Slashdot Mirror


Your Dynamic IP Address Is Now Protected Personal Data Under EU Law (arstechnica.co.uk)

Europe's top court has ruled that dynamic IP addresses can constitute "personal data," just like static IP addresses, affording them some protection under EU law against being collected and stored by websites. ArsTechnica UK adds: But the Court of Justice of the European Union (CJEU) also said in its judgment on Wednesday that one legitimate reason for a site operator to store them is "to protect itself against cyberattacks." The case was referred to the CJEU by the German Federal Court of Justice, after an action brought by German Pirate Party politician Patrick Breyer. He asked the courts to grant an injunction to prevent websites that he consults, run by federal German bodies, from collecting and storing his dynamic IP addresses. Breyer's fear is that doing so would allow the German authorities to build up a picture of his interests. Site operators argue that they need to store the data in order to prevent "cybernetic attacks and make it possible to bring criminal proceedings" against those responsible, the CJEU said.

38 comments

  1. first post! by Anonymous Coward · · Score: 0

    I've waited 10 years for this!!!!!

    1. Re:first post! by aliquis · · Score: 0

      And you actually made it!
      But you posted as AC so no-one will actually know you made it! Great work! Your first ever first post on /. and no-one will know your name or ever be able to find out :D

    2. Re:first post! by Impy the Impiuos Imp · · Score: 1

      He might have made a first post years ago if he had tried instead of waiting 10 years first.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    3. Re:first post! by bluelip · · Score: 1

      I've been waiting at least that long for Natalie Portman, hold the hot grits.

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
    4. Re:first post! by Oswald McWeany · · Score: 1

      I could only wait for about 2 minutes... ... Sorry Natalie!

      --
      "That's the way to do it" - Punch
    5. Re: first post! by Anonymous Coward · · Score: 0

      no, that was when being "slashdotted" still mattered. post or no post, slashdot is a drop in the ocean now.

    6. Re:first post! by alisande · · Score: 1

      and yet gone so fast.

      ps - probably my first post in over 10 years; actually had to re-create my old yahoo account to get the password... HA!

    7. Re:first post! by aliquis · · Score: 1

      I've been waiting at least that long for Natalie Portman, hold the hot grits.

      I guess this isn't the time to say "fuck her" but I would have taken and waited for Alizee instead. However I had missed she had become single and I thought she had more children (but that was Jolie) and now she's found someone new again.

      It's such BS. Alizee, you know I deserved you when you were young and hot, it should have been us, but chances by now I can't do better so you may still have a chance! ;D

    8. Re:first post! by KingBenny · · Score: 1

      I didn't quite see the legal text. Does this mean it's officially forbidden for anyone and any server anywhere getting EU traffic to keep logs?
      That's probably a good thing then, but how do I turn it off? This /var/log/ thing? It just keeps coming faster than I can delete it?

      --
      Free speech was meant to be free for all... how can anyone grow up in a nanny state ?
  2. Open source software == NSA by CajunArson · · Score: 0

    Well, it looks like practically every default logger for Apache/Nginx/etc. can be considered NSA spyware according to this edict.

    That means you too, Slashdot.

    --
    AntiFA: An abbreviation for Anti First Amendment.
  3. Sorry, What? by Anonymous Coward · · Score: 0

    "Site operators argue that they need to store the data in order to prevent "cybernetic attacks and make it possible to bring criminal proceedings" against those responsible, the CJEU said."

    Excuse me, but did you just say you want to prevent *cybernetic* attacks?

    1. Re:Sorry, What? by Calydor · · Score: 1

      Oh, so it isn't just because English is not my native language that I think of cybernetics purely in the context of cyborgs, androids and the like?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    2. Re:Sorry, What? by Anonymous Coward · · Score: 1

      Attacks by the Cybermen, but the Doctor will protect us.

    3. Re:Sorry, What? by EtCeteralodz · · Score: 1

      I do not know

      --
      Web design, SEO - WWW hosting
  4. Reasonable by ADRA · · Score: 5, Interesting

    It is 'reasonable' that your IP address is considered personal information 'offered' to the web sites in question.

    What this law 'should' mean (I can't speak for the wording specifically) is that a site's owner should treat a user's data as privileged, meaning it isn't handed out to others without reasonable justification. Law enforcement should still be able to subpoena these records as they probably have been able to in the past. My hope is that the law makes 'non-subpoena' requests for a given user's IP address harder to obtain since it would now be a privacy violation to disclose it.

    That's all fine, but as the blow-back illustrates, just because an IP address makes a physical connection with a service you're hosting, it doesn't mean that said service is in any way being transmitted by the person in question. DOS attacks happen all over the place, and unless you have services which share information about these attack vectors, it's significantly harder to track and get take-downs of the offenders (maybe I'm being too optimistic..).

    Maybe the best trade-off is when an IP address is logically tied to further information from the site (site profile, name, email, etc..). If so, the information is considered 'personal information' while a random drive-by DOS is just considered infrastructure data.

    --
    Bye!
    1. Re:Reasonable by Anonymous Coward · · Score: 1

      Seeing as how we're headed towards worldwide adoption of SSL as a standard it's reasonable to assume that everything will be considered private soon. IP addresses are not "an offering", they are required in the handshake process for communication. In my opinion the protocol determines whether a connection can be assumed private or not. HTTP no, HTTPS yes. That's why there's such a huge push for everything to be HTTPS now. It's a good thing for everyone. NSA can't scoop up tons of public traffic anymore, they have to target individuals like they were always required to; with a search warrant by a judge. Rubber stamping every single request for ad hoc mass surveillance is obviously illegal and far too close to big brother 1984 East Germany whatever. HTTPS is a good way to get things back on the right track. It will keep intelligence agencies honest to a degree. It's what the people want and deserve... or at least the illusion of it.

    2. Re:Reasonable by Anonymous Coward · · Score: 0

      In my opinion the protocol determines whether a connection can be assumed private or not. HTTP no, HTTPS yes

      Completely unrelated to German privacy laws, you don't have to encrypt your letters to make it illegal for other people to copy and redistribute their contents or your mailing history. There is a fundamental understanding that data is shared for a specific purpose, in the case of an IP address it is for exchange of data with an endpoint and not as unique identifier for use by 3rd party advertisers. This is not a new concept, many professions, most notably lawyers, doctors or even priests after a confession are expected not to share their customer data with the world (unless it requires law enforcement action). I find it tiring how "on a computer" is seen as an excuse to throw away centuries of existing expectations and requirements.

      Also unimportant from a technical perspective, HTTP/HTTPS are used on top of IP packages, the IP layer does not care whether its contents are encrypted - the address is perfectly stalkable either way.

  5. Re:Ridiculous by Anonymous Coward · · Score: 0

    You are looking at it wrong: an ip is protected personal data that can be used to sue a Jane/John Doe, the ISP has the missing data for the plaintiff.

  6. Re:Ridiculous by MooseTick · · Score: 1

    "an IP Address is like a physical address on a house: it does not identify a person"

    Would you be ok with any business giving away your home address however they saw fit?

  7. Re:Ridiculous by Ash-Fox · · Score: 1

    Would you be ok with any business giving away your home address however they saw fit?

    Already happens with the junk mail I get addressed to me and the fact my name and address are public record for company filings and whois records.

    I don't see why anyone else should be exempt if I'm not.

    --
    Change is certain; progress is not obligatory.
  8. I can see your IP! by Anonymous Coward · · Score: 0

    I can see your IP! So can the entire Internet. That's how it works. Packets are like post cards. You can write secret code on a post card, but the return address and the sender have to be out there because.. that's how it works.

    If a bunch of people send me post cards, I can put their addresses in a file. They sent me post cards. If they didn't want their address in my file, they shouldn't have done that.

    I don't think this is the most clueless thing the government ever said. They can, and perhaps should, regulate some retention rules on this information for corporations; but by default the IP is out there for everybody to see. That's how it works.

    1. Re:I can see your IP! by Oswald McWeany · · Score: 1

      Yeah, well I can see UP!

      --
      "That's the way to do it" - Punch
    2. Re:I can see your IP! by Luthair · · Score: 1

      The issue is that the IP address is trackable.

  9. NAT by Karrham · · Score: 1

    What about ISPs that use NAT? In this case many users have the same IP address. Public WiFi hotspots usually have one IP address on the Internet for their clients. I don't think that a site owner can easily get information from the ISP about the persons that used some IPs, when the users didn't do some bad things.

  10. Public or private? by unixisc · · Score: 1

    The ruling is somewhat laughable depending on what sort of dynamic address we are talking about here. If it is an address from RFC1918 - something like 192.168.7.11, then it's really silly, given that it's the address of any number of people in that number of separate networks. If it's a public /128 IPv6 address, I see the point - although given that a subscriber would usually get at least a /64, question that would arise - why not protect that entire /64 subnet?

  11. Re:Ridiculous by truedfx · · Score: 2

    I'm the only one living in my house and I have a static IP address. Both my physical address and my IP address do identify me. You cannot know just by looking at them whether they identify a person, and that by itself should already be reason enough to treat them as potential personal data. That said, you're being inconsistent. Date of birth does not identify a person. Date of birth in combination with other facts may. Party affiliation does not identify a person. Party affiliation in combination with other facts may. A physical address does not necessarily identify a person. That same address in combination with other facts may. An IP address does not necessarily identify a person. That same address in combination with other facts may.

  12. 192.168.0.3 by jfdavis668 · · Score: 4, Funny

    Sorry, you can't store it, it's personal protected data!

    1. Re:192.168.0.3 by Obfuscant · · Score: 1

      If that's the address you connect to someone's website with, they don't need to store it because you aren't getting any connections to start with.

      Are you confusing dynamic IP addresses with private netblocks?

    2. Re: 192.168.0.3 by Anonymous Coward · · Score: 0

      My private IPs are dynamically assigned!

    3. Re:192.168.0.3 by Anonymous Coward · · Score: 0

      Woosh!

    4. Re:192.168.0.3 by Coren22 · · Score: 1

      Well, mine is 127.0.0.1, hack that all you horrible internet hackers!

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  13. Now can sue for piracy by Anonymous Coward · · Score: 0

    So if Dynamic IPs are now in that category, does it remove the "you can't prove it was me using my internet connection" defense?

  14. I thought my IP address.... by mark-t · · Score: 0

    ... was the property of my ISP.

    Sort of like how my physical street address is property of the municipality, my phone number is property of the phone company... etc.

    I do not own any of the information that could potentially be used to track me down unless I can live entirely independently of using property that belongs to other people.

  15. No to IP address, phone number by raymorris · · Score: 1

    > I thought my IP address was the property of my ISP.

    It is explicitly NOT. The agreement an ISP signs to get numbers includes these terms:
    --
    Legacy Holder acknowledges and agrees that: (a) the number resources are not property (real, personal, or intellectual) of Legacy Holder; (b) Legacy Holder does not and will not have or acquire any property rights in or to any number resources for any reason
    ---

    See also:
    https://www.arin.net/policy/nr...

    The most important practical implication of that fact is that ARIN can, under the contract, revoke IP assignments from ISPs that aren't actively using them.

    > my phone number is property of the phone company

    Two words: Number Portability.

    1. Re:No to IP address, phone number by mark-t · · Score: 1

      Phone numbers are only as portable as the phone companies that govern them allow them to be. If you have a land line, try moving to another city in the same area code and see if they let you keep the same phone number.

    2. Re:No to IP address, phone number by Luthair · · Score: 1

      I believe that was part of the regulation, and in general it makes sense for routing reasons.

  16. Re:Ridiculous by Anonymous Coward · · Score: 0

    "an IP Address is like a physical address on a house: it does not identify a person"

    Would you be ok with any business giving away your home address however they saw fit?

    Like... a phone book?