P.I.I. In the Sky

Frequent Slashdot contributor Bennett Haselton writes "A judge rules that IP addresses are not 'personally identifiable information' (PII) because they identify computers, not people. That's absurd, but in truth there is no standard definition of PII in the industry anyway, because you don't need one in order to write secure software. Here's a definition of 'PII' that the judge could have adopted instead, to reach the same conclusion by less specious reasoning." Hit the link below to read the rest of his thoughts.

US District Court Judge Richard Jones's recent ruling in Johnson v. Microsoft has been much ridiculed for saying that IP addresses are not "personally identifiable information" (PII) because they identify computers, not individual users. Legions of critics have pointed out that this is like saying home addresses are not PII because they identify houses, not people. And it was pretty silly for Jones to say that "the only reasonable interpretation" of PII would be to exclude IP addresses from the definition — when, as the plaintiffs pointed out, Microsoft's own website defined PII to include IP addresses. (Microsoft has since removed from that definition from their online glossary and replaced with a link to their privacy statement.)

But the open secret in the privacy tech industry is that nobody knows exactly what "personally identifiable information" means anyway, and nobody cares, either. This is not because industry leaders don't care about privacy and security. They do. But being a good, privacy-conscious software architect has nothing to do with nit-picking the details of what counts as PII. If you're designing the new Hotmail, you should just know that passwords should be encrypted when users log in over the Web, that third parties should not be able to query the Hotmail database and harvest e-mail addresses, that users shouldn't be able to extract personal data such as birthdates that are associated with another user's e-mail address, etc. If you don't instinctively know those things already, then memorizing a definition for "PII" is not going to make you a good security-conscious programmer.

Conversely, the major security threats facing Windows users — malware infection through security holes in Windows and Internet Explorer — have nothing to do with the definition of PII or the finer points of Microsoft's privacy policy. There may even be public relations gurus at Microsoft who are glad to see the "IP addresses as PII" controversy in the headlines, if that relatively minor privacy issue distracts the public from the vastly more serious threats posed browser security holes.

There are indeed published definitions of "PII" — the US Office of Management and Budget Memo 07-16 defines PII as:

"information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."

But that doesn't pass the test of what makes a good definition, which is: If two different people read that definition, and then you gave them an example of a piece of data (such as the school that someone graduated from), would they usually be able to agree on whether that data counts as "PII?" How about IP addresses? From the written definition alone, there's no way to tell for sure.

I actually worked as a contractor at Microsoft at the onset of the PII craze, and in order to commence working on what would eventually become Windows Live, we all had to watch a streaming video about PII, what it was, how to secure it, etc. Near the beginning, the narrator gave some examples of PII, including e-mail addresses, and mentioned that PII should be encrypted when transmitted over the Internet. (I'm not violating any confidentiality; these standards were all publicly released later.) Full of first-week-on-the-job idealism, I looked up the narrator in the company directory and earnestly typed out an e-mail raising some points, such as: Doesn't Hotmail display your e-mail address over an unencrypted connection when you're signed in to Hotmail? And anyway, because the standard e-mail protocols always transmit To: and From: addresses unencrypted over the Internet, how would it ever be possible to "encrypt e-mail addresses in transit" anyway? Wouldn't it make more sense to specify that individual e-mail addresses can be transmitted in the clear one at a time, but if we're ever transferring a large number of them in bulk, it would be wise to encrypt the list, to reduce the chance of it falling into the hands of a spammer?

Then the video kept rolling, and making more statements that seemed to contradict earlier ones, or that were too vague to give me any idea of what I was actually supposed to do in a given situation, and eventually I got the point: We do care about privacy and security. But, there is no algorithm that can determine unambiguously what counts as "PII" or what you're supposed to do in order to safeguard it. You just have to use your common sense and ask around if you're not sure. The main point of the video is to reinforce how important this is, not to impart any actual information.

So Judge Jones could have picked from many possible definitions of "PII," and nobody would be able to call him "wrong," as long as the industry doesn't know what it means, either. What he was really trying to decide was whether Microsoft violated its promise "not to collect PII" during the Windows Update process, because the IP addresses of users doing the downloads were visible to Microsoft's servers. The plaintiffs made some other claims in Johnson v. Microsoft that I think have more merit (basically, arguing that the "Windows Genuine Advantage" anti-piracy tool should not have been foisted on users without their consent as part of the Windows Update process), but on this particular point, I think they were bound to lose on the claim that collecting IP addresses during a download was a privacy violation. After all, if the judge had ruled in their favor on this point, Microsoft would have had to discontinue Windows Update in order to comply with the ruling, and I don't think anybody wants that.

So, maybe Judge Jones just decided that he didn't want to be known as the judge who outlawed Windows security updates, so he determined in advance that he was going to rule that Microsoft did not violate users' privacy by collecting IP addresses during Windows Update. Then he worked backwards from there to find reasoning that supported this conclusion. That's not really how it's supposed to work, but at least he could have had good intentions.

Unfortunately, the reasoning that he hit on was the absurd argument that IP addresses are not PII because they identify computers, not the people who own them. Here's something that he could have said instead:

"I'm not counting IP addresses as PII, because in order to find out who was using an IP address at a particular time, you have to subpoena the ISP. That's what makes them different from names and home addresses, which can be matched to individual people without a subpoena. As long as Microsoft isn't subpoenaing ISPs to find out who was using a particular IP address, for all practical purposes they are not 'personally identifiable.'"

Judge Jones actually started out in that direction by quoting from another case, Klimas v. Comcast Cable Communications, Inc., where the court wrote, "We further note that IP addresses do not in and of themselves reveal 'a subscriber's name, address, [or] social security number.' That information can only be gleaned if a list of subscribers is matched up with a list of their individual IP addresses." And that list matching up subscribers with the IP addresses they were using at a given time, can only be obtained with a subpoena. Jones could have quit while he was ahead and stuck with that reasoning, and he would have avoided all the ridicule that came from his statement about IP addresses.

Or maybe Judge Jones could have just said,

"Look, you don't have a standard definition for PII anyway. You adapt it to each individual situation, in order to determine what privacy protections should be built into each program, by using your common sense. So that's what I'm doing to do in this situation too. And my common sense tells me that having IP addresses visible to Microsoft's servers during the Windows Update process, is not a privacy violation, because that's how downloads work."

That's as good a definition of PII as any. Now let's get back to the real work of stopping Russian porno spammers from pwning our machines in the first place.

not absurd

It's not "absurd" to rule that IP addresses are not personally identifiable information from a legal standpoint for one very simple reason--though IP addresses can be PIIs, they are not always PIIs.

Re:not absurd

[A.+B3ttik]

How are VINs (Vehicle Identification Numbers) treated?

Though I guess that would still be more applicable to MAC Addresses than IP Numbers. How are License Plates treated?

Re:not absurd

[Smidge204]

The license plate analogy only makes sense if people are required to register their computers/internet enabled appliances as they are with vehicles.

Even then, the license plate only identifies the car and owner, not the operator. It is entirely possible that a vehicle may be used by someone other than the registered owner.
=Smidge=

Re:not absurd

[Mister+Whirly]

Having a VIN or a license plate number will not tell you who is in the car. It may give you a good idea, but it can't tell you exactly.

Re:not absurd

[Comboman]

Even then, the license plate only identifies the car and owner, not the operator. It is entirely possible that a vehicle may be used by someone other than the registered owner.

Which often doesn't matter. If you loan your car to someone and they get caught by a red light or speed camera, you will get the ticket in the mail and arguing that you weren't the one driving will not get you off (except maybe if you reported the car as stolen).

Re:not absurd

[HTH+NE1]

It's not "absurd" to rule that IP addresses are not personally identifiable information from a legal standpoint for one very simple reason--though IP addresses can be PIIs, they are not always PIIs.

When I had Internet access in college, the IP addresses assigned to students in the residence halls had DNS records that gave the student's name, the name of the residence hall, and room number. You could request an alternate record be added, but you could not have that information removed. made unavailable to anyone who could run nslookup. I'd expect more such institutions to do the same as a deterrent against sharing of files illegally (they don't have to deal with subpoenas, enough public information is in the DNS for the RIAA to serve the student directly).

I hear that, some years after graduating from that college, they finally realized that your social security number should not be used as your student ID number on a card you need to carry while on campus.

Re:not absurd

[_avs_007]

Which often doesn't matter. If you loan your car to someone and they get caught by a red light or speed camera, you will get the ticket in the mail and arguing that you weren't the one driving will not get you off (except maybe if you reported the car as stolen).

BS. California statutes define the violator as the operator of the motor vehicle, NOT the registered owner... and yes I have gone to court over a photo radar ticket, where I wasn't driving, and got the ticket dismissed.

Re:not absurd

[_avs_007]

When I had Internet access in college, the IP addresses assigned to students in the residence halls had DNS records that gave the student's name, the name of the residence hall, and room number. You could request an alternate record be added, but you could not have that information removed. made unavailable to anyone who could run nslookup. I'd expect more such institutions to do the same as a deterrent against sharing of files illegally (they don't have to deal with subpoenas, enough public information is in the DNS for the RIAA to serve the student directly).

You make it sound like IP addresses cannot be and are not spoofed.

Re:not absurd

[Joe+U]

That's very tough to do locally if the network is managed in a very strict manner.

Re:not absurd

[HTH+NE1]

Their system kept track of what MACs were using what IP addresses. If you were caught using an IP address not assigned to you, your MAC could be banned. When I worked for their Internet Services department, one of the tasks I was given was to check that database for consistency. And to get access, you have to give them your MAC so their DHCP server could match you to your assigned IP.

Of course, it's possible to falsify your MAC and I've seen evidence of people doing it in their database (e.g. 00:00:00:10:00:00 was one) but most users don't know how and would either resolve the problem with IS or buy themselves a new NIC (and likely get it banned too). If you didn't do anything like trample on someone else's IP address or use an IP in a reserved range you'd be fine.

A few years ago, they told the RIAA that that information was not tracked. Maybe they stopped tracking it after I left. IIRC their web interface for accessing the logs just used grep. I do know they had started monitoring traffic volume by protocol before I left and considering throttling protocols.

Or it could have been a wireless IP address. They'd just started setting up access points around campus, and I don't think they went through the same logging DHCP server that the wired network did.

Re:not absurd

[BatGnat]

Australian law:

when you receive a ticket by mail, it will actually tell you to send in a statutory declaration if you were not the driver at the time of the infringement, and to name who was driving. A judge got busted recently here for using a dead person as the alternate driver.

Re:not absurd

[_avs_007]

In California (and Oregon and Washington), they will also give you a form and tell you to name the person driving... However, technically, you are not required to do so... You can make your own affidavit and just say you weren't the person driving... The statutes I linked to above, ONLY say that the "driver" is guilty of the offenses... It does NOT obligate anybody to identify the person driving. That is the POLICE OFFICER's responsibility to determine that.

Re:not absurd

[4D6963]

Can a zombie drive my car?

Re:not absurd

[marka63]

Actually it will get you off provided you identify the actual driver. There are even standard forms to fill out to provide this information which are sent with the infringement notice.

Re:not absurd

[Jeruvy]

AGREED. If you EVER get forced (or think you're being forced) to fill one of these out, put "Bill Gates" name down and his address (if you have it). Done.

psot?

[Hognoxious]

Is this psot personally inedifitable?

Re:psot?

[Midnight+Thunder]

Is this psot personally inedifitable?

I know that was meant to be a joke, but in reality that depends on how many people use your account, and whether the information in your account is correct. I can make certain assumptions, but only an investigation would prove the correctness of my assumptions.

The problem with IP addresses is that if it is static then it could either identify a subnet if NATed or a single computer and then who is to say there isn't more than one person using the machine? If it is dynamic then, depending on the duration of lease, over a time period it could be referencing different subnet or computers, in addition to the scenarios pointed out for static addresses.

Re:psot?

[dyingtolive]

Not the content itself, but your name might be. Are you the Hognoxious of Arkansas?

Re:psot?

[Icegryphon]

Yes, but only because of the bad spelling and username.

Re:psot?

[Hognoxious]

Dang! Forgot to check "Post Anonymously!".

Where were we? Ah, yes - if you're referring to the Razorbacks fanatic I'm aware of him, but I came up with the name independently.

Re:psot?

[dyingtolive]

Yeah, I was going to say something about the unhealthy obsession with sports not going along too well with the frequent posting to Slashdot. I'm guessing the amazon profile is you though. Between the programming books on the wish list and the Ayn Rand book, it screams Slashdot subculture.

Absurd?

[ghrom]

Using IP to identify a person responsible for an internet crime is roughly the same as using a car insurance policy owner to identify the runaway killer.

Re:Absurd?

[mea37]

However, that has nothng to do with the case at hand. PII doesn't mean "evidence of who was responsible for some action".

Knowing that a particular IP address was used in a particular IP violation (har) does not, in and of itself, prove that the Bill Johnson, to whom that address is assigned, committed the crime. In civil court it's a pretty good start, though - and more to the point, something doesn't have to prove a direct connection to be PII.

What makes the judge's reasoning absurd is, it would apply equally well to things we know are PII. Example:

Knowing that John Smith was robbed at 123 Elm St. doesn't mean that Bob Jones, the resident at 123 Elm St., robbed John Smith. However, 123 Elm St. is considered PII - if a healthcare provider released the information that they shipped xanex to 12 ELm St., they would violate HIPAA because this would strongly imply that Bob Jones has certain medical conditions.

Re:Absurd?

[gfxguy]

Except that it would be less so if it were an apartment building, for example, unless it included a unit number, if it didn't have the actual name on it.

Likewise, while your neighbor can steal your mail, it's a lot harder for you neighbor to, for example, subscribe to a porno magazine and have it delivered to your address and successfully steal just that porno from your mailbox on the exact day that it shows up just to avoid embarrassment, than it is to steal someone's wifi.

In fact, neighbors don't often share mailboxes, but I'd bet a lot of people, in small groups, willingly share their internet access because it's very easily done, not illegal, and can be very cost effective.

Then you have the issues with drive-bys and so forth... it's just not quite the same as your street address.

Re:Absurd?

[mea37]

You know what, go read the background of the case. None of the points you're raising have anything to do with the actual material being discussed. It is not about proving that someone is responsible for a given action.

As for your belief that an address sans apartment number wouldn't be PII - not so in the medical industry (as one example). In fact, a ZIP code can often be considered PII.

Re:Absurd?

[kent_eh]

You know what, go read the background of the case. None of the points you're raising have anything to do with the actual material being discussed. It is not about proving that someone is responsible for a given action.

True, but a precedent like this in a privacy case can drastically affect future judgments in a seemingly un-related "who is responsible" type case.

I would disagree with the premise.

[tjstork]

"A judge rules that IP addresses are not 'personally identifiable information' (PII) because they identify computers, not people. That's absurd,

I think that is not absurd. IP's could be utterly random, changed by anything... there's no process or standard or central authority or anything that guarantees that its even your computer. In order for you to have a computer identifer that is legally bound to you, you have to go through a quasi government process that has

a) the applicant providing proof of identification
b) the register validating that identification and issuing the ip to the person...
c) payment or proof of payments to associate the identification with the applicant.
d) finally, the ip should remain the property of the applicant, but, the government should track transfers.

If you did all that, then, yes, you might say the ip belongs to a person, because that's the only process that can eliminate reasonable doubt.

Re:I would disagree with the premise.

[Em+Emalb]

what can they use? What's the one thing that never changes? Even Mac addresses can change, just replace the hardware.

It's tough. However, in most cases, unless the ISP does something, the average home user will get the same DHCP IP address for as long as they leave their computer on and it can auto-renew.

Re:I would disagree with the premise.

[FlyingBishop]

If you read the whole article (why would you do that, I know) he gets into that in the end.

What he's saying is that if it does identify a computer, it's patently absurd to say that that does not necessarily identify a person. An address does not necessarily identify a person either, just a house. But it remains PII.

If you did all that, then, yes, you might say the ip belongs to a person, because that's the only process that can eliminate reasonable doubt.

Actually, the courts have already ruled (in the Jammie Thomas case, as well as countless RIAA lawsuits) that IPs do in fact identify people.

But TFA goes on to give several more logical explanations of why it is not PII.

Re:I would disagree with the premise.

[Monkeedude1212]

"information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc"

Re:I would disagree with the premise.

[Grond]

Reasonable doubt may be the standard in American criminal cases, but it is not the standard in a civil case such as the one being discussed here. In an American civil case the usual standard is preponderance of the evidence, which is a 'more likely than not' or '50% + 1' standard.

Thus, for households in which the computer is used primarily by one adult, an IP address is personally identifiable in that knowing the IP address (in conjunction with information from the ISP) makes it more likely than not that the adult in question was using the computer at the time the transaction with that IP was logged. The problem is that many households have multiple computers and/or multiple users and information from the ISP is necessary to tie an IP to an individual or household. So Microsoft, which had only the IP addresses, did not have personally identifiable information.

Re:I would disagree with the premise.

Even with the process you outline it would be difficult to prove that the IP address belonged to an individual since spoofing an IP address can be a relatively simple proposition.

Additionally, I would argue that in most cases IP addresses do not even identify computers but rather access points for computers. In my home we have a minimum of 4 computers that are running on a regular basis all using a single IP (as far as the outside world is concerned at least). Add to that the number of insecure and/or improperly configured wireless access points that are available I don't know how you could even begin to assume that an IP address is PII.

Re:I would disagree with the premise.

[samurphy21]

Untrue. You identify an internet device. Just because an IP was used to perpetrate an act, you can never use that information to link to a person. Anyone can be sitting at a keyboard, or using a smart phone, or tapping an ipod, not just the "owner" of the device.

If my computer's IP was used to steal personal information in a phishing scam, not even mentioning that the computer could be doing this unbeknownst to me while I'm sitting here, anyone else who has physical access to my home, legally or otherwise, could be using this computer at any time.

Re:I would disagree with the premise.

[marsdominion]

D*&*%$*@# it. I hate when I forget to login in the morning

Re:I would disagree with the premise.

[Opportunist]

No, but in that case it's likely that simply ALL the computers in the household are to be confiscated and examined. This way or that, the IP address finally leads to the person who did it. It may not be personally identifyable, but it leads to a small enough subset that searching all of the individuals becomes feasible.

That's like saying there's a culprit in that bar, let's search everyone for the weapon.

Re:I would disagree with the premise.

[tjstork]

households...

So, could I not spoof somebody else's IP address so long as they are on my subnet?

What if somebody spoofs mine?

I don't think its so clear cut.

Re:I would disagree with the premise.

[mea37]

Aaaand the standards for what is PII are even looser. Even something that is insufficient as proof of identity in a civil case could still be PII. This is not a story about someone introducing an IP address as evidence of responsibility for wrongdoing in a trial. It is a case about whether MS violated its privacy policy by collecting IP address information.

This information is present in the summary, and quite evident in TFA. It's also spelled out in the previous article on the matter. It's been repeatedly pointed out in the comment threads of both articles. I can only assume that we've spent so many years arguing about the viability of IP's as evidence at civil trial that we've lost teh ability to understand that it isn't the only legal context in which an IP address could be discussed.

Re:I would disagree with the premise.

[Demonantis]

I also think Jones failed to touch on the usable life span of a IP address and nuances of a IP address. Critics compared an IP to a home address fails to consider these major points. A house address changes hands slowly(Weeks). IP addresses can change hands every minute(or less) if the user desired to have that ability. As well, proxies could be likened to PO boxes making them completely unidentifiable. Unfortunately its not clear when an IP address has been used as an proxy making everything much more chaotic.

Re:I would disagree with the premise.

[Bigjeff5]

In court, and especially in civil cases, far-fetched allegations - like "what if someone spoofed my ip? - are discarded without any evidence suggesting that. In a criminal case, knowing a guy who has told you about doing that sort of thing would lead to an investigation and maybe some evidence and further investigation. In a civil case, you don't just have to introduce doubt, you have to introduce enough doubt that it is more likely than not someone else who did it.

That's hard to do when it is your personal computer on your home network.

In other words, unless you have some kind of evidence to the contrary, it's pretty clear cut.

Re:I would disagree with the premise.

[Bigjeff5]

Routers often have an internal log, and at the very least there is the routing table, which matches subnet IP to MAC address, and often maintains routes for a period of time. Worst case you can find the router and say "This IP leads to one of these four computers" or whatever. From there the likely individual can be found, and further evidence can be gathered.

Furthermore, far-fetched allegations like "But what if someone spoofed my IP?" are ignored if there is no evidence to the fact. Just making the claim does not count as evidence, and the court will rightly ignore it if you cannot come up with any evidence. That crap won't even work in criminal cases, do you think it will work in civil court?

IP addresses are personally identifiable to about the same degree as a home address is, and it should be treated as the same in both in court as evidence and by privacy laws, though obviously the specific applications will be quite different.

Re:I would disagree with the premise.

[Bigjeff5]

While that is certainly possible, that is rarely the way it actually happens. It is a bit far fetched to think you will be able to convince a jury that what is possible, but not practical and may not even be feasable, is actually what happened in your case. It would take a good deal of real evidence suggesting such, evidence that probably doesn't exist because it never happened.

A great many people have a permanent or near permanent static IP address from their ISP. Also, when an IP address is dynamic, usually the lease time is in the day or week range (an IP lease policy in the sub-single day range could kill an ISPs network with DHCP requests), and when a new IP address is requested usually the leased address is simply renewed, unless the machine that was to have an IP address assigned to it was offline at the time the lease expired. It then receives a new IP address if the old address has already been given away. If it hasn't, though, it generally recieves the same address.

What this means is that in the days of "always on" connections and home routers, even a dynamic IP usually doesn't change for weeks or months. ISPs also keep records of what IP address was assigned to what account during what times.

If you think the fact that you have a dynamic IP address assigned to a router serving three computers accessable by 5 people is going to protect you, you are very sadly mistaken. If your computer is accessable to 50+ people, or a known IP spoofer lives in your area (they are very rare, it's a horrible defense), you may have a point, and you may be able to sneak by if those people spend as much or more time on the machine they identified as the culpret as you do. But more than likely, even then they have enough evidence to sieze your computers and network equipment and inspect it.

Also bear in mind that destruction of evidence can be used as circumstantial evidence against you. If you just happened to re-format your hard drive the same day you got that subpoena, you're gonna be screwed in court. Ask Jamie Thomas.

"Whatifs" don't count as evidence in court, and are generally completely ignored if there is no evidence. Sorry.

Re:I would disagree with the premise.

[marsdominion]

Sure, you could try and use the router to match up IP with MAC, but spoofing a MAC address is even easier than spoofing and IP address. Or have we so quickly forgotten the days when ISPs limited our high speed accounts to one machine and we had to change the MAC addresses on our cable routers to match what was on our computer so we could hook up more than one? The main (and significant) difference between an IP address and a home address is that you have legal responsibilities regarding a home address. When you enter into an agreement to purchase or rent a home, you go in knowing what address you will have and for how long. Somebody doesn't come along every few days/weeks/months and tell you to "get your stuff, we are moving you to a new address". When you sign an agreement with an Internet service provider, there is nothing in your agreement that says that you will be responsible for what happens with a specific address and they reserve the right to change your address whenever they want.

Re:I would disagree with the premise.

[HeronBlademaster]

You don't even need to change the hardware to change MAC addresses. IIRC Linux can spoof any MAC address you want, if you set it up; at least, the two Linux-based router firmwares I've used let you do that. I'm assuming this is a Linux thing and not a router-specific thing.

Re:I would disagree with the premise.

[HeronBlademaster]

Actually if the police know that a murderer is in a specific bar with the murder weapon, but they don't know who it is specifically, it's pretty likely that they're going to lock the place down and search everyone (perhaps after obtaining a quick warrant), or at the very least they're going to question everyone.

Re:I would disagree with the premise.

[samurphy21]

You're assuming that only those with physical access to a machine can perpetrate crimes from that machine. What about people who have rootkits and viruses on their computers, unknowingly spamming and phishing and reporting back to another person? From the victim's standpoint, it would appear that I was the guilty party, if IPs were IIP, but I am completely unaware of any wrongdoing other than, in this example, being a complete numpty about software security.

That point alone throws out the entire concept of IIP.

What about the fact that I also have a single IP for my household, connected to my wireless router. Anyone driving by my home could crack the encryption and use my IP to perpetrate all kinds of nasty stuff. No fault of mine. I took all reasonable precautions (and even if I didn't, I can't be to blame, legally. You can't sue someone for using WEP or going unencrypted on their WLAN).

Re:Postal addresses identify houses!I

[Joe+U]

Sure, as soon as his home address and car license plates randomly shuffle while requiring an ISP to give you the rest of the information about the location.

Then you can go and post the information.

NAT

[Joe+U]

I share a NAT connection with over 50 other desks at work, most of them are not in the same company. Is my IP address PII?

Re:NAT

Yes, now get back to work.

And hope Joe in the next cube isn't a pervert.

Re:NAT

[Joe+U]

It's a rent a desk office. Of course he's a pervert.

Re:NAT

[0racle]

You share a building with 50 other desks at work, most of them are not the same company. Is that buildings address PII?

Is your home address?

Re:NAT

[Talderas]

I work in Indiana, but I believe my IP address shows my place of work to be residing in Arizona. In fact, we don't own any property in Arizona.

Re:NAT

[Joe+U]

Work office building, no. Work office building, with office and desk number, yes.

Apartment building, no. Apartment building and apartment number, yes.

Re:NAT

[mea37]

Where privacy law is concerned, you are wrong. You're making assumptions about how closely information has to lead someone to you to be PII, and those assumptions don't conform to the meaning of the term.

In some contexts, even ZIP code alone can be PII.

Re:NAT

[Joe+U]

I'm basing my assumptions on that, while yes, a zip could could in theory personally identify me when combined with other information, there's no chance it would be able to on its own. I think the same applies to IP addresses.

Re:NAT

[mea37]

Maybe. Now go read the definition of PII as it pertains to privacy law, and you will see that you've just agreed that an IP address could be PII, regardless of NAT.

Re:NAT

[Joe+U]

Like I said, it could be, but only with other information.

On its own, it's not very useful, and honestly, I think IP addresses should be public record and easily available, I also think the ISP should have to jump through hoops to give out the rest of the info.

Re:NAT

[mea37]

No, you're not understanding what the term PII means.

If we agree that IP, with other information, could lead to identity, then IP alone is PII.

PII is a legal term; its meaning is not tied to the intuitive assumptions you appear to be making.

Re:NAT

[Joe+U]

You're trying to make me read some law that I don't want to spend time doing. :)

Lets skip over it, you win.

Can someone please fix the law now, because it's broken. IP addresses on their own don't identify people, they identify routers and computers, mostly routers with lots of computers behind them.

Re:NAT

[mea37]

I guess I don't see why you think a law is broken, just because it puts the label PII on something that does not by itself identify an individual.

In a privacy context, this is generally considered a feature and not a bug.

Re:NAT

[Joe+U]

I guess I don't see why you think a law is broken, just because it puts the label PII on something that does not by itself identify an individual.

It puts the label of Personally Identifiable Information on something that isn't, that's the definition of broken.

Re:NAT

[pwfffff]

If it depends on the context then it wouldn't really be the ZIP code ALONE, now then would it?

Re:NAT

[mea37]

It does no such thing. You are assuming the label means something it does not, and was never intended to, mean.

In fact, you're assuming that there is an external definition of the label PII by which the application of that label could be judged, when in fact it is a technical term with no meaning other than that given it by the law.

Re:NAT

[Joe+U]

Thank you for reminding me why I dislike legislators.

Re:NAT

[mea37]

Glad to help.

Re:NAT

[HeronBlademaster]

Something is PII if it can be used in conjunction with something else to identify a person. So, for example, by itself, a zip code is nearly useless. Similarly, a street address by itself is (usually) useless. However, when used together you can suddenly identify a household; thus, they're both PII.

There's actually a good reason for this. Company A releases a list of zip codes where it sells Something Embarrassing. Months or years later, Distributor B releases a list of street addresses (without zip codes) to which it has delivered products from Company A.

A crafty person could find suitable overlaps of zip code and street address in those two data sets, and find out that it's highly probably that Senator Palpatine of 123 Main Street in the 00032 postal area purchased Something Embarrassing.

Granted, my example is somewhat contrived, but it would not be difficult to come up with others.

For another example, even anonymized data can be PII. Remember when AOL released its "anonymized" search data, and specific individuals could be identified using that data?

Re:NAT

[Joe+U]

I agree, but you still have to get the second part of the information from the ISP. The ISP is the only group that really has the ability to tie the user to the IP address. (OK, the user can too, but that's obvious.)

Otherwise, an IP address is just some numbers that identify a system at an ISP, but do not personally identify the user.

Now, this might not be how the laws are written for PII, but it is common sense, IP addresses do not identify users, they identify routers and (sometimes multiple) computers.

Re:NAT

[HeronBlademaster]

That's true, but that's not the purpose of PII privacy rules. PII privacy rules do not only aim to protect only information that by itself identifies a person, they also aim to protect information that can identify a specific person when combined with other information.

In my earlier example, both zip codes and street addresses should be considered PII, even though by themselves they do not identify any particular person.

Privacy law and criminal law are unrelated; just because something is protected under PII law doesn't mean it can be used by itself to convict someone of a crime.

Absurd? Are you taking the piss?

[Assmasher]

Seriously, the IP address of a computer in your public library, or a school, or in a house with more than one person, how is that personally identifiable information? Talk about absurd...

How could this work ...

[Wrath0fb0b]

... if they don't collect the IP address of the computer requesting the update? Just send it to "the internet" and hope that the routers magically send it to the right computer? Multicast? TOR-WGA?

The real protection of privacy should (IMHO) come from the fact that your ISP ought to require a court order anytime someone wants to look through their DHCP records to match an IP address with a real person. If they don't, then you should take a very hard look at their policy for discretionary (aka, non-legally compelled) disclosure and see if it meets your needs.

This is, incidentally, why the "street address" analogy is somewhat inapt -- there is a public dictionary mapping street addresses to names or, if you are unlisted, they can physically locate you. OTOH, you can't drive to 141.30.219.76 (yes, that's currently my IP -- OMG I posted personal information on the internet.

[ For the wiseasses that are going to whois that, yes, you can figure out what university I'm at right now. That narrows it down to a few dozen city blocks filled with many thousands of students using the school network. I'm fairly confident you couldn't find out anything about me without the IT department's help. ]

Re:How could this work ...

[Joe+U]

141.30.219.76 You're in Dresden? How's school?

Re:How could this work ...

[Joe+U]

Sorry, I couldn't resist.

Seriously though, you're right on point. I might be able to narrow you down to a group of a few hundred, but that's it without help.

Re:Bad Analogy?

[Norsefire]

Is your home address shared by everyone else in your vicinity at random intervals? Does it sometimes change when you leave the house? If I send something to your home address is there a chance that are ~INF people with the same address?

While I don't think IPs should be public information, the house analogy doesn't quite work. We need a car analogy.

Re:Postal addresses identify houses!I

[LordLimecat]

Im lost, doesnt slashdot normally ridicule rulings that tie a person to a crime based only on IP address? Doesnt this ruling toss that right out the window? Or am I being silly in expecting people on slashdot to be logical and consistent in their beliefs? Im sorry if ive ruined your "bash judges" party.

Re:Postal addresses identify houses!I

[hedwards]

That's not in any way shape or form analogous. If I have your IP, I don't have the ability to go over there and kick the shit out of you. Even in the worst case all I'd be able to do is destroy your computer and take the information on it.

On top of that, IP addresses aren't personally identifying information, we've all been through that with the RIAA and MPAA suits, it at best identifies the computer and often times doesn't even do that successfully.

Obligatory car analogy

[Alpha830RulZ]

I think the judge is correct. If your car was leaving a crime scene, and the license plate were noted, your defense attorney would correctly note that someone else could have been driving the car. If your IP address is noted doing something nefarious, your lawyer would again correctly note that someone else could have been using the computer. That indicates that the information isn't uniquely identifying.

PII isusually the information that uniquely identifies a person. Name, SSN, and birthdate are the holy trinity of PII, with account numbers for a business close behind. The data security droids usually lump in address and phone, but I think that's an error in reasoning because of the above observation. I think they could correctly be described as sensitive, and certainly businesses and developers should treat them as such. But I don't think addresses and phone numbers are deserving of the protection that your name, birthdate and SSN get, because you can't go open a checking account in my name just by knowing my address.

Re:Obligatory car analogy

[plague3106]

Can they though? I believe I read that if you claim that someone else was using your car, YOU need to provide information on who... since its your property, its your responsiblity to know where it is. So if you get a knock at the door, and your car is still in your driveway and was never reported stolen, if you're going to claim it wasn't you, you'd better know who it was.

Re:Obligatory car analogy

[JustinOpinion]

I fully agree that name/birthday/SSN are "more important" PII than, say, a phone number. But the reason PII is defined more broadly is that the dangers are broad. The dangers are not only due to being accused of a crime or sued. Or identity theft.

For instance, if a medical record were leaked that said "John Smith, DOB: 01-05-1970 has lung cancer" that would be bad because it includes personally-identifying information, so everyone knows Mr.Smith's personal medical information. But a leaked medical record that said "person with phone number 260-555-1234 has lung cancer" isn't much better. Sure phone numbers don't match 1:1 to people, but the 2nd example I gave of leaked information would be just as damaging, to the person, as the first, since the phone number reveals the identity of the person. Not uniquely, perhaps, but close enough for it to be a problem (close enough for someone unscrupulous to do damage, unfairly discriminate, use for identity theft, damage reputation, etc.).

Again, this is why PII has to be defined fairly broadly: because a combination of even fairly innocuous data (even something quasi-public, like your phone number) with more sensitive data can be damaging. The extent to which these arguments apply also to IP addresses (which are, generally, not listed) is debatable.

Re:Obligatory car analogy

[2obvious4u]

I don't care who has my SSN, since I have to give it out all the time to pretty much anyone who asks.
The only PII that really matters is my bank account. It is all about following the money, who cares who you are as long as you can pay for whatever it is you want. SSN is almost like a public key.

Re:Obligatory car analogy

[pjt33]

But I don't think addresses and phone numbers are deserving of the protection that your name, birthdate and SSN get, because you can't go open a checking account in my name just by knowing my address.

Sure, but can you open one without giving your address?

Re:Obligatory car analogy

[Alpha830RulZ]

Yes, you can. You have to give -an- address. You can give any address. The address isn't validated. All that matters is that someone is there to get the card. This is in fact how most ID theft happens. Someone scarfs the name, birthdate, and phone number, and gives a different address where the card and statements are sent.

Re:Postal addresses identify houses!I

[Wildclaw]

My IP doesn't shuffle randomly. Does that mean that it gets protected under privacy laws unlike the dynamic ones?

It's still a better ruling than...

... what I've seen working for the USDA. We have a program that allows loan officers to run what-if scenarios on a farmer's finances to see if they qualify for loan servicing that would lower their payments on their government debt, minimize the loss to the government. In order to identify a borrower we use their tax-id. We were displaying the last four digits to help a loan officer identify the correct borrower when there are multiple people with the same name living in the same county. A recent policy decision however, ruled that the last four digits are PII and can no longer be displayed, so now our users will be confronted with lists of borrowers that look like the following:

Smith, John
Smith, John
Smith, John
Smith, John
Smith, John
Smith, John
Smith, John
Smith, John
Smith, John
Smith, John
Smith, John
Smith, John

with no way to determine which John Smith is the correct borrower.

Lovely

Not true.

[chipmeister]

My home address is not randomly assigned to me every time I come home from work. Plus, there is quite a bit of information around mortgages, tax documents, etc that tie me to my home address. Sorry, but the link between IP address and a person is pretty weak. Under certain circumstances it may be possible to prove a link between IP and PII. But as a general rule it is not as strong as home address.

Re:Not true.

[Tony+Hoyle]

Neither are most peoples IP addresses, unless they're on dialup. Dynamic IP made sense when IPs had 200 dialup ports and 2000 users, but not in these days of 24/7 connections... if you never disconnect your IP isn't changing so why make it dynamic in the first place?

If you whois'd my home IP you'd find my name, address and telephone number. It most definately does identify me. At the very least your IP is going to determine your ISP who can tell you exactly who was using that IP at the time.

Re:Not true.

[HeronBlademaster]

Under certain circumstances it may be possible to prove a link between IP and PII.

That's exactly why we should default to thinking of IP addresses as PII, because it can be used to identify people when used in conjunction with other information (depending on that other information).

The point of PII privacy rules aren't to protect information that by itself identifies a specific person, it's to protect information that can be used to find out something else that identifies a specific person.

Re:Postal addresses identify houses!I

[iamhassi]

"how would the judge feel if a bunch of internet activists decide to post his home address, since it only identifies a structure, not a person, and his car license plate numbers,"

wait... so we want the IP address to identify a person, not a computer? I'm confused, I thought this would be a good thing, since it meant RIAA couldn't prosecute people because an IP address was downloading and a person is not a IP address. Eventually this could lead to the end of stupid red light cameras that take pictures of license plates instead of people.

Legally tracking?

[Matt_Bennett]

Does this mean that illegal activity originating from an IP address tied to me cannot be used in court as evidence against me? (Like in the RIAA cases?)

Re:Legally tracking?

[Beerdood]

Does this mean that illegal activity originating from an IP address tied to me cannot be used in court as evidence against me? (Like in the RIAA cases?)

Before any of the software pirates / MAFIAA haters start cheering, there's plenty of other evidence to personally identify a user. In the Jammie Thomas case for example, she used the same username that she always had, had a password protected PC and was the only one that had access etc... So I doubt this ruling will make a difference in this case

However, if the IP address is the ONLY piece of evidence linking a file sharer (or some more serious criminal activity i.e. child porn, identify theft, scam artist, spammer) then I'm sure this ruling will be referenced in future cases

Re:Legally tracking?

[godrik]

that is why I use a weak password and install all trojan and spyware I can. It should give me reasonnable doubts. But strangely my computer stops working every 2 weeks...

Botnets?

[ramirez]

In the age where we're constantly discovering new botnets. Where most computer owners probably couldn't tell if their computer is being controlled by someone else (can most experts even be sure?) how can you say that an IP address is personally identifiable in a legal context? I guess if you can prove that 1) a computer had that IP address at the moment in time in question 2) Another computer didn't have the same IP address at the same time (always fun) 3) The computer was not compromised by an entity unknown to the user 4) The person you're trying to identify was using the computer at the time.

Re:Botnets?

[Opportunist]

1 and 2 are quite doable. 3 and 4 are near impossible, but also (unfortunately considered) irrelevant.

3 falls through the plausibility clause most of the time. Why should someone use your computer to download illegal porn or content? What's his gain? Unless you manage to show that someone has a keen interest to see you put behind bars and also has the ability to pull it off, you're on very weak ground here.

4 is usually a non-issue. You have no verdicts cast over IP addresses, you have warrants issued over them. I.e. some police guys come and carry away every computer or other storage equipment they can find at the place that IP address points to. If you're living alone and one of your computers contain the content, you're due. If you don't, they'll try to figure out whose computer had the info and try him for it.

Re:Botnets?

[Alistar]

For 3) there wouldn't need to be a direct relation to you, or even a keen interest in putting you behind bars. They only need a keen interest to not have themselves behind bars. If someone stabs somebody in your backyard, its not because they want to frame you, they just want to put as many layers between them and the crime.

You would use somebody's else internet connection or IP address, so it doesn't link to you, not so that it links to them specifically.

Re:Botnets?

[HeronBlademaster]

Yes, but if someone gets stabbed in your backyard (your IP address is used nefariously), and a trail of bloody footprints leads into your house (access logs don't show external access), and a warranted search turns up the murder weapon (they find your botnet control scripts in ~alistar/evilplottotakeovertheworld/), point three just doesn't matter anymore ;)

Re:Postal addresses identify houses!I

[Sobrique]

IP Addresses _can_ be dynamically allocated. Not all of them are.

The real rules on this issue

[dkleinsc]

If we're talking about what information a corporation is allowed to collect, sell, etc from its customers without authorization, then IP addresses are not personally identifiable.

If, on the other hand, we're talking about the ability of RIAA or MPAA plaintiffs to identify someone as engaging in copyright infringement, then IP addresses always identify a particular person who is responsible.

No aburd, thought this article might be.

[gubers33]

The more absurd thing would be comparing an ip address to a home address. Unlike a home address, an ip address can not be easily spoofed. Nor does can it change on the flip of a coin. Although service providers usually continuously reassign the ip address through DHCP, doesn't mean they always do. Ip addresses don't even identify computers, they identify devices on the network. Today, routers and hubs are used almost everywhere, meaning that the ip address isn't even identifying the computer it is identifying the router. MAC addresses would be more effective, but they can be spoofed just like an ip address. Plus if you use a proxy server, both this servers become even harder to find. Not to mention someone could be on another persons computer.

Re:No aburd, thought this article might be.

[gubers33]

I need coffee, I mistyped like eight things there.

Re:Bad Analogy?

[Em+Emalb]

We need a car analogy.
rich
Very well. If you're a homeless man, and you're breaking into cars to get out of the freezing cold of winter (and you really like the feel of rich, Corinthian leather) then if you were faced with either entering a beat-up Pinto or a nice extended-cab 4x4, you'd more than likely take the 4x4, correct? The only reason I can think of that you'd take the Pinto is either you're completely nuts or you got confused and thought you were going to be sleeping inside a giant bean. Which, you know, is pretty understandable.

For the record, you never said we needed an on-topic, on-point car analogy. ;-)

Re:Absurd? Are you taking the piss?

[ceoyoyo]

Sounds like a fantastic precedent to me. The only thing the RIAA has to identify the people they sue are IP addresses. The judge said IP addresses cannot be used to identify people. You can't sue a computer. This is a wookie. Case closed.

thank goodness

[goombah99]

Under federal law, all federally owned or federal contractor owned computers now have to protect PII. this means all sorts of niscances on your computer as well as big penalties for you personally if you lose a laptop and the PII as not adequately secured.

fortunately e-mail addreresses, phone numbers, and yes EVEN names of people are, interestingly not PII. can you image if they were? likewise IP addresses are not PII.

I think people just don't understand the concept of PII, they mis interepret the ill chosen term. PII is not something that would normally place you at risk if revealed. Sure a spammer could spam you e-mail or DOS your IPaddress but that's not what they mean. If someone knows things associated with your security like your SS ID, that is considered PII.

I think that the show is on the wrong foot with regard to SS. Basically the SS number has been overloaded with too many uses to the point where you basically have to tell people it, yet you actually are made vulnerable by this. Something needs to be done about SS numbers so they don't have to be PII.

Re:thank goodness

[TheRealMindChild]

Expand the numeric range, and allow proxy/filter ssn's, which you can pick up like extra phone lines.

Re:thank goodness

[goombah99]

how appropriate you are an anonymous coward.
but sorry, no, that's not how PII is defined. to exist we give our names in daily like. if you send and e-mail and expect a reply you give you e-mail address. I can't be made responsible for having either on my computer.

Not "absurd"

[wcrowe]

"A judge rules that IP addresses are not 'personally identifiable information' (PII) because they identify computers, not people. That's absurd..."

Absurd? Sorry, call me absurd too then. I have to agree with the judge, sort of. An IP address identifies a node on a network, not necessarily a computer, but I believe the judge is correct in pointing out that they do not identify people.

Re:Not "absurd"

[recoiledsnake]

An IP address identifies a node on a network, not necessarily a computer, but I believe the judge is correct in pointing out that they do not identify people.

The 'node'(eg. a cisco router) is technically a computer as well(for layman, court purposes).

Re:Postal addresses identify houses!I

[Beerdood]

Im lost, doesnt slashdot normally ridicule rulings that tie a person to a crime based only on IP address? Doesnt this ruling toss that right out the window? Or am I being silly in expecting people on slashdot to be logical and consistent in their beliefs? Im sorry if ive ruined your "bash judges" party.

When it comes to personal privacy, an IP address is definitely identifiable information and this is an outrage. When it comes to file sharing though, there's no way you can prove that the IP address actually belonged to a particular person.. it could be anyone using that computer, or unsafe wireless network!

Misunderstanding the issue

[Draque]

I believe the author of this article misunderstands the motivations of the judge. This case seems to me to have very little to do with Microsoft and their security updates and everything about the judge wanting to set a legal precedent for future, unrelated cases. If he had ruled that an IP address was P.I.I., it would mean that a person could be found guilty of crimes, held civilly responsible for transactions and a whole slew of other things based entirely on the IP address of the computer that had acted online. Although an IP is a very good clue as to who might have been acting online, it is *only* a clue.

Re:Misunderstanding the issue

[pjt33]

My date of birth and mother's maiden name don't uniquely identify me either. In fact I'd give good odds that the tuple (name, father's name, mother's name, date of birth, city of birth) doesn't form a unique identifier. That doesn't make them not PII (or "personal data" for those of us in the EU).

Re:Misunderstanding the issue

[Tweenk]

The problem is that personal data is not personally identifiable information! The converse is true but this is not.

"Personal data" is anything that gives a clue about your identity. Personally identifiable information is a piece or set of data that identifies you uniquely, with negligible possibility of error or ambiguity. The difference is vast. Your name is personal data but it is not personally identifiable information, because there might be hundreds of people called John Smith. Personal bank account number is usually PII, because there is only one such account belonging to only one person.

Re:Misunderstanding the issue

[nine-times]

Even your name and home address doesn't necessarily uniquely identify you. It's possible to have two people with the same name living at the same address (Jr./Sr. for example).

Re:Misunderstanding the issue

[pjt33]

Your name is personal data but it is not personally identifiable information

You seem to be contradicting the quotation from US Office of Management and Budget Memo 07-16 that was in the summary:

"information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."

That definition is all I had to work from, and I hope you'd agree with me that it looks a lot more like a definition of personal data than what you're defining as PII.

Re:Misunderstanding the issue

[maxume]

Actually, the judge ruled quite narrowly -- that the definition given in the EULA is appropriate for determining whether Microsoft violated the terms of EULA, mostly because "Personally identifiable information" is not well defined elsewhere.

A new law could be passed making it clear that IP addresses are personal information, but all that would do is require Microsoft to stop collecting the data, it would not be retroactive.

Really?

[argStyopa]

How is that "absurd"?

PII requires a 1:1 matchup with a PERSON.
In the course of a single day or week, how many people use a single external IP address at an Internet Cafe?

I think the ruling is correct - PII is no more personally-identifying than the street address of (possibly) an apartment building.

Re:Really?

[canajin56]

It doesn't require a 1:1 matchup. You can have two bank accounts, that doesn't mean that since it's a 2:1 matching, that it doesn't identify you anymore! And you can have a joint account, so that's a 1:2 matching, and it still identifies you pretty damn well. Plus, it most certainly does have a 1:1 matchup if the ISP logs DHCP assignments for a reasonable length of time. The ISP knows the account # it was assigned to, and therefore knows the customer it was assigned to. Who cares if they are the one using that computer, it was assigned to one individual. Just like a license plate is assigned to one individual. It doesn't identify who was driving the car, but it identifies SOMEBODY.

Re:Really?

[_avs_007]

Who cares if they are the one using that computer, it was assigned to one individual. Just like a license plate is assigned to one individual. It doesn't identify who was driving the car, but it identifies SOMEBODY.

Too bad the statutes in most states identify the DRIVER as being the entity that is in violation of a moving violation. That means the license plate number identifies the owner, but the owner IS NOT and CANNOT be found guilty of running a red light or speeding, unless you can prove they were the DRIVER.

Here are some citations.... Click here for California's statute on running a red light, where it explicitly says DRIVER. And Click here for California's definition of "Driver", as being the OPERATOR of said vehicle.

So like I was saying, your own argument should prove the judge correct. The license plate can identify the owner of the car, as it is "somebody", but that is pointless if that "somebody" is not the CORRECT "somebody", which is EXTREMELY important if you are bringing about criminal charges against somebody...

Re:Really?

[HeronBlademaster]

Put in another light, how many people use your external IP address at home in a day?

By itself, and IP address cannot usually be used to identify a particular person. But when combined with other data, it can be used to that end - and it should therefore be treated as PII.

Just as companies should not publish lists of street addresses (even without zip codes) to which they have sold their line of sexually transmitted disease medication, those same companies should not publish lists of IP addresses which have been used to visit their STD FAQ website.

Re:Postal addresses identify houses!I

[eln]

Dynamic allocation of IPs is only a valid argument against them being personally identifiable if ISPs don't keep records of who had what IP at what time. However, we know very well that ISPs do indeed keep these records, and are generally more than willing to hand them over to pretty much anyone who asks for them.

So, even with dynamic IPs, if you know the time and date when an activity took place, you can effectively tell who was responsible given the IP and the cooperation of the ISP, neither of which is particularly difficult to get.

Re:Postal addresses identify houses!I

[Talderas]

I like how when someone points out a hypocrisy or contradiction in slashthink they get modded troll.

Re:Postal addresses identify houses!I

[plague3106]

Not that I would recommend anyone doing it, but how would the judge feel if a bunch of internet activists decide to post his home address, since it only identifies a structure

I'm not sure that would be illegal. Is there anything legally preventing someone from stating that John Doe lives at 123 Fake Street?

his car license plate numbers, since they too identify an inanimate object

Um, isn't that exactly what judges have said in the past, hence why its legal for you to write down the plate number? That it's ok for plate numbers to be photographed and stored?

Re:Postal addresses identify houses!I

[Opportunist]

That's why "car lending cycles" a favorite sport here to dodge traffic fines. Because the police has to fine drivers, not cars (or their owners), all you need is a few friends and claim that I didn't drive, I let him have the car that night. Police goes to the person you gave your car to, he repeats the game. After about four or five iterations, they just drop the case because they know it'll go on for a few dozen more.

There's a reason why they want to have cams take pics from the front instead of the back of your car, so far the lobbying groups managed to avoid that, citing "safety reasons" (like, you'd be blinded by the flash at night and similar excuses).

Re:Postal addresses identify houses!I

[commodore64_love]

>>>If I have your IP, I don't have the ability to go over there and kick the shit out of you.

Sure you do. When a certain forum sysop kicked me off his website after I announced I was Democrat but still liked watching Fox News, at first I tried reasoning with him but he refused to listen and called me various names. So I used the emails to trace the IP address back to his hometown and address. Then I set his car on fire.

Ooops.

I probably shouldna told ya that.

Re:Postal addresses identify houses!I

[dyingtolive]

I thought it was for the lack of apostrophes.

Technical Reasoning vs Legal Reasoning

[Grond]

The author suggests this:

"Look, you don't have a standard definition for PII anyway. You adapt it to each individual situation, in order to determine what privacy protections should be built into each program, by using your common sense. So that's what I'm doing to do in this situation too. And my common sense tells me that having IP addresses visible to Microsoft's servers during the Windows Update process, is not a privacy violation, because that's how downloads work."

There are several problems with this. First, reliance on common sense and deference to the individual situation creates uncertainty, which in turn invites litigation. Such non-rules create problem spaces that can only be mapped through large amounts of expensive trial and error. Well defined rules eliminate uncertainty and discourage litigation by making the result obvious from the outset.

Second, this is a district court case. The district judge is concerned with the specific problem in front of him or her: are IP addresses personally identifiable information or not. The district court has neither the time nor the need (nor the authority, really) to create rules with broad scope.

Third, this case isn't about the meaning of 'personally identifiable information' generally. It's about the meaning of the phrase within the Windows XP End User License Agreement. The ruling is about construing the language of a contract, not privacy law as such.

Fourth, this is a federal court case dealing with a state contract law issue, in this case the law of the state of Washington (note the judge's citations to Washington contract cases like Seabed Harvesting v. Dep't of Natural Resources and Elliott Bay Seafoods v. Port of Seattle). When dealing with a state law claim, the federal courts are supposed to apply the law of the state as it would be applied by a state court; they are not empowered to make new state law. Erie Railroad v. Tompkins. Thus, it would be wrong for a federal court to make broad statements about the meaning of the term 'personally identifiable information' in contracts under Washington state law. Instead, the judge did the right thing and addressed only the specific problem at hand.

Re:Postal addresses identify houses!I

[mcgrew]

I thoroughly disagree with your post, but I also disagree with its moderation.

My license plate doesn't identify me, it identifies my vehicle. I'm not always the one who drives it. My address doesn't identify me, either, it identifies my residence, and again, even though I'm the only one who lives there, I'm not always the only one there. If someone I know commits a crime and they apprehend them on a warrant, should I be held as an accessory just because they once visited my house?

IP Addresses aren't personal

[Xipher]

The difference between an IP Address and identifiable numbers (Street Address, License Plate Number, Telephone Number, SSN, Student ID, Credit Card #) is that IP addresses aren't exclusive to people. IP addresses are allocated to organizations, not end users. AS Numbers are allocated to organizations, not end users. A single IP address doesn't distinctly identify a user in any way and could be used by thousands of different people in the course of a day or less. And you can not tie an IP to a specific person in order to give it this purpose, just not technically feasible. The only thing an IP address can identify is the organization it's been allocated to and possibly what hosts have used that address.

Re:IP Addresses aren't personal

[joeyblades]

In your list of "identifiable numbers" you include street address, license plate number, and credit card number. I share all of these with my wife and kids. Occasionally I have house guests who share my address and I may even loan them my car. So technically, none of these are examples of personally identifiable information.

Re:IP Addresses aren't personal

[HeronBlademaster]

Well they are, even though they don't by themselves identify an individual:

"information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."

Re:Absurd? Are you taking the piss?

[Beerdood]

You could still link other information to a person however. In the Thomas / RIAA case, there was enough evidence to link her user name "tereastarr" to other accounts of hers, such as email. In this case, the IP address wasn't even necessary. You can't sue a computer, but with enough other evidence you can link a computer to a person, or an online account to a person. These filesharing cases aren't over just yet, but it certainly makes it a lot harder for them to have a case (i.e. unsecured wireless network)

oh please

[nomadic]

If the judge was presiding over a DMCA case, and ruled that IP addresses didn't constitute personally identifiable information and therefore wouldn't support an RIAA subpoena, the same exact people ridiculing the judge here would completely reverse their decision and praise the decision.

Re:Postal addresses identify houses!I

[Uber+Banker]

I think you identified they key point well: It's not what PII is, or what something judged 'not-PII' is, it is what is done with any piece of information collected. That should be well defined, and if usage of PII or non-PII data is in breach of an agreement (for example whether and IP address is PII or isn't PII, if a service decide to sniff me on an IP address, as an example, as a result of my using their service, that should be changeable, rather than whether or not an IP address is PII).

Re:Postal addresses identify houses!I

[Talderas]

IP addresses only identify a machine, not a person. They -can- identify who was responsible for that IP address at any given time (the billing party), but that does not identify the person who committed an action with an IP address. The simple of existence of NAT and shared connection would be evidence enough that an IP address is not personally identifiable.

Re:Postal addresses identify houses!I

[larry+bagina]

With many red light cameras, the fact that you weren't driving doesn't matter.

Re:Postal addresses identify houses!I

[iplayfast]

I agree with LordLimecat. An ip address identifies a computer which may or may not belong to the person using it. I don't see how you can say that an IP address is identifiable infomation. It's information that has a higher likelyhood of being true, but not absolutely. (Which for legal matters would be important).

I disagree

[mea37]

I reject the author's premise that programmers don't need to care about the definition of PII. It's true that PII is a different issue from technical application security, but that's like saying that because fuel efficiency isn't crash safety auto engineers don't have to worry about fuel efficiency.

(You know you wanted a car analogy.)

It would be correct to say that PII is a business concern rather than a technical one, but I for one don't trust software developers who don't understand their business.

The correct reasoning to resolve this case, IMO, is to consider it implied (or, failing that, give MS a slap on the wrist and require them to make explicit) that the ban on collecting PII doesn't apply to situations where such collection/use is necessary to provide the requested service. That's the basic model HIPAA uses, and for all its flaws I can't imagine anyone arguing that HIPAA were too permissive. Then it no longer matters if an IP address is PII.

Question for NewYourkCountyLawyer

[Trails]

Doesn't this provide a handy precedent against the RIAA?

If IP's aren'[t personally identifiable, as a matter of legal precedence, then isn't trying to tie a person to an ip de facto not possible?

Seems to me the courts can't have it both ways.

Re:Question for NewYourkCountyLawyer

[Trails]

Um, that should be NewYorkCountyLawyer, us crazy Canadians put u's in everything!!!

Re:Question for NewYourkCountyLawyer

[maxume]

I see at least 2 things: The RIAA is not beholden to statements and definitions made in Microsoft's EULA and privacy policy (read the legal claim, the complaint is that Microsoft violated their own EULA by transmitting the IP, the judge ruled that "PII", as defined in the EULA, does not include IP addresses), and also, courts are not monolithic, different courts don't always look to each other for precedent.

So other courts might not even care about the ruling, but even if they did, the ruling is specific to the meaning of "Personally Identifiable Information" in the Microsoft EULA, not the meaning of the term in general.

Re:Question for NewYourkCountyLawyer

[maxume]

NewYorkCountryLawyer even (the r).

Re:Question for NewYourkCountyLawyer

[Trails]

Wow, I really hosed that...

Re:Postal addresses identify houses!I

[ezelkow1]

But they do take them from the front, I got a cam truck picture ticket that took it from the front, scared the crap out of me too, but there are places where they take them from the front.

try this for absurd

[ag3ntugly]

there are no less than 8 people who have the key to my network, and at any given time there are half a dozen computers connected to it between me and my roommates and the upstairs neighbors so to say that my internet facing IP positively identifies any of us is "absurd". I will however be positively delighted if my IP is ever used as evidence agaisnt me in court, because It carries with it more than enough reasonable doubt.

Re:try this for absurd

[HeronBlademaster]

Would you be equally happy with a pharmaceutical company who publishes a list of Viagra purchases by IP address, if yours was on the list?

This isn't really about criminal law, this is about privacy.

Re:try this for absurd

[ag3ntugly]

i see where youre coming from, but attaching an ip to an individual for any reason is foolish what with dynamic ip adressing used by many isps. Something like a name or social security number identifies you and only you, and isn't at all easyto change, but and ip address is fleeting, and the only entity that can tie an ip to a person is the isp that assigned it to them, and that only tells you who pays for it, not who was using it at a given date and time, and even with a court order the isp may not cooperate, and without that an ip is as useless a means of identifying you as is the serial number on your tv... and in response to you, i dont care if my ip is in a list of people who purchased viagra because noone who reads that list will see my ip and know I was a customer, so that does little other than support my argument. The point im making is that an ip at best narrows the possibilities of who it could be down to a small group and even then only to those who have access to your isps billing information, and therefore shouldnt be considered the same as drivers license number or ssn or whatever

Re:try this for absurd

[HeronBlademaster]

But that's exactly my point - it can identify you personally, when combined with other information.

Your home address doesn't identify you personally, unless you live alone (and even then it might not). How about you publish that?

I'm not saying it should be treated the same as a Social Security number, but IP addresses should at the very least be treated with care, because when combined with other data, IP addresses can help identify specific people.

DHCP is largely a red herring. Yes, my cable modem gets its IP address via DHCP. I've only ever had one address, though, in the two months I've had internet service here. I use DHCP within my own network, but three machines get static IPs for routing rule purposes. The laptops get dynamic addresses, but they're almost always the *same* addresses.

Re:try this for absurd

[ag3ntugly]

yes, an ip can id someone, when combined with other data, but this other data you talk about is nearly impossible for anyone to get. Not I nor you nor anyone we know can get to that data. hell when combined with other data you can ID some by whats in thier refrigerator or by what kind of shoes they wear. we have to draw the line someplace. let me ask you something, given than your fingerprint is as solid a means of id as you can get, do you wear gloves 24/7? i bet you dont, unless youre doing something you dont want anyone to know youre doing, same rules apply with ips, there are many ways to obscure your actual ip from those you deal with online, so if youre doing something you want to keep a secret but cant be bothered to use a proxy, why then should legislation be enacted to protect you?

Re:try this for absurd

[HeronBlademaster]

The medical industry gets in huge trouble when data gets leaked that has just a name and what medicine they're taking. Names are treated as PII, even when the name is "John Smith" and nobody could ever possibly identify an individual based on "John Smith", because there are zillions of them.

Similarly, no company should publish information that includes IP addresses. That's all I'm saying.

if youre doing something you want to keep a secret but cant be bothered to use a proxy, why then should legislation be enacted to protect you?

If you're doing something in real life you want to keep a secret (e.g. you don't want everyone to know you have a nasty disease) but can't be bothered to figure out a way to get the medicine legally without revealing your identity, why then should legislation be enacted to protect you? (It already does, by the way.)

Not everyone has the technical expertise to use a proxy. Don't act like it's the most trivial thing in the world to do - the idea is to protect the people who use technology but don't know everything about it.

Re:Postal addresses identify houses!I

[Joe+U]

Did they email you at user@ipaddress or did they contact your ISP for that information?

How is it absurd?

[Eggplant62]

Answer the following: I have a total of 8 computers turned on and active in my home. Two of those computers are virtualized on one server. Including me, I have 3 adults living here at home. Please tell me specifically which one of us 3 adults is at which computer, whether or not they are using a virtual machine, a laptop or one of my servers, and at what time of day we're using the PC based only on the IP address leased by my router.

Intent and Good Intentions

[gpronger]

After pondering the article, and a few of the links, what seems to be the point is intent. If ancillary information is gathered, necessary in supplying a service, with sufficient safe-guards in place, then its OK. The problem I see with this approach is that, as the old saying states, "The road to hell is paved with good intentions", though any particular service provider may have both insufficient PII for identification purposes, and has put in place what they consider sufficient safe guards, the "Russian Porno Spammers" are intent on hacking sites and are more than likely compiling partial PII information across web sites. This would allow them to write the life history for anyone who's sufficiently active on the internet (though they'd more likely simply steal everything the individual owns).

This is where a uniform standard would be beneficial, so that what is available anywhere is controlled. This ideally would come out of the industry than government, simply because they are more likely to be more on top of the situation.

Why ridiculous?

[SpinyNorman]

An IP address does only identify a computer (for dynamic IP addresses it's not even enough - you also need the time+date), not a person.

Tying an IP address to a person rather than computer requires that you have separate evidence tying the person to the computer at that time. Of course if it's a static IP address in a private home (as opposed to library, or other public place), it does rather narrow down who may have been using it (once you've proved it wasn't being spoofed).

Of course given that IP addresses, and even MAC addresses, are spoofable/changeable, I'd hope they're not taken at face value in court. Who's to say that the criminal act using "your" IP address was not done by a script kiddie spoofing your IP address?

On it's own an IP address is really more of a circumstantial link to a computer (and indirectly to a person) than a direct one. It's kinda like saying that a glove found at a crime scene matches one bought by a defendant, without proving that it's actually his glove, or that he was the one wearing it when the crime was committed.

Re:Postal addresses identify houses!I

I see complaints like this fairly often: "Slashdot is inconsistent!" ZOMGNOOOES! Of course Slashdot is inconsistent, and no this is not a problem. Slashdot is not a person. Slashdot is a website, and holds no opinions of its own. The people who post on Slashdot hold opinions. Is it any surprise to you that different people hold different, often conflicting, opinions?

Re:Postal addresses identify houses!I

[Bigjeff5]

Come on, we just want to have our cake and eat it too!

FWIW, I think the slashdot argument was initially against using IP addresses as a fingerprint like the RIAA was doing, instead of as a home address. It has since been carried away and muddied.

It takes something like this idiotic ruling to point that out and to clear things up a bit.

For an equivalent, outlandish example to make my point, tracing an IP address back to a computer is about like tracing a letter bomb back to the mail box. It does not prove which of the family of four that lives there sent it, and in fact it does not prove that it was not placed in their mailbox by a neighbor. However, it very much narrows down the search and you can be confident that the package was sent by someone from that address, with a small possibility that someone outside that address sent the package from that mail box.

Same thing with IP addresses, they can trace it back to the computer, or more likely these days the router, but beyond that it takes good old fashioned detective work to figure out exactly whodunnit.

Therefore, IP addresses ARE personally identifiable information, and as such they CAN be used as evidence in court. However, they are NOT proof that an individual committed the act in question because they are not directly tied to one individual and one individual only. They are like home addresses, not fingerprints, and should be treated the same way.

This ruling goes way out there and says they are neither, witch protects us from some crap like the RIAA, but opens us up to a whole other can of worms. I suspect this ruling will be clarified at some point, because it is rediculous.

Re:Postal addresses identify houses!I

[Bigjeff5]

Nah, don't worry, they can't trace you by IP, didn't you read the story? ;)

Programmers should care about PII

[cjonslashdot]

I believe that if programmers are told that PII is important to think about, then they will care. And they should be told that it is important.

The problem with a definition of "PII" is that the term kind of implies that it is information that can identify a person. That is not the real issue. The problem is that it is usually the correlations across information that are used to identify people. Thus, PII is really about the whether the data (the "information") can be correlated with other available information, and thereby identify someone.

Thus, you can't really create a list of "PII data elements" and leave it at that. If the data can be correlated with other public data and used to identify people with the data, thereby uncovering facts about people that are not expressly published, then the data should be considered to contain PII. This is not well understood in the industry.

- Cliff (author of High-Assurance Design)

Re:Postal addresses identify houses!I

[bertoelcon]

You also _can_ go get a certain licence plate(at least some states), not many do.

Re:Absurd? Are you taking the piss?

[mea37]

Context, people.

The flip side of what I've posted a dozen times elsewhere: Just because something isn't PII, wouldn't mean that it necessarily can't be used as evidence in a trial (especially at the standard for evidence in a civil case).

This is a case about privacy law, not standards of evidence. The two are essentially unrelated.

Re:Postal addresses identify houses!I

[_avs_007]

With many red light cameras, the fact that you weren't driving doesn't matter.

Whoever made this statement, is ignorant... Here are some links to California Statutes...
On this page it says that the driver shall not cross a red light...
On this page it defines driver as being the person that is operating the vehicle... Therefore if you are not the operator, you CANNOT be found guilty of this violation.

Re:Postal addresses identify houses!I

[perlchild]

No, it means we didn't want the Judge to say "there's no restriction on your use of this information, since it doesn't identify a person". Saying "This doesn't identify a person, by itself, so it's ok" would have worked. Saying "It identifies a computer, which could identify a person, so you can't have it" was the result the Judge didn't want to get.

As for the cameras, don't hold your breath, it's an attempt to use technology to stop a social problem, so it can only fail, but it will never be removed willingly by the state(because technology is either good, or bad, and if could be bad, you likely wouldn't be allowed in here).

What are you gibbering about

[strangeattraction]

Just because a home address can be assigned to you (the home does not move BTW) does not mean you are guilty of a crime that originates from your home. Trying to identify an individual by IP address is absurd. Finally a judge that understands the internet is a series of pipes. WTF.

Re:Postal addresses identify houses!I

[pete_norm]

You're right. And everyone should know that there is nothing (or nowhere) outside of California...

Re:Postal addresses identify houses!I

[pete_norm]

It depends where you live... Where i live, the owner is fined for it, except if he can get someone else to testify that he was driving. In which case, the driver is fined. And they do take pictures from the front and back. It's all to save lives, i'm telling ya!

Re:Postal addresses identify houses!I

[Anarchduke]

Or the IP address identifies the NAT enabled router that is actually exposed to the Internet.

Re:Absurd? Are you taking the piss?

[aztektum]

I'm all for using the IP address of my neighbors open wifi as PII for my illicit activities :D

Impersonation and Harassment

[ehud42]

TO add to the confusion, IMO, PII rules were introduced for 2 main reasons.

1) Identity theft
2) Harassment

The previously mentioned holy trinity of ID - name, DOB, gov id (SIN, SS, etc) are valuable tools to impersonate someone - typically for illegal financial gain. Into this bucket was added information like credit card numbers (I believe in Canada it is now illegal for merchants to throw out credit card slips that contain the full number - they must be shredded), bank account numbers, etc.

Addresses and phone numbers fall into the second category. While helpful in ID theft, they are not vital as often the thieves make up new addresses to prolong their discovery. However, they are valuable to marketers - and keeping them unsecured, or worse openly sharing (selling) them without the customer's permission is what generates a lot of the crap mail and phone calls we receive.

I would put email address in the second category, and IP addresses in neither.

An IP address cannot be used to open a fraudulent bank account or steal goods by charging someone else. Nor can it be used to send you unwanted solicitations. Therefore I agree with the judge that IP addresses are not PII (the reasoning is as mentioned vague).

Re:Postal addresses identify houses!I

[Duradin]

Eat our cake and have it too.

If you have it, you can eat it.
If you eat it, you don't have it anymore.

Re:Postal addresses identify houses!I

[commodore64_love]

>>>Get off my internets, you clearly don't understand the police system's conflict of interest.

Sure I do. Just yesterday a Philadelphia cop aimed a gun at an innocent woman, and then when she tried to escape the cop charged her with assault. THEN he tried to get the store's videotape to erase it. After all was said and done, the woman was freed since the tape showed she was innocent, but the cop is not being suspended due to the "thin blue line" gathering to protect him - good ol' boys protect each other.

So yes there's corruption.

That still doesn't mean I think laws should go unenforced. Last year I was caught by an "electronic cop" doing 61 in a 45 zone. Oh well. I'm not going to throw a hissy fit like a 5-yr-old and beg & plead to remove the automated cameras. That would be silly. I just need to learn to obey the signs and the law. (Or else change the speed limit if I think it's unreasonable.)

Oh my G0d!

[VincenzoRomano]

Go in the mentioned Genuine Microsoft Glossaty and look for Plugins (just fuew lines after the mentioned "Personally identifiable information").

Plugins

Plugins for Mozilla® Firefox® help your browser perform specific functions like viewing special graphic formats or playing multimedia files.
They can enhance your browsing experience by allowing animation or they can help with tasks such as validating your genuine Microsoft® software.

That's kind and nice of MS!

There is good news to this

[MrShaggy]

That anyone being setup for anyone being sued by the entertainment industry. I think once the judges start reading this as part of any deference then it will lknock away 90% f these fallous lawsuits.

Re:Postal addresses identify houses!I

[commodore64_love]

Non-relevant.

I recently stumbled across a street address online and immediately recognized it as my old college friend's home (call him John Smith). The street address was personally identifiable information (PID). My later decision to look at Mapquest to verify the location doesn't change the fact I already knew John Smith lived there.

Not PII

[smackmywhammy]

Tor - privoxy or any many-to-one NAT setup shoots the IP / PII argument full of holes.

Re:Postal addresses identify houses!I

[tftp]

So if the limit's 65mph and millions of people get ticketed, change the law to 70mph.

I take roads where the limit is 65 mph and I don't see it as too slow; in fact I am often very comfortable at 55 or 60 mph if that's the traffic speed. It only makes my trip longer by a couple of minutes while I enjoy the scenery. The problem starts when everyone drives 70 or 75. What do you do then? If you drive 65, as I attempt now and then in hope of doing the right thing, then everyone starts dangerously passing you on both sides and changing lanes 1/2" in front of you or behind you. In some places it is simply illegal to drive much slower than the traffic, and I agree. However if I accelerate to the traffic speed then I become a lawbreaker, and police can randomly pick me (or someone else) and write a ticket. I do see police now and then, parked and aiming radars at the traffic.

So the problem here is that you have no safe and legal way to drive. The best solution would be to seriously enforce the speed limit, except when higher speed is warranted (like when you go by some eighteen-wheeler - you don't want to linger alongside.) If you can't do that, drop the speed limit completely. As it is now, everyone who chooses safety is a criminal, and selective enforcement of the law feels (and is) unjust. The law must be either universally applied, or not applied at all. Imagine what would be if only 1% of murders would be even recorded, and even fewer investigated? Today every murderer knows that his crime *will* be noticed and there is a good chance that he will be found. Similarly, if you want to stop speeding make sure all speeders are ticketed. Then drivers who want to drive the legal speed will be able to do so. You need to create a culture where speeding is seen as an antisocial activity, something that most people voluntarily reject. Right now we are far from that Utopia, though - people seem to believe that saving of 30 seconds over a 1-hour trip is worth near killing a few innocents or risking a ticket. I don't want to play that game.

If you choose the universal enforcement you also need to change the system of punishments. Right now a speeding ticket is a serious offense, but they are issued to 0.001% of speeders. So many believe that the risk is minimal. If you, for example, install cameras that watch every car on the road, calculate their speed and determine who speeds and who doesn't then you need to apply some liberal algorithm. You should allow temporary speed increases, for example, and if a speeding threshold is reached then the ticket will be a fine and not a life-changing event. Habitual speeders will be hit with huge repeated fines, and maybe points on the license for major speeding (100 mph in 65 zone) whereas an occasional speeder who did 70 for a couple of minutes will get a $10 bill and will be able to learn from that experience without any points on his driver's license. This of course requires total surveillance, but if you want to enforce the law you need to watch every car. The alternatives are worse (except abandoning the speed limit.)

Re:Postal addresses identify houses!I

[L0rdJedi]

I don't know where you're at, but around here (SoCal) the cams do take the pics from the front of your car. And yes, the flash is pretty damn bright at night.

Re:Absurd? Are you taking the piss?

[celtic_hackr]

I was thinking the same thing.

I further wonder when /. started allowing Trolls to post articles?

Not only is the article poster wrong that it identifies a person, it doesn't even identify a device. Only a mac address will identify a device. For example. I have at my home:
1) one temporary IP address, which remains the same most of the time, but does change a few times a years at least,
2) a wired router,
3) a wireless router,
4) a headless gateway/ firewall computer,
5) a wired netwrok, with several devices hooked up,
6) a wireless network with several devices hooked up.


All of these devices share one, count it, one real IP address. So which of these dozen or so devices is uniquely identified by the IP address? Furthermore, at least three of the devices allow multiple accounts (Linux/Windows PCs) and users. So please tell me who, among the many users, including the limited weak password protected anonymous user account access on the wireless router, is the person uniquely identified by that changing IP address?

This is without a doubt the dumbest article I have EVER seen on /..

Re:I agree...

[HeronBlademaster]

PII is not "any information that by itself identifies a specific person". PII is any information that, in conjunction with other information, can be used to identify a specific person. An IP address does not, by itself, identify a specific person, but when combined with logs or other information, an IP address can be quite specific. I'll give examples below, using your questions as starting points. (It's not relevant that some of the solutions require the cooperation of another entity.)

If someone launched an attack from that one box, which of the 200 students is responsible?

The one whose account logs have "./myevilattack -target whitehouse.gov" in them.

If I leave my windows PC on, and someone breaks into it (they break into my house etc..) am I all of a sudden responsible?

Unless you can show that you weren't the one doing it, then the only thing to go off of is your word; in that case, yes, you would most likely be held responsible (at least in a civil case).

If my car runs over an old lady in the street, this does not imply I was at the wheel.

It does if the circumstances are right. For example, I never lend my car to anyone, ever; if my car runs over someone, chances are quite high that I was at the wheel. The only evidence to the contrary would be my word, so unless I have an alibi that can verify my whereabouts at the time, then the police would have no reason to believe anyone else was driving.

By itself, a license plate number or an IP address aren't necessarily personally identifiable information, but when combined with other information, they can lead one to identify specific individuals. Therefore, they are both PII (or at least, they can be, and thus should be treated as if they always are, from a privacy standpoint).

Analogy needs work..

[I'm+not+really+here]

Here's the problem with that analogy:

Someone can be using my computer at the same time as me without my knowledge if my machine has been infected with malware.

It'd be rather obvious if some random stranger was trying to use my car at the same time as me. Even if you want to stretch the analogy and try to make it work, it would be more like you noticing that for the last 6 weeks, you have had to get gas more frequently, and though you haven't actually taken note of the odometer, you think someone is borrowing your car every night to go joyriding or something. You can't prove it easily, but you think something is up.... then there is a knock on your door. It's the police.

You see, in this second, slightly more accurate, analogy, your defense that someone else may have been using your car would be more valid. You would include testimony about the odd increase in gas usage, the fact that you are certain you haven't driven as many miles in the last month that your car indicates you did, and that you think someone has been stealing your car every night because it's not always quite where you left it when you come out in the morning.

A bit absurd for a car analogy, but not at all insane for a computer to be doing things you are unaware of.

Re:Analogy needs work..

[Alpha830RulZ]

Well, let me give you a true story on this. Many years ago, I went to a movie. It was, in fact Alien, long ago. I came out of the theatre, walked up to my car, and observed that the license plates were different. During the movie, someone had swapped my plates. I called the cops, and they told me that it was pretty common. Someone had stolen another Acura, looked for a similar car, and swapped plates. They figure that car owners are generally oblivious, and this way, I would get pulled over for the stolen car.

So I think the analogy is actually rather good. There are multiple explanations why your car, or you IP address, might be reasonable for something while you are not, and therefore, the IP address and car license should not be viewed as conclusive proof of guilt, or as uniquely identifying information.

Time of use obscurity.

[Jaazaniah]

Ok, let's put this in context, I've seen car registrations pointed to here, so I'll start there.

An automated radar gun catches your car speeding at 70 mph in a 45 zone, and the camera only gets the license plate for whatever reason - does that give the state the right to issue a warrant in a similarly automated manner for the owner's arrest? No. Because the car, the license plate, and the VIN might be registered to one person, but the infraction may have been executed by a car theif, a run-away teen, or a spiteful soon-to-be-ex-spouse. This is why a pair of cameras are part of speed cameras, because a face is personally identifiable (putting the questions about adopted procedures aside).

The same thing could be applied to IPs or hell even if each machine had its own ID, only on a larger scale. The time to download some movie is not insignificant, but could be hidden out of sight of roomates, siblings, what have you if need be. Shared machines using the same IP might have seperate logon info to subpeona, but what if the final steps of a damaging hack job were executed from a library public machine? It becomes more complex than the IP alone, and the same mentality should be the default approach when dealing with private IPs. IPs are not personally identifiable, because no one beside those physically present can identify who was operating the device at the time. Even logon information may have been compromised (surely /.'ers know many people who don't use secure passwords at home), leading to a potentially stream of framing/fraud crimes when the system is exploited for its naïve scope.

In short, the operator is at fault, not the machine being commanded. If we want to move to biometric logons as the norm, that will be quite expensive for such a small issue.

Re:Postal addresses identify houses!I

[treeves]

What if I don't want privacy in some legal sense? I want (actual) privacy.

Re:Postal addresses identify houses!I

[commodore64_love]

>>>The problem starts when everyone drives 70 or 75. What do you do then? If you drive 65, as I attempt now and then in hope of doing the right thing, then everyone starts dangerously passing you on both sides
>>>

Several thoughts: (1) You say when you drive 65, people pass you on "both sides". That indicates to me you're in the center lane, where you don't belong. You're only supposed to drive on the right lane unless passing. I don't know about your state, but in my state this is enforced, and the cops will ticket cars that occupy lanes where they don't belong.

(2) They pass you. So what? People pass me in my Honda Insight when I'm doing 60, but I just ignore them.

(3) When I lived in Salt Lake City we had a 75mph speed limit, and I didn't see any great danger from that. In fact traffic moved better because everyone was moving at approximately the same rate (70-75) with virtually no speeders, due to strict enforcement of the 75 limit.

(4) Interstates are designed for safe 120 mile per hour travel. Why? Because it's Congressional mandate, in case the army needs to move quickly during wartime. Going 75, which is only 63% of maximum safe travel, is not dangerous. See point 3 about SLC Utah.

>>>people seem to believe that saving of 30 seconds over a 1-hour trip is worth

Uh, no. It's more than that. If the limit is 65 and I do 75, that's about 8 minutes knocked off the trip. And on long-haul travel, like I often do, then that's ~20 hours times 8 mins == 160 minutes == approximately three hours saved. I would love to see the ridiculous 65mph limit in empty regions of Indiana or Ohio raised to 75, due to the time saved.

>>>The best solution would be to seriously enforce the speed limit

I believe I already said that. We should have cameras everywhere, enforcing the posted signs. In fact they could probably be built into the signs.

Re:Postal addresses identify houses!I

[commodore64_love]

P.S.

"Get off my internets"???

I've been on the net since 1988. Although there may be some who predate me, I suspect you're not one of them, so I'm claiming squatter's rights. I was online first; you came later.

Re:Postal addresses identify houses!I

[commodore64_love]

>>>The US totally dropped the ball on digital TV. Although mobile ATSC is rolling out so there's finally a version of ATSC that can degrade gracefully.
>>>

Yeah but that does me no good, unless I spend another 180 dollars equipping my three sets with new boxes that can interpret the ATSC-mobile signal. Plus adding that Mobile signal requires bandwidth, so that means one less channel per station. :-(

Re:Bad Analogy?

[zippoiii]

If I send something to your home address is there a chance that are ~INF people with the same address?

Never used UPS for shipping anything have you?

Re:Postal addresses identify houses!I

[tftp]

(1) You say when you drive 65, people pass you on "both sides". That indicates to me you're in the center lane, where you don't belong. You're only supposed to drive on the right lane unless passing.

Not exactly. Cars to the right of me are exiting the freeway. For example, this road is wide, from 4 to 6 lanes in each direction, and the rightmost lane is constantly merging and branching off. It is not a good place to be unless you are exiting; it is often wiser to leave it free for other people to merge. Also from defensive driving POV you are more constrained at the edges. Large trucks are also required to stay in that lane and drive 55 mph. There are plenty of lanes to the left of me, at least two or three. For example, here the right westbound lane simply ends and there is no good reason to be there unless you were exiting onto 880.

As you can see in that picture, only the leftmost lane is seen as reserved for passing (and the HOV lane when there is one.) Other lanes, from center and all the way to the right, are fair game - especially considering that on this particular stretch of 280 you need to choose the lane strategically, depending on where you want to go, or else you may be forced to change lane in the last moment (and those who are unfamiliar with the road have to do that.) In the photo you can see that the lane pointed by the arrow (there is some kind of a truck) is the only one that goes straight and requires no lane change. So there is a good reason to be in it if you intend to go forward for a couple of miles and then exit. As matter of fact, I will stay in this lane for half a mile, skip a merge point from 880 North (pan to the West a bit, the merge area is short, the city is planning to redo it - merging cars will thank you for not taking the rightmost lane there) and then move into the rightmost lane that is not exiting immediately. As I said, patterns of efficiency emerge after you travel on the same road a few thousand times. Police will not bother you for choosing one of center-right lanes for a long distance trip. Just don't stay in the leftmost non-HOV lane for long. In rush hour all lanes are equally full, BTW, and equally not moving.

I would love to see the ridiculous 65mph limit in empty regions of Indiana or Ohio raised to 75, due to the time saved.

I won't argue against higher speed limits outside of cities. But where I live cars exit and enter the road every half a mile. Many weaker cars (or trucks) can't gain enough speed on short ramps, and many ramps are curved so you can't start accelerating in advance. Merging with a large speed difference is unpleasant.

Re:Postal addresses identify houses!I

[Qybix]

No.

Just that: No.

IP addresses do NOT identify people or even computers. MAC addresses can be hacked and even windows license numbers aren't worth shit.

This judge is actually being intelligent and Beerdood hits the nail on the head. We should all be congratulating this judge not condemning him....

But then, your so fickle you can't even be consistent in your answer! Personal privacy or file sharing doesn't matter. It's the mark of an idiot to think that IP address makes anything other than an end point for a tcp or udp stream.

Qybix

Re:Postal addresses identify houses!I

[Joe+U]

Of course it's relevant. Did they have to contact a trusted third party to obtain the information or were they able to do it via anonymous or public sources?

You can not trace an IP address to a specific person without the ISP or the person giving the information away.

So, did they contact your IP address directly to email you or did they call your ISP?

Re:Postal addresses identify houses!I

[larry+bagina]

Those two statements are correct, and that's the problem because many red light cameras target the vehicle, not the operator. (California seems to require a picture of the driver and the license plate)

The Minnesota Supreme Court ruled that red light cameras violate state law for that very reason.

It's a bad assumption

[tkrotchko]

"Thus, for households in which the computer is used primarily by one adult, an IP address is personally identifiable in that knowing the IP address (in conjunction with information from the ISP) makes it more likely than not that the adult in question was using the computer at the time the transaction with that IP was logged."

That's loaded with a whole bunch of assumptions.

First, the IP address that is public is the NAT'd address, thus, at best it identifies a pool of 1 to as many as 255 computers. While that may be ridiculous, let's be more realistic. If 2 adults and 2 teenage kids live in a house, it's fairly common for each of them to own their own laptop computer.

So if you say "IP address a.b.c.d was used to copy our music illegally", in the absence of any additional information, you narrowed it down to 4 people. But wait: it gets more complex if you have roommates who are not related to each other; there is no consideration that as a minor the parent may be responsible.

However, it's more complex than that. An IP address is changed regularly by an ISP, in absence of definitive logs from the issuer, it can't be considered reliable. Who owned address a.b.c.d at a particular time?

In the end, at best an IP narrows down the list of possible people from 5 Billion people down to perhaps several dozen. Useful for an investigator, but if I was on a jury, I wouldn't convict someone purely on the basis of an IP address, regardless of a judge's instructions.

cool

[smash]

Anyone told the RIAA and MPAA (and their attorneys) yet?

RTFA

[bill_mcgonigle]

"I actually worked as a contractor at Microsoft "