P.I.I. In the Sky
US District Court Judge Richard Jones's recent ruling in Johnson v. Microsoft has been much ridiculed for saying that IP addresses are not "personally identifiable information" (PII) because they identify computers, not individual users. Legions of critics have pointed out that this is like saying home addresses are not PII because they identify houses, not people. And it was pretty silly for Jones to say that "the only reasonable interpretation" of PII would be to exclude IP addresses from the definition — when, as the plaintiffs pointed out, Microsoft's own website defined PII to include IP addresses. (Microsoft has since removed that definition from their online glossary and replaced it with a link to their privacy statement.)
But the open secret in the privacy tech industry is that nobody knows exactly what "personally identifiable information" means anyway, and nobody cares, either. This is not because industry leaders don't care about privacy and security. They do. But being a good, privacy-conscious software architect has nothing to do with nit-picking the details of what counts as PII. If you're designing the new Hotmail, you should just know that passwords should be encrypted when users log in over the Web, that third parties should not be able to query the Hotmail database and harvest e-mail addresses, that users shouldn't be able to extract personal data such as birthdates that are associated with another user's e-mail address, etc. If you don't instinctively know those things already, then memorizing a definition for "PII" is not going to make you a good security-conscious programmer.
Conversely, the major security threats facing Windows users — malware infection through security holes in Windows and Internet Explorer — have nothing to do with the definition of PII or the finer points of Microsoft's privacy policy. There may even be public relations gurus at Microsoft who are glad to see the "IP addresses as PII" controversy in the headlines, if that relatively minor privacy issue distracts the public from the vastly more serious threats posed by browser security holes.
There are indeed published definitions of "PII" — the US Office of Management and Budget Memo 07-16 defines PII as:
"information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."
But that doesn't pass the test of what makes a good definition, which is: If two different people read that definition, and then you gave them an example of a piece of data (such as the school that someone graduated from), would they usually be able to agree on whether that data counts as "PII?" How about IP addresses? From the written definition alone, there's no way to tell for sure.
I actually worked as a contractor at Microsoft at the onset of the PII craze, and in order to commence working on what would eventually become Windows Live, we all had to watch a streaming video about PII, what it was, how to secure it, etc. Near the beginning, the narrator gave some examples of PII, including e-mail addresses, and mentioned that PII should be encrypted when transmitted over the Internet. (I'm not violating any confidentiality; these standards were all publicly released later.) Full of first-week-on-the-job idealism, I looked up the narrator in the company directory and earnestly typed out an e-mail raising some points, such as: Doesn't Hotmail display your e-mail address over an unencrypted connection when you're signed in to Hotmail? And anyway, because the standard e-mail protocols always transmit To: and From: addresses unencrypted over the Internet, how would it ever be possible to "encrypt e-mail addresses in transit" anyway? Wouldn't it make more sense to specify that individual e-mail addresses can be transmitted in the clear one at a time, but if we're ever transferring a large number of them in bulk, it would be wise to encrypt the list, to reduce the chance of it falling into the hands of a spammer?
Then the video kept rolling, and making more statements that seemed to contradict earlier ones, or that were too vague to give me any idea of what I was actually supposed to do in a given situation, and eventually I got the point: We do care about privacy and security. But, there is no algorithm that can determine unambiguously what counts as "PII" or what you're supposed to do in order to safeguard it. You just have to use your common sense and ask around if you're not sure. The main point of the video is to reinforce how important this is, not to impart any actual information.
So Judge Jones could have picked from many possible definitions of "PII," and nobody would be able to call him "wrong," as long as the industry doesn't know what it means, either. What he was really trying to decide was whether Microsoft violated its promise "not to collect PII" during the Windows Update process, because the IP addresses of users doing the downloads were visible to Microsoft's servers. The plaintiffs made some other claims in Johnson v. Microsoft that I think have more merit (basically, arguing that the "Windows Genuine Advantage" anti-piracy tool should not have been foisted on users without their consent as part of the Windows Update process), but on this particular point, I think they were bound to lose on the claim that collecting IP addresses during a download was a privacy violation. After all, if the judge had ruled in their favor on this point, Microsoft would have had to discontinue Windows Update in order to comply with the ruling, and I don't think anybody wants that.
So, maybe Judge Jones just decided that he didn't want to be known as the judge who outlawed Windows security updates, so he determined in advance that he was going to rule that Microsoft did not violate users' privacy by collecting IP addresses during Windows Update. Then he worked backwards from there to find reasoning that supported this conclusion. That's not really how it's supposed to work, but at least he could have had good intentions.
Unfortunately, the reasoning that he hit on was the absurd argument that IP addresses are not PII because they identify computers, not the people who own them. Here's something that he could have said instead:
"I'm not counting IP addresses as PII, because in order to find out who was using an IP address at a particular time, you have to subpoena the ISP. That's what makes them different from names and home addresses, which can be matched to individual people without a subpoena. As long as Microsoft isn't subpoenaing ISPs to find out who was using a particular IP address, for all practical purposes they are not 'personally identifiable.'"
Judge Jones actually started out in that direction by quoting from another case, Klimas v. Comcast Cable Communications, Inc., where the court wrote, "We further note that IP addresses do not in and of themselves reveal 'a subscriber's name, address, [or] social security number.' That information can only be gleaned if a list of subscribers is matched up with a list of their individual IP addresses." And that list matching up subscribers with the IP addresses they were using at a given time, can only be obtained with a subpoena. Jones could have quit while he was ahead and stuck with that reasoning, and he would have avoided all the ridicule that came from his statement about IP addresses.
Or maybe Judge Jones could have just said,
"Look, you don't have a standard definition for PII anyway. You adapt it to each individual situation, in order to determine what privacy protections should be built into each program, by using your common sense. So that's what I'm going to do in this situation too. And my common sense tells me that having IP addresses visible to Microsoft's servers during the Windows Update process is not a privacy violation, because that's how downloads work."
That's as good a definition of PII as any. Now let's get back to the real work of stopping Russian porno spammers from pwning our machines in the first place.
It's not "absurd" to rule that IP addresses are not personally identifiable information from a legal standpoint for one very simple reason--though IP addresses can be PIIs, they are not always PIIs.
Not that I would recommend anyone doing it, but how would the judge feel if a bunch of internet activists decide to post his home address, since it only identifies a structure, not a person, and his car license plate numbers, since they too identify an inanimate object and so on? With judges like this, I expect judges jokes to overtake lawyer jokes in popularity.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Is this psot personally inedifitable?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
My home address only identifies my house, not me.
I suppose that should just be given out freely as well.
Using IP to identify a person responsible for an internet crime is roughly the same as using a car insurance policy owner to identify the runaway killer.
"A judge rules that IP addresses are not 'personally identifiable information' (PII) because they identify computers, not people. That's absurd,
I think that is not absurd. IP's could be utterly random, changed by anything... there's no process or standard or central authority or anything that guarantees that it's even your computer. In order for you to have a computer identifier that is legally bound to you, you have to go through a quasi government process that has
a) the applicant providing proof of identification
b) the register validating that identification and issuing the ip to the person...
c) payment or proof of payments to associate the identification with the applicant.
d) finally, the ip should remain the property of the applicant, but, the government should track transfers.
If you did all that, then, yes, you might say the ip belongs to a person, because that's the only process that can eliminate reasonable doubt.
This is my sig.
People purchase things and register for services on the Internet. Isn't there the potential for Microsoft to match at least some of these IP addresses/timeframes with real names without a subpoena by comparing notes across their various online services and partnerships?
I share a NAT connection with over 50 other desks at work, most of them are not in the same company. Is my IP address PII?
Seriously, the IP address of a computer in your public library, or a school, or in a house with more than one person, how is that personally identifiable information? Talk about absurd...
... if they don't collect the IP address of the computer requesting the update? Just send it to "the internet" and hope that the routers magically send it to the right computer? Multicast? TOR-WGA?
The real protection of privacy should (IMHO) come from the fact that your ISP ought to require a court order anytime someone wants to look through their DHCP records to match an IP address with a real person. If they don't, then you should take a very hard look at their policy for discretionary (aka, non-legally compelled) disclosure and see if it meets your needs.
This is, incidentally, why the "street address" analogy is somewhat inapt -- there is a public dictionary mapping street addresses to names or, if you are unlisted, they can physically locate you. OTOH, you can't drive to 141.30.219.76 (yes, that's currently my IP -- OMG I posted personal information on the internet.
[ For the wiseasses that are going to whois that, yes, you can figure out what university I'm at right now. That narrows it down to a few dozen city blocks filled with many thousands of students using the school network. I'm fairly confident you couldn't find out anything about me without the IT department's help. ]
If a IP address was determined to be PII, then who's responsible for a multiuser system? Back in college when we accessed email on a single large sun box with pine, there could be 200 students logged in simultaneously. If someone launched an attack from that one box, which of the 200 students is responsible? If I leave my windows PC on, and someone breaks into it (they break into my house etc..) am I all of a sudden responsible? One could extend this to almost anything. If my car runs over an old lady in the street, this does not imply I was at the wheel.
I think the judge is correct. If your car was leaving a crime scene, and the license plate were noted, your defense attorney would correctly note that someone else could have been driving the car. If your IP address is noted doing something nefarious, your lawyer would again correctly note that someone else could have been using the computer. That indicates that the information isn't uniquely identifying.
PII is usually the information that uniquely identifies a person. Name, SSN, and birthdate are the holy trinity of PII, with account numbers for a business close behind. The data security droids usually lump in address and phone, but I think that's an error in reasoning because of the above observation. I think they could correctly be described as sensitive, and certainly businesses and developers should treat them as such. But I don't think addresses and phone numbers are deserving of the protection that your name, birthdate and SSN get, because you can't go open a checking account in my name just by knowing my address.
I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
... what I've seen working for the USDA. We have a program that allows loan officers to run what-if scenarios on a farmer's finances to see if they qualify for loan servicing that would lower their payments on their government debt, minimize the loss to the government. In order to identify a borrower we use their tax-id. We were displaying the last four digits to help a loan officer identify the correct borrower when there are multiple people with the same name living in the same county. A recent policy decision however, ruled that the last four digits are PII and can no longer be displayed, so now our users will be confronted with lists of borrowers that look like the following:
Smith, John
Smith, John
Smith, John
Smith, John
Smith, John
Smith, John
Smith, John
Smith, John
Smith, John
Smith, John
Smith, John
Smith, John
with no way to determine which John Smith is the correct borrower.
Lovely
My home address is not randomly assigned to me every time I come home from work. Plus, there is quite a bit of information around mortgages, tax documents, etc that tie me to my home address. Sorry, but the link between IP address and a person is pretty weak. Under certain circumstances it may be possible to prove a link between IP and PII. But as a general rule it is not as strong as home address.
Does this mean that illegal activity originating from an IP address tied to me cannot be used in court as evidence against me? (Like in the RIAA cases?)
In the age where we're constantly discovering new botnets. Where most computer owners probably couldn't tell if their computer is being controlled by someone else (can most experts even be sure?) how can you say that an IP address is personally identifiable in a legal context? I guess if you can prove that 1) a computer had that IP address at the moment in time in question 2) Another computer didn't have the same IP address at the same time (always fun) 3) The computer was not compromised by an entity unknown to the user 4) The person you're trying to identify was using the computer at the time.
If we're talking about what information a corporation is allowed to collect, sell, etc from its customers without authorization, then IP addresses are not personally identifiable.
If, on the other hand, we're talking about the ability of RIAA or MPAA plaintiffs to identify someone as engaging in copyright infringement, then IP addresses always identify a particular person who is responsible.
I am officially gone from
The more absurd thing would be comparing an ip address to a home address. Unlike a home address, an ip address can not be easily spoofed. Nor can it change on the flip of a coin. Although service providers usually continuously reassign the ip address through DHCP, doesn't mean they always do. Ip addresses don't even identify computers, they identify devices on the network. Today, routers and hubs are used almost everywhere, meaning that the ip address isn't even identifying the computer it is identifying the router. MAC addresses would be more effective, but they can be spoofed just like an ip address. Plus if you use a proxy server, both this servers become even harder to find. Not to mention someone could be on another person's computer.
Just because you are wrong and I called you out on it doesn't mean I am a Troll.
Sounds like a fantastic precedent to me. The only thing the RIAA has to identify the people they sue are IP addresses. The judge said IP addresses cannot be used to identify people. You can't sue a computer. This is a wookie. Case closed.
Under federal law, all federally owned or federal contractor owned computers now have to protect PII. this means all sorts of nuisances on your computer as well as big penalties for you personally if you lose a laptop and the PII was not adequately secured.
fortunately e-mail addresses, phone numbers, and yes EVEN names of people are, interestingly not PII. can you imagine if they were? likewise IP addresses are not PII.
I think people just don't understand the concept of PII, they misinterpret the ill chosen term. PII is not something that would normally place you at risk if revealed. Sure a spammer could spam your e-mail or DOS your IP address but that's not what they mean. If someone knows things associated with your security like your SS ID, that is considered PII.
I think that the show is on the wrong foot with regard to SS. Basically the SS number has been overloaded with too many uses to the point where you basically have to tell people it, yet you actually are made vulnerable by this. Something needs to be done about SS numbers so they don't have to be PII.
Some drink at the fountain of knowledge. Others just gargle.
"A judge rules that IP addresses are not 'personally identifiable information' (PII) because they identify computers, not people. That's absurd..."
Absurd? Sorry, call me absurd too then. I have to agree with the judge, sort of. An IP address identifies a node on a network, not necessarily a computer, but I believe the judge is correct in pointing out that they do not identify people.
Proverbs 21:19
I believe the author of this article misunderstands the motivations of the judge. This case seems to me to have very little to do with Microsoft and their security updates and everything about the judge wanting to set a legal precedent for future, unrelated cases. If he had ruled that an IP address was P.I.I., it would mean that a person could be found guilty of crimes, held civilly responsible for transactions and a whole slew of other things based entirely on the IP address of the computer that had acted online. Although an IP is a very good clue as to who might have been acting online, it is *only* a clue.
How is that "absurd"?
PII requires a 1:1 matchup with a PERSON.
In the course of a single day or week, how many people use a single external IP address at an Internet Cafe?
I think the ruling is correct - PII is no more personally-identifying than the street address of (possibly) an apartment building.
-Styopa
The author suggests this:
There are several problems with this. First, reliance on common sense and deference to the individual situation creates uncertainty, which in turn invites litigation. Such non-rules create problem spaces that can only be mapped through large amounts of expensive trial and error. Well defined rules eliminate uncertainty and discourage litigation by making the result obvious from the outset.
Second, this is a district court case. The district judge is concerned with the specific problem in front of him or her: are IP addresses personally identifiable information or not. The district court has neither the time nor the need (nor the authority, really) to create rules with broad scope.
Third, this case isn't about the meaning of 'personally identifiable information' generally. It's about the meaning of the phrase within the Windows XP End User License Agreement. The ruling is about construing the language of a contract, not privacy law as such.
Fourth, this is a federal court case dealing with a state contract law issue, in this case the law of the state of Washington (note the judge's citations to Washington contract cases like Seabed Harvesting v. Dep't of Natural Resources and Elliott Bay Seafoods v. Port of Seattle). When dealing with a state law claim, the federal courts are supposed to apply the law of the state as it would be applied by a state court; they are not empowered to make new state law. Erie Railroad v. Tompkins. Thus, it would be wrong for a federal court to make broad statements about the meaning of the term 'personally identifiable information' in contracts under Washington state law. Instead, the judge did the right thing and addressed only the specific problem at hand.
The difference between an IP Address and identifiable numbers (Street Address, License Plate Number, Telephone Number, SSN, Student ID, Credit Card #) is that IP addresses aren't exclusive to people. IP addresses are allocated to organizations, not end users. AS Numbers are allocated to organizations, not end users. A single IP address doesn't distinctly identify a user in any way and could be used by thousands of different people in the course of a day or less. And you can not tie an IP to a specific person in order to give it this purpose, just not technically feasible. The only thing an IP address can identify is the organization it's been allocated to and possibly what hosts have used that address.
I don't know everything.
You could still link other information to a person however. In the Thomas / RIAA case, there was enough evidence to link her user name "tereastarr" to other accounts of hers, such as email. In this case, the IP address wasn't even necessary. You can't sue a computer, but with enough other evidence you can link a computer to a person, or an online account to a person. These filesharing cases aren't over just yet, but it certainly makes it a lot harder for them to have a case (i.e. unsecured wireless network)
Global warming and other natural disasters are a direct effect of the shrinking number of pirates - Gospel of the FSM
Seems to me that an IP address is not PII. A specific IP address, even coupled with say MAC address, user name of a currently logged-in user, and handfuls of other information that could be subpoenaed from an ISP are in no way some kind beyond-doubt identification of who is using the computer. At best, you can only guarantee which computer is being used, but there is no way to prove who was actually using it, especially if the connection is in some public domain, like a wi-fi hot spot, a library, etc.. This may not be particularly relevant to the case, but couldn't ruling that IP address is PII possibly set a precedent for future jurors to make uncertain convictions and unfair rulings based on IP addresses or other uncertain bits of information?
Again, I don't know much details of the case, what microsoft was using the data for, what their privacy policy states, etc, but gathering IP addresses of users that connect to your server seems fair and discrete, in my opinion.
If the judge was presiding over a DMCA case, and ruled that IP addresses didn't constitute personally identifiable information and therefore wouldn't support an RIAA subpoena, the same exact people ridiculing the judge here would completely reverse their decision and praise the decision.
I reject the author's premise that programmers don't need to care about the definition of PII. It's true that PII is a different issue from technical application security, but that's like saying that because fuel efficiency isn't crash safety auto engineers don't have to worry about fuel efficiency.
(You know you wanted a car analogy.)
It would be correct to say that PII is a business concern rather than a technical one, but I for one don't trust software developers who don't understand their business.
The correct reasoning to resolve this case, IMO, is to consider it implied (or, failing that, give MS a slap on the wrist and require them to make explicit) that the ban on collecting PII doesn't apply to situations where such collection/use is necessary to provide the requested service. That's the basic model HIPAA uses, and for all its flaws I can't imagine anyone arguing that HIPAA were too permissive. Then it no longer matters if an IP address is PII.
Doesn't this provide a handy precedent against the RIAA?
If IP's aren't personally identifiable, as a matter of legal precedence, then isn't trying to tie a person to an ip de facto not possible?
Seems to me the courts can't have it both ways.
Soulskill's comment is absurd. Suppose that you go through all of the above and establish your IP as your identity.
Now anyone who is able to crack into your system is you, in the eyes of the Court.
Even Soulskill would have to be uncomfortable with that.
there are no less than 8 people who have the key to my network, and at any given time there are half a dozen computers connected to it between me and my roommates and the upstairs neighbors so to say that my internet facing IP positively identifies any of us is "absurd". I will however be positively delighted if my IP is ever used as evidence against me in court, because it carries with it more than enough reasonable doubt.
i have a roll of electrical tape.
Answer the following: I have a total of 8 computers turned on and active in my home. Two of those computers are virtualized on one server. Including me, I have 3 adults living here at home. Please tell me specifically which one of us 3 adults is at which computer, whether or not they are using a virtual machine, a laptop or one of my servers, and at what time of day we're using the PC based only on the IP address leased by my router.
After pondering the article, and a few of the links, what seems to be the point is intent. If ancillary information is gathered, necessary in supplying a service, with sufficient safe-guards in place, then its OK. The problem I see with this approach is that, as the old saying states, "The road to hell is paved with good intentions", though any particular service provider may have both insufficient PII for identification purposes, and has put in place what they consider sufficient safe guards, the "Russian Porno Spammers" are intent on hacking sites and are more than likely compiling partial PII information across web sites. This would allow them to write the life history for anyone who's sufficiently active on the internet (though they'd more likely simply steal everything the individual owns).
This is where a uniform standard would be beneficial, so that what is available anywhere is controlled. This ideally would come out of the industry than government, simply because they are more likely to be more on top of the situation.
It just established precedent that IP addresses are not PROOF that someone is online. This could be a powerful weapon in the MPAA/RIAA lawsuits.
An IP address does only identify a computer (for dynamic IP addresses it's not even enough - you also need the time+date), not a person.
Tying an IP address to a person rather than computer requires that you have separate evidence tying the person to the computer at that time. Of course if it's a static IP address in a private home (as opposed to library, or other public place), it does rather narrow down who may have been using it (once you've proved it wasn't being spoofed).
Of course given that IP addresses, and even MAC addresses, are spoofable/changeable, I'd hope they're not taken at face value in court. Who's to say that the criminal act using "your" IP address was not done by a script kiddie spoofing your IP address?
On its own an IP address is really more of a circumstantial link to a computer (and indirectly to a person) than a direct one. It's kinda like saying that a glove found at a crime scene matches one bought by a defendant, without proving that it's actually his glove, or that he was the one wearing it when the crime was committed.
I believe that if programmers are told that PII is important to think about, then they will care. And they should be told that it is important.
The problem with a definition of "PII" is that the term kind of implies that it is information that can identify a person. That is not the real issue. The problem is that it is usually the correlations across information that are used to identify people. Thus, PII is really about the whether the data (the "information") can be correlated with other available information, and thereby identify someone.
Thus, you can't really create a list of "PII data elements" and leave it at that. If the data can be correlated with other public data and used to identify people with the data, thereby uncovering facts about people that are not expressly published, then the data should be considered to contain PII. This is not well understood in the industry.
- Cliff (author of High-Assurance Design)
If IP isn't identifying a person, how can an IP address be used in court cases by the RIAA to identify the defendant?
If it CAN be used to identify the defendant, then it's PII.
Context, people.
The flip side of what I've posted a dozen times elsewhere: Just because something isn't PII, wouldn't mean that it necessarily can't be used as evidence in a trial (especially at the standard for evidence in a civil case).
This is a case about privacy law, not standards of evidence. The two are essentially unrelated.
Just because a home address can be assigned to you (the home does not move BTW) does not mean you are guilty of a crime that originates from your home. Trying to identify an individual by IP address is absurd. Finally a judge that understands the internet is a series of pipes. WTF.
Thank god the case has precedential value for any court anywhere. Oh wait.
I'm all for using the IP address of my neighbor's open wifi as PII for my illicit activities :D
No sig for you!!
To add to the confusion, IMO, PII rules were introduced for 2 main reasons.
1) Identity theft
2) Harassment
The previously mentioned holy trinity of ID - name, DOB, gov id (SIN, SS, etc) are valuable tools to impersonate someone - typically for illegal financial gain. Into this bucket was added information like credit card numbers (I believe in Canada it is now illegal for merchants to throw out credit card slips that contain the full number - they must be shredded), bank account numbers, etc.
Addresses and phone numbers fall into the second category. While helpful in ID theft, they are not vital as often the thieves make up new addresses to prolong their discovery. However, they are valuable to marketers - and keeping them unsecured, or worse openly sharing (selling) them without the customer's permission is what generates a lot of the crap mail and phone calls we receive.
I would put email address in the second category, and IP addresses in neither.
An IP address cannot be used to open a fraudulent bank account or steal goods by charging someone else. Nor can it be used to send you unwanted solicitations. Therefore I agree with the judge that IP addresses are not PII (the reasoning is as mentioned vague).
I'm in my right mind and I have the answer to everything!
Plugins
Plugins for Mozilla® Firefox® help your browser perform specific functions like viewing special graphic formats or playing multimedia files.
They can enhance your browsing experience by allowing animation or they can help with tasks such as validating your genuine Microsoft® software.
That's kind and nice of MS!
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
That anyone being set up for anyone being sued by the entertainment industry. I think once the judges start reading this as part of any deference then it will knock away 90% of these fallous lawsuits.
I have mod points and I am not afraid to use them.
Tor - privoxy or any many-to-one NAT setup shoots the IP / PII argument full of holes.
I was thinking the same thing.
/. started allowing Trolls to post articles?
/..
I further wonder when
Not only is the article poster wrong that it identifies a person, it doesn't even identify a device. Only a MAC address will identify a device. For example, I have at my home:
1) one temporary IP address, which remains the same most of the time, but does change a few times a year at least,
2) a wired router,
3) a wireless router,
4) a headless gateway/ firewall computer,
5) a wired network, with several devices hooked up,
6) a wireless network with several devices hooked up.
All of these devices share one, count it, one real IP address. So which of these dozen or so devices is uniquely identified by the IP address? Furthermore, at least three of the devices allow multiple accounts (Linux/Windows PCs) and users. So please tell me who, among the many users, including the limited weak password protected anonymous user account access on the wireless router, is the person uniquely identified by that changing IP address?
This is without a doubt the dumbest article I have EVER seen on
Here's the problem with that analogy:
Someone can be using my computer at the same time as me without my knowledge if my machine has been infected with malware.
It'd be rather obvious if some random stranger was trying to use my car at the same time as me. Even if you want to stretch the analogy and try to make it work, it would be more like you noticing that for the last 6 weeks, you have had to get gas more frequently, and though you haven't actually taken note of the odometer, you think someone is borrowing your car every night to go joyriding or something. You can't prove it easily, but you think something is up.... then there is a knock on your door. It's the police.
You see, in this second, slightly more accurate, analogy, your defense that someone else may have been using your car would be more valid. You would include testimony about the odd increase in gas usage, the fact that you are certain you haven't driven as many miles in the last month that your car indicates you did, and that you think someone has been stealing your car every night because it's not always quite where you left it when you come out in the morning.
A bit absurd for a car analogy, but not at all insane for a computer to be doing things you are unaware of.
Before commenting on the Bible, please read it first
Ok, let's put this in context, I've seen car registrations pointed to here, so I'll start there.
An automated radar gun catches your car speeding at 70 mph in a 45 zone, and the camera only gets the license plate for whatever reason - does that give the state the right to issue a warrant in a similarly automated manner for the owner's arrest? No. Because the car, the license plate, and the VIN might be registered to one person, but the infraction may have been executed by a car thief, a run-away teen, or a spiteful soon-to-be-ex-spouse. This is why a pair of cameras are part of speed cameras, because a face is personally identifiable (putting the questions about adopted procedures aside).
The same thing could be applied to IPs or hell even if each machine had its own ID, only on a larger scale. The time to download some movie is not insignificant, but could be hidden out of sight of roommates, siblings, what have you if need be. Shared machines using the same IP might have separate logon info to subpoena, but what if the final steps of a damaging hack job were executed from a library public machine? It becomes more complex than the IP alone, and the same mentality should be the default approach when dealing with private IPs. IPs are not personally identifiable, because no one beside those physically present can identify who was operating the device at the time. Even logon information may have been compromised (surely /.'ers know many people who don't use secure passwords at home), leading to a potential stream of framing/fraud crimes when the system is exploited for its naïve scope.
In short, the operator is at fault, not the machine being commanded. If we want to move to biometric logons as the norm, that will be quite expensive for such a small issue.
"Thus, for households in which the computer is used primarily by one adult, an IP address is personally identifiable in that knowing the IP address (in conjunction with information from the ISP) makes it more likely than not that the adult in question was using the computer at the time the transaction with that IP was logged."
That's loaded with a whole bunch of assumptions.
First, the IP address that is public is the NAT'd address, thus, at best it identifies a pool of 1 to as many as 255 computers. While that may be ridiculous, let's be more realistic. If 2 adults and 2 teenage kids live in a house, it's fairly common for each of them to own their own laptop computer.
So if you say "IP address a.b.c.d was used to copy our music illegally", in the absence of any additional information, you narrowed it down to 4 people. But wait: it gets more complex if you have roommates who are not related to each other; there is no consideration that as a minor the parent may be responsible.
However, it's more complex than that. An IP address is changed regularly by an ISP, in absence of definitive logs from the issuer, it can't be considered reliable. Who owned address a.b.c.d at a particular time?
In the end, at best an IP narrows down the list of possible people from 5 Billion people down to perhaps several dozen. Useful for an investigator, but if I was on a jury, I wouldn't convict someone purely on the basis of an IP address, regardless of a judge's instructions.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
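The attribution problem raised in the comment above (a NAT'd address plus ISP reassignment over time), as an added example that is not part of the original thread: it resolves a logged IP to candidate subscribers and devices depending on which logs are available. All addresses, names, ports and log records are constructed, and the data layout is an assumption for illustration.

```python
from datetime import datetime as dt

# Constructed sample data: ISP DHCP lease log (public IP -> subscriber over time).
LEASES = [
    ("203.0.113.7", "subscriber-A", dt(2009, 7, 1, 0, 0), dt(2009, 7, 9, 12, 0)),
    ("203.0.113.7", "subscriber-B", dt(2009, 7, 9, 12, 5), dt(2009, 7, 20, 0, 0)),
]
# Constructed sample data: subscriber-B's home router NAT log
# (public source port -> internal device over time).
NAT = [
    (40001, "laptop-1", dt(2009, 7, 10, 20, 0), dt(2009, 7, 10, 20, 30)),
    (40002, "laptop-2", dt(2009, 7, 10, 20, 10), dt(2009, 7, 10, 21, 0)),
    (40003, "guest-wifi-client", dt(2009, 7, 10, 20, 15), dt(2009, 7, 10, 20, 20)),
]

def subscribers(ip, when=None):
    """Subscribers that held `ip`; every past holder if no timestamp is known."""
    return sorted({sub for addr, sub, start, end in LEASES
                   if addr == ip and (when is None or start <= when <= end)})

def devices(when, port=None):
    """Internal devices with an active NAT mapping at `when` (optionally one port)."""
    return sorted({dev for p, dev, start, end in NAT
                   if start <= when <= end and (port is None or p == port)})

def attribute(ip, when=None, port=None):
    """Narrow a logged (ip, time, port) to subscriber and device candidates."""
    subs = subscribers(ip, when)
    # The constructed NAT log belongs to subscriber-B only, so device-level
    # narrowing is possible only once the lease log points at that subscriber.
    devs = devices(when, port) if when and subs == ["subscriber-B"] else []
    return {"subscribers": subs, "devices": devs}

if __name__ == "__main__":
    t = dt(2009, 7, 10, 20, 17)
    print(attribute("203.0.113.7"))            # IP alone: two subscribers
    print(attribute("203.0.113.7", t))         # + timestamp: one subscriber, three devices
    print(attribute("203.0.113.7", t, 40002))  # + source port: one device, still not a person
```

Even the narrowest result names a device, not the person operating it, and a timestamp that falls in the gap between two leases resolves to no subscriber at all.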
Repeat after me: Privacy is not binary. The IP address assigned to my computer is not assigned to anyone else. It is personally-identifiable because there is a good chance an investigator could come up with my name. That doesn't prove that someone's record of this IP address corresponds to my own actions, but the very fact that I could be identified solely with that address means that it's personally identifiable information. It is a breach of privacy--a small breach, but a breach nonetheless.
Anyone told the RIAA and MPAA (and their attorneys) yet?
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
"I actually worked as a contractor at Microsoft"
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)