Court: IP Addresses Are Not 'Personally Identifiable' Information
- by Wendy Davis @wendyndavis, July 6, 2009
In a ruling that could fuel debate about online privacy, a federal judge in Seattle has held that IP addresses are not personal information.
"In order for 'personally identifiable information' to be personally identifiable, it must identify a person. But an IP address identifies a computer," U.S. District Court Judge Richard Jones said in a written decision.
Jones issued the ruling in the context of a class-action lawsuit brought by consumers against Microsoft stemming from an update that automatically installed new anti-piracy software. In that case, which dates back to 2006, consumers alleged that Microsoft violated its user agreement by collecting IP addresses in the course of the updates. The consumers argued that Microsoft's user agreement only allowed the company to collect information that does not personally identify users. Microsoft argued that IP addresses do not identify users because the addresses don't include people's names or addresses. The company also said that it did not combine IP addresses with other information that could link them to individuals.
Last month, Jones sided with Microsoft and dismissed the case before trial.
But some say that Jones's decision about IP addresses is inconsistent with other recent opinions about the issue. Eric Goldman, director of the High Tech Law Institute at Santa Clara University, points out that the European Union considers IP addresses to be personal information. Last year, the EU said that search engines should expunge users' IP addresses as soon as possible.
Additionally, a court in New Jersey ruled last year that Internet service providers can't disclose users' IP addresses without a subpoena, on the theory that people expect their IP addresses will be kept private.
Marc Rotenberg, executive director of the Electronic Privacy Information Center, criticizes the Microsoft ruling as "a silly decision." "The judge didn't understand the significance of the IP address or the reason that it was collected," he says.
Rotenberg adds that the judge prematurely dismissed the case, arguing that more facts were needed to determine whether IP addresses were personally identifiable.
Today, industry observers say that IP addresses can be combined with other information to determine people's identity. In addition, even when IP addresses have been anonymized, it's possible to associate the account with a specific individual, given enough other information. The most famous example occurred in 2006, when AOL released search logs showing queries made by more than 650,000 members. The members' IP addresses had been changed, but the queries themselves contained enough clues to people's identities that The New York Times was able to find and profile one "anonymized" user, Thelma Arnold, within days. At the time of that incident, many companies took the position that IP addresses were not personally identifiable information.
Jules Polonetsky, co-chair and director of the think tank Future of Privacy Forum, adds that many sites with older privacy policies maintain that they don't collect personally identifiable information, but log IP addresses. "For many years, people just threw around the term 'personal information,'" he says. "They didn't pay attention to account IDs in the hands of third parties, IP addresses -- other types of information that, with some effort, could become identifiable."
Polonetsky says that companies today are rewriting privacy policies to more carefully define their terms, adding that many in the industry now view IP addresses as more sensitive than completely random data.
This is interesting because both sides have solid points. Where IP addresses can identify an individual they are by no means without failure. Not only are IP addresses routinely rotated between individual account holders with ISP's they are also shared between many computers. And throw in WiFi to the mix and they become about as personally identifying as a ringtone. Computers are machines and can be accessed and used by any number of individuals. They are not unique to a person and should never be assumed to constitute an person.
Until such time that IP addresses are assigned to an individual for life (look to the future when they're like a SSN) their use as an identifier is circumstantial at best.
While some ISP's rotate IP addresses, usually it is only likely with dial-up accounts. If you are connected and stay connected then your IP address will seldom change.
When you visit a site where you have purchased something, have an account, or a profile, if any of those sites share information with 'associates' , and if other sites with perhaps embedded media or widgets which catch your IP address share their info... or the media server, etc etc.
If you have an always-on PC at home then your IP address will be unlikely to change, and even if you turn the PC off, but not the modem, you will still have the same IP address.
Perhaps several sires you visit all use the same free webserver log/statistics or counter then the provider would be able to track you.
If the ISP is co-operating even without giving out your identity, it is really easy to establish who you are by where you visit and get your email.
Granted, you might live in a house with several other people and share an internet connection and if it isn't obvious who's clicking what, your cookies or other actions will give you away.
This is all moot anyway. If you have a fixed unshared address then you are toast.
Why should an individual be forced to share with other people in order to get some semblance of privacy on the internet?
The onus should be the other way, and anyone with any honesty and ethics would likely agree.
If you want to track users, make sure you do it with their blessing, otherwise you might make a dollar or two but you'll ultimately be out of business.
Whilst many may not appear to care about privacy, enough do that eventually the result will be no consumer information, they'll start masking everything.
Perhaps it would be better to look at ways of giving more privacy in return for more usable, relevant and voluntary information.
I see a key opportunity in being able to make the purchasing process instantaneous, which should see more purchases completed. A convenient outcome of our approach is that we can make it more anonymous, safer and provide better data for marketers. The number of consumers prepared to have a personalized internet experience goes right up if you are prepared to proactively protect their identity and privacy and they still want their recognition and loyalty.
Back to the IP address issue, the judge erred.
It is a pathetic argument to propose that the only protection is having a shared or dial-up internet connection.
There are no ethics anymore.
Judge Jones needs to be reviewed by a board of his peers regarding this ruling. This smells of imprudence or incompetence I"m not sure which. The courts have long held that an IP address and the time it was harvested are personally identifiable. With this ruling, all RIAA suits in Washington can be thrown out under insufficient evidence. For that matter, all pending computer crimes where IP information was used to identify the perpetrator are at risk. If however, Judge Jones insists that the address only identifies the machine then perhaps he'd be willing to post his credit card number online. After all, it only identifies the card in his wallet.
Jerome