| ||||||||||||
PRINT
COMMENT
SUBSCRIBE
RSS
In a ruling that could fuel debate about online privacy, a federal judge in Seattle has held that IP addresses are not personal information.
"In order for 'personally identifiable information' to be personally identifiable, it must identify a person. But an IP address identifies a computer," U.S. District Court Judge Richard Jones said in a written decision.
Jones issued the ruling in the context of a class-action lawsuit brought by consumers against Microsoft stemming from an update that automatically installed new anti-piracy software. In that case, which dates back to 2006, consumers alleged that Microsoft violated its user agreement by collecting IP addresses in the course of the updates. The consumers argued that Microsoft's user agreement only allowed the company to collect information that does not personally identify users. Microsoft argued that IP addresses do not identify users because the addresses don't include people's names or addresses. The company also said that it did not combine IP addresses with other information that could link them to individuals.
Last month, Jones sided with Microsoft and dismissed the case before trial.
But some say that Jones's decision about IP addresses is inconsistent with other recent opinions about the issue. Eric Goldman, director of the High Tech Law Institute at Santa Clara University, points out that the European Union considers IP addresses to be personal information. Last year, the EU said that search engines should expunge users' IP addresses as soon as possible.
Additionally, a court in New Jersey ruled last year that Internet service providers can't disclose users' IP addresses without a subpoena, on the theory that people expect their IP addresses will be kept private.
Marc Rotenberg, executive director of the Electronic Privacy Information Center, criticizes the Microsoft ruling as "a silly decision." "The judge didn't understand the significance of the IP address or the reason that it was collected," he says.
Rotenberg adds that the judge prematurely dismissed the case, arguing that more facts were needed to determine whether IP addresses were personally identifiable.
Today, industry observers say that IP addresses can be combined with other information to determine people's identity. In addition, even when IP addresses have been anonymized, it's possible to associate the account with a specific individual, given enough other information. The most famous example occurred in 2006, when AOL released search logs showing queries made by more than 650,000 members. The members' IP addresses had been changed, but the queries themselves contained enough clues to people's identities that The New York Times was able to find and profile one "anonymized" user, Thelma Arnold, within days. At the time of that incident, many companies took the position that IP addresses were not personally identifiable information.
Jules Polonetsky, co-chair and director of the think tank Future of Privacy Forum, adds that many sites with older privacy policies maintain that they don't collect personally identifiable information, but log IP addresses. "For many years, people just threw around the term 'personal information,'" he says. "They didn't pay attention to account IDs in the hands of third parties, IP addresses -- other types of information that, with some effort, could become identifiable."
Polonetsky says that companies today are rewriting privacy policies to more carefully define their terms, adding that many in the industry now view IP addresses as more sensitive than completely random data.
96 people recommend this article.
RSS FEEDS
Jerome
If you have an always-on PC at home then your IP address will be unlikely to change, and even if you turn the PC off, but not the modem, you will still have the same IP address.
Perhaps several sires you visit all use the same free webserver log/statistics or counter then the provider would be able to track you.
If the ISP is co-operating even without giving out your identity, it is really easy to establish who you are by where you visit and get your email.
Granted, you might live in a house with several other people and share an internet connection and if it isn't obvious who's clicking what, your cookies or other actions will give you away.
This is all moot anyway. If you have a fixed unshared address then you are toast.
Why should an individual be forced to share with other people in order to get some semblance of privacy on the internet?
The onus should be the other way, and anyone with any honesty and ethics would likely agree. If you want to track users, make sure you do it with their blessing, otherwise you might make a dollar or two but you'll ultimately be out of business.
Whilst many may not appear to care about privacy, enough do that eventually the result will be no consumer information, they'll start masking everything.
Perhaps it would be better to look at ways of giving more privacy in return for more usable, relevant and voluntary information.
I see a key opportunity in being able to make the purchasing process instantaneous, which should see more purchases completed. A convenient outcome of our approach is that we can make it more anonymous, safer and provide better data for marketers. The number of consumers prepared to have a personalized internet experience goes right up if you are prepared to proactively protect their identity and privacy and they still want their recognition and loyalty.
Back to the IP address issue, the judge erred. It is a pathetic argument to propose that the only protection is having a shared or dial-up internet connection.
There are no ethics anymore.
Until such time that IP addresses are assigned to an individual for life (look to the future when they're like a SSN) their use as an identifier is circumstantial at best.