Court: IP Addresses Are Not 'Personally Identifiable' Information

By neufuse
in Back Page News

 Share

Recommended Posts

Grand Master

neufuse Veteran

Posted
  • Veteran
Posted

In a ruling that could fuel debate about online privacy, a federal judge in Seattle has held that IP addresses are not personal information.

"In order for 'personally identifiable information' to be personally identifiable, it must identify a person. But an IP address identifies a computer," U.S. District Court Judge Richard Jones said in a written decision.

Jones issued the ruling in the context of a class-action lawsuit brought by consumers against Microsoft stemming from an update that automatically installed new anti-piracy software. In that case, which dates back to 2006, consumers alleged that Microsoft violated its user agreement by collecting IP addresses in the course of the updates. The consumers argued that Microsoft's user agreement only allowed the company to collect information that does not personally identify users. Microsoft argued that IP addresses do not identify users because the addresses don't include people's names or addresses. The company also said that it did not combine IP addresses with other information that could link them to individuals.

Last month, Jones sided with Microsoft and dismissed the case before trial.

But some say that Jones's decision about IP addresses is inconsistent with other recent opinions about the issue. Eric Goldman, director of the High Tech Law Institute at Santa Clara University, points out that the European Union considers IP addresses to be personal information. Last year, the EU said that search engines should expunge users' IP addresses as soon as possible.

Additionally, a court in New Jersey ruled last year that Internet service providers can't disclose users' IP addresses without a subpoena, on the theory that people expect their IP addresses will be kept private.

Marc Rotenberg, executive director of the Electronic Privacy Information Center, criticizes the Microsoft ruling as "a silly decision." "The judge didn't understand the significance of the IP address or the reason that it was collected," he says.

Rotenberg adds that the judge prematurely dismissed the case, arguing that more facts were needed to determine whether IP addresses were personally identifiable.

Today, industry observers say that IP addresses can be combined with other information to determine people's identity. In addition, even when IP addresses have been anonymized, it's possible to associate the account with a specific individual, given enough other information. The most famous example occurred in 2006, when AOL released search logs showing queries made by more than 650,000 members. The members' IP addresses had been changed, but the queries themselves contained enough clues to people's identities that The New York Times was able to find and profile one "anonymized" user, Thelma Arnold, within days. At the time of that incident, many companies took the position that IP addresses were not personally identifiable information.

Jules Polonetsky, co-chair and director of the think tank Future of Privacy Forum, adds that many sites with older privacy policies maintain that they don't collect personally identifiable information, but log IP addresses. "For many years, people just threw around the term 'personal information,'" he says. "They didn't pay attention to account IDs in the hands of third parties, IP addresses -- other types of information that, with some effort, could become identifiable."

Polonetsky says that companies today are rewriting privacy policies to more carefully define their terms, adding that many in the industry now view IP addresses as more sensitive than completely random data.

source: http://www.mediapost.com/publications/?fa=...;art_aid=109242

Grand Master

primexx

Posted
Posted
YAY! I think that's very good news. A step in the right direction.

only if "right direction" means "eradication of online privacy" to you.

IP addresses by themselves are fairly harmless, but it's easily turned into private information by getting the timestamp as well. In this case MS didn't do anything wrong, but the ruling sets a dangerous precedent.

Grand Master

+Warwagon MVC

Posted
  • MVC
Posted
only if "right direction" means "eradication of online privacy" to you.

IP addresses by themselves are fairly harmless, but it's easily turned into private information by getting the timestamp as well. In this case MS didn't do anything wrong, but the ruling sets a dangerous precedent.

But this is great news for the morons at the RIAA. Now the little 7 year old girl they will be suing next might stand a chance.

Grand Master

primexx

Posted
Posted
But this is great news for the morons at the RIAA. Now the little 7 year old girl they will be suing next might stand a chance.

the RIAA already uses more than the IP address (i.e. timestamp) and coerces the ISP into giving them private customer information. If IP addresses do become protected as private information, it'll make the RIAA's phishing expedition much much harder since they won't be able to use the IP as evidence (since they didn't have a warrant for it).

Experienced

libertas83

Posted
Posted

My first reaction was that it was a good ruling because an IP Address cannot determine who was the user at the computer. So in criminal cases, more evidence should be needed to demonstrate that the defendant was the user at the specified time and place.

However, when I think about it more, an IP Address is like any regular street address or email address. These things are considered personally identiftable information that could with other information be used to track individuals.

Grand Master

I am Reid

Posted
Posted
a phone number doesnt identify a person, just a phone

an address identifies a house, not a person

but those are considered identifiable

another US judge fails..suprise suprise

an IP address in many cases identifies a wireless router

Ill wait for your reply.

Grand Master

+Warwagon MVC

Posted
  • MVC
Posted
a phone number doesnt identify a person, just a phone

an address identifies a house, not a person

but those are considered identifiable

another US judge fails..suprise suprise

Yes Exactly, so in this case an IP address doesn't identify a person just a computer. So how is it that the Judge failed? Sure the others may be considered identifiable but using your list you can see why the judge would rule that an IP address are not personally identifiable.

Grand Master

I am Reid

Posted
Posted
Microsoft is obviously wrong... They say it doesn't identify a location. And yet, I can type my IP into a website and be told my town. That, is a location.

and I can type in my zip code or even area code and I can get the same thing.

Grand Master

hagjohn

Posted
Posted
Now your trying to twist it in your favor. An IP address identifies a much smaller group of people.

If you live in a large city, it could identify any number of "people" depending on how large a pool the ISP is using.

Veteran

toadeater

Posted
Posted
Microsoft argued that IP addresses do not identify users because the addresses don't include people's names or addresses.

I think the judge should look into whether Microsoft has been linking IP address to people's names or addresses FROM THEIR LIVE ACCOUNTS. Or from other MS services or registration. You register through your PC, with your IP address, MS is trying to tell us they don't link the two? At the very least, they DO link IPs to MS online accounts, that is a fact. Maybe people don't give out personal info on Live, but they do on MS services that require payment.

The US DoJ is clueless.

Grand Master

I am Reid

Posted
Posted
I think the judge should look into whether Microsoft has been linking IP address to people's names or addresses FROM THEIR LIVE ACCOUNTS. Or from other MS services or registration. You register through your PC, with your IP address, MS is trying to tell us they don't link the two? At the very least, they DO link IPs to MS online accounts, that is a fact. Maybe people don't give out personal info on Live, but they do on MS services that require payment.

The US DoJ is clueless.

Lots of people have a dynamic IP address, so that point isnt valid.

Veteran

toadeater

Posted
Posted
Lots of people have a dynamic IP address, so that point isnt valid.

People could also use someone else's PC or network. But if they didn't...

In any case, the IPs are logged. IPs are logged during Windows updates and downloads. Serial numbers are logged. Lots of identifiable info is floating around on MS servers that can be cross-referenced.

I'm not saying MS does this exclusively, Google does it too, and so do other major companies with the resources to spy on people.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.