop to think about it, my email is really just a code so the mailserver knows where to put some bytes it receives, it doesn't really have anything to do with me.

    --
    Ze Atomic Device! It iz Ztolen!
    1. Re:Sure, it's not personal at all by Anonymous Coward · · Score: 3, Interesting

      I feel as though your tone is completely sarcastic, but perhaps it isn't. However, yes indeed your license plate and address are not personal information with an implicit right to privacy. They are public records. I can go to the DMV and look up your license plate to get owner information, and I can go to your local municipality and get owner information about your address. Do you get where this is going?

    2. Re:Sure, it's not personal at all by Reason58 · · Score: 5, Insightful

      A license plate, street address and phone number are both unique and tied to a specific person until the person chooses to end that connection. An IP address (dynamic) is randomly assigned to a user and then changed with little or no control from the user's end. This isn't IPv6. Everyone can't be issued a permanent address when they sign up for an ISP.

      Beyond that, you are aware that cars and the like can't be ticketed, right? If you run a red light and are caught on camera they have to be able to determine who is driving the car for it to be valid. Simply having the plate will not work. The same does not apply to IPs, however. They do not have to prove that it was actually you who committed the act, only that at one point in time you had been randomly assigned that IP.

    3. Re:Sure, it's not personal at all by idontgno · · Score: 2, Interesting

      And the network equivalent of the "It was my car, but I wasn't driving" defense is "someone haxx0red my (system|network)". Or, maybe, the "secure my wireless network? what do you mean?" defense.

      Historically, how well has the "I wasn't driving" defense worked out?

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    4. Re:Sure, it's not personal at all by wtfamidoinghere · · Score: 4, Insightful

      Addresses are not personal. They can be connected to you in some ways, but are not personal per se. For instance, when you get a bill by mail, you have the mail address AND the person name to whom the service is registered. Imagine a situation like this: gunshots are reported as being shot from address x; does that automatically implies the owner did the shooting?

      License plates and phone numbers are more or less the same. I'm sure you can come up with some examples of your own to illustrate.

      As for your email, that one is on a diferent level. With email you're supposed to have identification AND authentication. (name + password)

    5. Re:Sure, it's not personal at all by gcatullus · · Score: 5, Insightful

      Depending on state law (at least in the US) you can be ticket for certain things on the basis of license plate. You can be ticketed as the owner of the vehicle. The most obvious ticketing here would be for parking. The meter maid doesn't care who parked your car by the fire hydrant. you will still have to pay fines. This is the same principle as charging the owner of an internet account for nefarious deeds done using an IP address that was assigned to him.

    6. Re:Sure, it's not personal at all by zarmanto · · Score: 3, Informative

      I think the "it's my car, but it wasn't me" is a valid defense, and why I so loathe red light cameras and photo radar. All an investigator can say from either of these is that a specific car was captured on film.

      Quite so... and in some jurisdictions, red light cameras can be disputed very readily, specifically because of this issue. If your car is caught running a red light, and your teenage kid was the one driving the car, then the ticket can be invalidated by a very simple process: You (as in, the vehicle owner) sign a notarized affidavit stating that you were not the person driving the vehicle at the time of the traffic infraction, and you mail that back to the address indicated on the ticket that was mailed to you. The ticket is immediately dismissed without question.

      Of course, in my example above (and frankly, in most cases) the owner of the vehicle knows perfectly well who the driver of the vehicle was... so the premise behind these mailed out tickets is that the owners outrage at the person who ran through the red light is going to exceed their outrage at the system which misidentified the owner as the person who violated the law. So the number of people who avoid the fine by taking the trouble to actually get a signed affidavit is likely negligible compared to the profitability of the cameras overall.

      (Unfortunately, I can't really find a good way to relate all of that to the primary discussion about IP addresses...)

    7. Re:Sure, it's not personal at all by IchNiSan · · Score: 2, Informative

      They will just break your windows!

    8. Re:Sure, it's not personal at all by dotgain · · Score: 2, Interesting
      In New Zealand it works similarly, except you must provide information about the person who was driving, or that it was stolen at the time, again in a notarized affidavit. Seems reasonable, barring the theft of it you should be aware of every person that drives your car.

      Say the car was involved in a fatal hit/run or bank robbery, it's not going to do you much good to say that anybody could have been driving your car. Similarly if you left your keys in it and it was stolen, you are somewhat liable for making your car too easy to steal.

  4. A question... by geminidomino · · Score: 4, Interesting

    Could this decision be referenced to disqualify the IP as evidence when the MAFIAA goes after someone based on IP addresses they got from WhateverMediaSentryIsCalledNow?

  5. Sure by ringm000 · · Score: 2, Insightful
    A vehicle registration number identifies a car, not a person.

    A phone number identifies a phone, not a person.

    A postal address identifies the location of a building, not a person.

  6. I'm confused... by clone53421 · · Score: 2, Interesting

    Identifying my computer doesn't identify me personally by inference?

    I'm sure this could come in handy in court eventually.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    1. Re:I'm confused... by JumpDrive · · Score: 2, Insightful

      Because you are the owner of the computer.
      They have never gone after a said individual, but the owner of a computer. Remember the case where the ladies kids were downloading all the crap. She wasn't responsible because she was the guardian of the children, she was responsible because she was responsible for the computer.
      So if your room mate uses your laptop to download a bunch of music via your computer, you will be held responsible, until you can prove that your roommate had equal access and usage of the computer.

  7. Am I the only one? by DarrenBaker · · Score: 3, Interesting

    Seems logical to me. An IP address no more identifies a person than a house address identifies one. It's tying those two together for investigative purposes that should be illegal without a warrant.

  8. Spartacus-1138 by Junior+J.+Junior+III · · Score: 4, Funny

    I am 192.168.0.1!

    No, I am 192.168.0.1!
    No, I am 192.168.0.1!
    No, I am!
    I am!

    --
    You see? You see? Your stupid minds! Stupid! Stupid!
    1. Re:Spartacus-1138 by istartedi · · Score: 2, Funny

      I am 192.168.0.1

      That's the IP of my gateway. I am the keymaster are you the gatekeeper?

      --
      For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    2. Re:Spartacus-1138 by crimsonknave · · Score: 3, Funny

      I am 127.0.0.1!

      No, I am 127.0.0.1!

      No, I am 127.0.0.1!

      No, I am!

      I am!

      There, fixed that for you.

  9. Re:Not all that relevant to the RIAA by geminidomino · · Score: 2, Insightful

    An IP does not identify the user but it will identify that it's someone's computer doing to sharing (once you've a court order getting the User's details).

    How so? If the precedent stands that IP address is not personally identifiable information, then how do you identify the user based on it (to the court's satisfaction?)

  10. Largely irrelevant to RIAA litigation by Grond · · Score: 5, Interesting

    It is true that an ip address identifies a computer or possibly, as another poster pointed out, a router behind which could be many computers, but that fact is largely irrelevant to file sharing litigation. The plaintiffs in those cases do not have to have ironclad evidence that it was the defendant sitting at the computer sharing the files. Instead, the plaintiffs merely have to show that it is more likely than not (aka preponderance of the evidence, 50% + 1) that it was the defendant.

    Thus, if the defendant lives at home and only rarely has guests that use his or her computer, it's very likely that a jury will accept that it is more likely than not that the defendant was the one who shared the files, not a guest or an unauthorized user of the wireless network, especially if the files are found on the defendant's hard drive. More complex situations come closer to the line, of course, but in most cases it's fairly clear who the most likely culprit was.

    But, even if the defendants live in an apartment with a communal computer or network shared equally by multiple long-term residents, all of whom use the same file-sharing user account, it is not necessarily up to the plaintiff to prove which specific defendant shared the files. A long standing rule in tort law from the case Summers v. Tice, 33 Cal.2d 80 (1948) establishes that where the plaintiff can prove that multiple defendants were negligent, the burden shifts to the defendants to prove which one actually committed the injury. It is quite possible that the file sharing case plaintiffs will be able to successfully argue that it is up to the various users of a computer to prove who actually shared the files or else they will all be jointly liable. This is especially likely if it can be shown that all of the defendants were aware of the file sharing program and the infringing nature of the files.

  11. Legal code for this by Kupfernigk · · Score: 5, Funny

    private static String getRuling(LitigationObject individual, RichLitigationObject evilCorporation) throws NYCLException {
    if(individual.sues(evilCorporation)) {
    return "IP address is not personal identification";
    } else if(evilCorporation.sues(individual) {
    return "IP address is personal information";
    } else return "Please submit amount available to donate to my election campaign";
    }

    --
    From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
    1. Re:Legal code for this by Anonymous Coward · · Score: 2, Funny

      Q: How do you make a RichLitigationObject?
      A: Inherit from a LitigationObject.

  12. Is this really a bad thing? by Millennium · · Score: 2, Insightful

    Think about it: according to this judge, an IP address identifies a computer (as others have pointed out, "network endpoint" would be a more correct term), not the person behind it. Although this makes it easier for the **AA to collect IP-address information, it also makes such information a lot less useful, because by itself it leaves a hole big enough to establish reasonable doubt. The IP address can establish what computer was used, but it does not prove that the defendant was the one operating the computer in that capacity. Especially in an age of botnets and malware, there's a lot of doubt here unless you can establish a stronger link, and the IP address won't help you on that score.

    That leaves open the question: does this really strengthen the **AA, or does it actually hamstring their tactics? This may remain to be seen.

    1. Re:Is this really a bad thing? by SeeSp0tRun · · Score: 2, Insightful

      Again, your IP address (or mine anyway) is to the network endpoint that the ISP is not responsible for afterward. In this case, it will identify your network.

      I believe it is said that "Ownership is 9/10 of the law." In this case, a computer with your billing information, or an IP address for that matter, ties it (indirectly) to you. If my neighbor is on my computer at home, viewing kiddie porn, someone is going to be held liable.
      If I fail to remember that my neighbor had used my computer that week/day/whatever, you bet your ass I am going to jail.

      While a warrant would (and should) not be needed to collect IP addresses, the warrant should be needed to connect them to billing information, and therefore individuals.

      --
      Something witty.
  13. The IP is a lot like a license plate by istartedi · · Score: 4, Insightful

    If all they have is a picture of your license plate, that doesn't prove you were driving. We should use this ruling as precedent to get out of automated tickets when there is no clear picture of your face.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  14. And a STREET Address? by Philip+K+Dickhead · · Score: 5, Insightful

    Identifies a HOUSE!

    Not personally identifiable? Right! No reasonable analogy?

    The Judge needs a head check.

     

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
    1. Re:And a STREET Address? by Anonymous Coward · · Score: 2, Funny

      well i guess i can spoof downloading some kitty porn from your ip address

      Somebody call PETA!

  15. Couldn't this be a potentially good thing? by billlava · · Score: 3, Funny

    If the court ruled that IP addresses aren't personally identifiable, then couldn't some crafty lawyer argue that it can't be used to personally identify any defendant? I can hear the courtroom defenses now... "I didn't download and share 10 million hours of music, your honor. The computer located at 10.187.13.37 did."

  16. Re:How is this significant to RIAA cases? by _avs_007 · · Score: 2, Insightful

    IP address identifies "a" computer, but not "whose" computer... For all the RIAA/ISP/etc knows the IP address could've been spoofed. Similar to dropping a letter in the mail at the post office with a forged return address. RIAA can say the letter contains pirated copyrighted material and go after the person who owns the house address listed as the return address, but that doesn't meant they got the right person.

  17. Re:You want to bet? by Volante3192 · · Score: 2, Insightful

    Yes, we do get to get pissy.

    We just can't do anything about it other than choose not to shop there.

  18. Re:Oddly good news ... ? by jsalbre · · Score: 2, Informative

    If I were the prosecutor, I would go after WHO is responsible for the hardware. And if they claim to not be the perpetrator, then I would require them to identify who it is (since they are responsible for their connections/hardware/etc).

    Luckly that's not how it works. The burden of proof is on the prosecution, not the defense. If they don't have proof that it was you (which, from this ruling should no longer include an IP address) then you go free. You don't have to proove that it was someone else, just prevent them from proving it was you.

    --
    Jeremy http://alucinari.net
  19. It takes more than an IP address to make a case by rvel · · Score: 2, Interesting

    This will have no effect on RIAA cases. I believe the RIAA investigators use an IP address to identify an alleged lawbreaker, then grabs their hard drives and looks for evidence of file sharing, illegal downloads, etc. You cannot simply convict someone for illegal online activity simply because they have the same IP address as an alleged abuser. In this context, an IP address is like a license plate. Example: someone is involved in a hit-and-run. The cops track the license plate to your house and checks your car for damage.