Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

E.U. Regulator Says IP Addresses Are Personal Data

samzenpus posted more than 6 years ago | from the do-not-share dept.

Privacy 164

NewsCloud writes "Germany's data-protection commissioner, Peter Scharr told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address, 'then it has to be regarded as personal data.' Scharr acknowledged that IP addresses for a computer may not always be personal or linked to an individual. If the E.U. rules that IP addresses are personal, then it could regulate the way search engines record this data. According to the article, Google does an incomplete job of anonymizing this data while Microsoft does not record IP addresses for anonymous search."

cancel ×

164 comments

That's as may be... (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22162944)

...but niggers still stink.

Yep, they do!

Is a license plate personal data? (5, Insightful)

Anonymous Coward | more than 6 years ago | (#22162962)

Because that's today's car analogy for an IP address.

Re:Is a license plate personal data? (4, Insightful)

Respawner (607254) | more than 6 years ago | (#22163364)

actually, if you're using it to identify somebody, or if you keep it as general information about somebody(access log), then yes, yes it is
just like a social security number is personal data, or the number on your id-card or your home-address and so on
ooh yeah, don't confuse US-law with EU-law ;)
and offcourse, IANAL

Re:Is a license plate personal data? (1)

Nullav (1053766) | more than 6 years ago | (#22163400)

Yes, a license plate won't end up on a car six miles away in a matter of months/years. (Hours in the case of dial-up.)

Re:Is a license plate personal data? (2, Interesting)

barocco (1168573) | more than 6 years ago | (#22163416)

Don't quite agree... I don't think when you pull into the pharmacy to 'GET' a small-size condom you need to utter your license plate number to initiate a conversation & transaction with the cashier (well, in which case you'd probably avoid any conversation but just have the transaction done).

Re:Is a license plate personal data? (0)

Anonymous Coward | more than 6 years ago | (#22164652)

I don't think when you pull into the pharmacy to 'GET' a small-size condom you need to utter your license plate number

No, that's only if you want Sudafed.

Re:Is a license plate personal data? (1)

jgeeky (974074) | more than 6 years ago | (#22163654)

also, i can't shell into your car from my car and drive it around. or can i? muahahahaha

Re:Is a license plate personal data? (2, Informative)

LordSnooty (853791) | more than 6 years ago | (#22164596)

Yup, in my country whenever a car is shown on a news report for example they blur out the registration number. This is in line with data protection legislation of the late 90s.

Re:Is a license plate personal data? (1)

flashdot1234 (925924) | more than 6 years ago | (#22164782)

Some of my work is to develop basic services for ISP's. This includes systems that manage the sale and delivery of, say, an ADSL subscription. The system can generate your PPPoE username, and provide it preprogrammed into your modem. Our services include the authentication services that are later used to decide wether you can have access to your service or not. The ISP can access your account, and know what IP address you've had at any point in time. The search can also be reversed, to find out who had a specific IP address at a given point in time.

I have to say, these data are not available to the general public, so in that sense your IP address doesn't say much about your person. The problem arises if the police are given access these data more and more without the need for court orders and such, it becomes easier and easier for them to "interpret" what they find in any direction they'd like.

Let's say my computer got hijacked, and was used in a computer break-in. I get prosecuted for this, and my logs show I've read a lot about computer vulnerabilities. Doesn't look good, does it? Even though the reason for the reading up on vulnerabilities is tied to my work, it becomes pretty easy to paint a completely different picture.

I haven't read TFA, but I at least partially agree that IP addresses are personal data. If you could combine all the logs that exist from your movements online, they have the potential to say quite a lot more about your personal behavior than most people would be comfortable with.

Heath Ledger can no longer have an IP address :( (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22162964)

And he can't butt-fuck :( :( :(

RIP HEATH

He's totally right (4, Funny)

smitty_one_each (243267) | more than 6 years ago | (#22162966)

Re:He's totally right (5, Funny)

unlametheweak (1102159) | more than 6 years ago | (#22163600)

Don't believe everything you read. The Onion has about as much credibility with me as Fox News.

Re:He's totally right (4, Funny)

packeteer (566398) | more than 6 years ago | (#22164260)

Lies! Not only is fox fair and balanced but the Onion is "America's finest news source."

Citation needed (0, Flamebait)

Divx (716186) | more than 6 years ago | (#22162968)

First of all, where is your proof that microsoft does not keep logs of IP addresses. And which microsoft site? msn.com? live.com?

Re:Citation needed (1, Funny)

Anonymous Coward | more than 6 years ago | (#22163006)

No problem [google.com]

Re:Citation needed (2, Insightful)

Your.Master (1088569) | more than 6 years ago | (#22163402)

The report isn't released yet. It's from an EU regulator. These guys aren't noted for being particularly sympathetic toward Microsoft. This sort of question is kind of tinfoil-hattish.

Look at the privacy policies of Microsoft and Google. Search them out yourself. Google them, or live search them if you don't want your IP logged. MS's official position on privacy is generally fairly strict, and they consider it a selling point. Google's is less so, and they consider it a non-issue.

If you disbelieve these stated corporate policies, then you really should get in contact with a lawyer and take some action.

Re:Citation needed (2, Funny)

Kamokazi (1080091) | more than 6 years ago | (#22163634)

With a statement like that I really doubt you'd even believe it coming from your own mother holding a document signed by Bill Gates and notorized by a Supreme Court judge. Because, you know, Microsoft doing something better than Google completely contradicts the Slashdot Theory of Logic.

If it's personal property... (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#22162980)

...niggers'll steal it.

Ron Paul 08

Re:If it's personal property... (0)

Anonymous Coward | more than 6 years ago | (#22163262)

You know, the keen insight and argumentation on display in this [hotair.com] audio clip of a Paulestinian really tempts me.
To vote for him, or disembowel myself with an ice pick, I'm unsure which...

BUTTSECKS? (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22162998)

R.I.P Heath.

Re:BUTTSECKS? (0)

Anonymous Coward | more than 6 years ago | (#22163186)

Yep. Just wouldn't be a news cycle without some death porn.
Kind of a shortage of nubile women dying macabre deaths at the moment, but the posthumous role as The Joker puts an off-beat spin on things.
So much schadenfreude, so little time.

Re:BUTTSECKS? (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22163560)

Well there once were two cowboys alone out on the trail.
And they discovered they could sleep with another male!

Now they're having Butt Sex! Cowboy Butt Sex!

Sodomyyyyyyyyyy!
Come on everybody!
Sodomyyyyyyyyyy!
Sodomyyyyyyyyyy!

Sodomy.

doubtful (1)

no-body (127863) | more than 6 years ago | (#22163020)

if the flood of greed to tracking ($$'s) everyone's move can still be held back:

In email source:

HTML comment tag open [WEBTRENDS-Tracking] HTML comment tag close

img alt="DCSIMG" id="DCSIMG" width="1" height="1" src="http://statse.webtrendslive.com/dcskvlalu100004rfxyw......

Strange idea (3, Interesting)

geek (5680) | more than 6 years ago | (#22163026)

Never really looked at it this way. I think it's become ingrained in us that IP's are a way of tracking instead of a way of communicating. Being able to track them is just a side issue. If we look at an IP as a means of communication then does that not make it private in some way? I don't know exactly how I feel about this but I'd certainly like to have more rights rather than less of them.

Re:Strange idea (4, Insightful)

Amorymeltzer (1213818) | more than 6 years ago | (#22163552)

I always visualized it akin to your telephone number - yeah, it's your number, but anyone can look it up in the pages. You work a bit to get on the no-call list and taken out of the directory, and of course, you can change your number or hide it from caller ID.

Re:Strange idea (1)

tjohns (657821) | more than 6 years ago | (#22164228)

But even if you hide it from Caller ID, telephone numbers still get transmitted via ANI [wikipedia.org] .

Doesn't quite work as an analogy (2, Insightful)

CaptainZapp (182233) | more than 6 years ago | (#22164338)

yeah, it's your number, but anyone can look it up in the pages

While everybody can check a directory such directories don't exist for IP numbers. Respectively the information needs to be obtained from the ISP.

I never heard of the requirement of a court order before checking a phone directory.

Re:Doesn't quite work as an analogy (0)

Anonymous Coward | more than 6 years ago | (#22164938)

Being in the phonebook is, and should be, optional.

Re:Strange idea (0)

Anonymous Coward | more than 6 years ago | (#22164846)

> yeah, it's your number, but anyone can look it up in the pages
Which is why most domestic landlines are ex-directory and any attempt to create a mobile directory has failed.

So... (3, Interesting)

deepershade (994429) | more than 6 years ago | (#22163046)

Does that mean that if passed, then the RIAA can't use my personal data 'IP' to sue me? TFA was a little short on details of the reprecushions of this.

Re:So... (1)

barry_the_bogan (976779) | more than 6 years ago | (#22163222)

Well TFS said it was in the European Parliament, since the RIAA is an organisation in the USA, I would assume it has little relevance to what the RIAA can do. However, the European equivalent of the RIAA might have more trouble pinning stuff on you.

Re:So... (5, Informative)

alx5000 (896642) | more than 6 years ago | (#22163316)

There's no European equivalent to RIAA... maybe there's such an organization on a country level, but I can assure you that sharing is completely legal in Spain, since fair use covers any kind of private copy, no matter whether you own the original or not (and yes, P2P falls into that category).

Re:So... (1)

smitty_one_each (243267) | more than 6 years ago | (#22163428)

Seeing as how the VP is such a VIP, shouldn't we keep the PC on the QT? 'Cause if it leaks to the VC he could end up MIA, and then we'd all be put out in KP

Re:So... (1)

mr_matticus (928346) | more than 6 years ago | (#22163486)

No. They'll still use your IP to sue you, just like they'd use your license plate to find you if you ran someone over with your car, or the registered customer of your cell phone if you made threatening calls.

This has potential implications for how easy it will be for them to get your IP and may legitimize some obfuscation methods.

Just like Target doesn't keep a list of all the phone numbers of customers that come in or out, websites you visit will now have to use a higher standard of care with your IP. They'll have to treat it like the other personal information they use--your name, address, phone number, and now your machine address.

What the before-the-chair-agains are, I don't know, though (you're looking for repercussions).

And they plan to implement this how?! (5, Informative)

CaptainPatent (1087643) | more than 6 years ago | (#22163062)

The only way to check and see if your IP is being kept is by changing the protocol entirely or by checking the company's servers. I'm guessing that not too many companies would appreciate people routinely rooting around, and if something to check if an IP is stored were to be implemented, the protocol would have to be vastly overhauled and it could slow down the internet 80% or more because of the extra time needed to "check."

The bottom line is this is much like the ruling in the US that companies had to keep a record of working memory (which is entirely impossible,) This seems to be more legislators talking about something they know very little about.

Don't get me wrong, I do appreciate the fact that it would make it harder for the ad industry to hunt you down which is always appreciated, I just don't think any reasonable implementation will work.

Re:And they plan to implement this how?! (1)

lordofwhee (1187719) | more than 6 years ago | (#22163324)

Easy way to tell if an IP is being used: ping them, or send a TCP SYN packet.

Re:And they plan to implement this how?! (2, Informative)

alx5000 (896642) | more than 6 years ago | (#22163370)

And, yes, while we're at it, let's not prosecute fiscal fraud (since it's so hard to check the company's books, and not too many companies want theirs scrutinized).

The same can be applied to websites collecting info on users to sell it to spammers. It's really, really (really!) hard to prove they've sold it, but that wouldn't stop legislators from sanctioning that law, would it?

If the EU passes a law that adds IP addresses to the list of protected private data, that only means it is illegal to collect them and store them. And if you get caught, face the consequencies, just like with any other law.

Re:And they plan to implement this how?! (1, Informative)

Anonymous Coward | more than 6 years ago | (#22163580)

Except for the glaring difference that companies are required to report their books for tax purposes which is what leads to them being caught.
I agree that when found, companies keeping IP information should be prosecuted, but finding them (and even finding evidence if they're smart about it) is going to be much harder than you suggest if not impossible. The GP post is correct though that in order to even detect if the IP was being stored the entire internet protocol system would need to be highly revamped.

Re:And they plan to implement this how?! (2, Insightful)

unlametheweak (1102159) | more than 6 years ago | (#22163986)

The real issue would be how any privacy protections like storing IPs would be enforced. It is doubtful that a company would willfully admit to storing IPs if it is against the law to do so. I know if I were running a server (Web, FTP, IRC, etc), then I would store IPs despite the law, just because it makes sense from a security perspective (I would want to know who is online, who to ban, etc).

IP's contain less value over time (most consumers have dynamic IP's, can switch ISPs, use proxies, etc), so storing them for years wouldn't make a lot of practical sense anyways in most cases. Calling something as ephemeral and virtual as an IP personal property may be fine for politicians, but the utility of this is yet to be seen.

The more practical solution would be to legislate what a company or individual actually does with an IP. Do they sell it to spammers or crackers? or do they store it so that they can ban known spammers or crackers from entering their servers?

Re:And they plan to implement this how?! (3, Informative)

dleigh (994882) | more than 6 years ago | (#22163422)

TFA (and some slashdot readers) seem to be assuming that he is calling for a ban on logging IPs. TFA is pretty thin on what was actually said at the meeting, just taking the assumption and asking a few search company spokespeople for their opinion on that assumption. The comissioner doesn't seem to be claiming anywhere that IP addresses should not be stored, or that regulators should check to see if they are not stored, or that any "implementation" of anything is or should be required. The only statement from him seems to boil down to "something which identifies a person should be considered personal data".

Re:And they plan to implement this how?! (2, Informative)

thannine (576719) | more than 6 years ago | (#22164096)

The comissioner doesn't seem to be claiming anywhere that IP addresses should not be stored, or that regulators should check to see if they are not stored, or that any "implementation" of anything is or should be required. The only statement from him seems to boil down to "something which identifies a person should be considered personal data".
And this would be the logical thing to say. Many posters have been wondering "how are they going to implement this?". Well, the thing is that laws like that are already in place (at least in Finland, but I'm assuming the rest of EU also), it's just the question of whether they apply to IP addresses as well as phone numbers, addresses, social security numbers etc. It's not illegal as such to store those, it's just regulated.

Re:And they plan to implement this how?! (5, Insightful)

mxs (42717) | more than 6 years ago | (#22163910)

You misunderstand the issue. If IP addresses are considered personal data, they can still be used during the connection and for tasks immediately related to servicing that connection -- akin to buying something with your credit card (which does not allow the store to store your personal information for purposes other than payment processing).

In Germany's current privacy and data protection laws, everybody has the right to decide what happens to their own personal information if it is being processed by computers. For instance, you can tell Amazon to delete all personally identifiable data they have about you, and they have to comply -- and you can ask any company that has personal data about you (such as your phone number, your address, etc. in telemarketing and plain old snailmail spam) to tell you where they got it from, what basis they have for keeping it, and to delete it from their databases. If they do not comply, you have a strong legal standing to compel them to give out this information (Mr. Sharr, who is quoted here, is the national representative for data protection, though there are more local ones as well -- if they suspect foul play, they /can/ raid businesses, and do so if warranted.

The legislators know very well what they are talking about. The scope of "personal data" is narrowly confined (anything that can be used to identify you or is saved in relation to data that can personally identify you or anything that could automatically be tied to you by a third party; IP addresses fall into the latter category; while a webhost will not be able to do the IP -> Name&Address resolution, the user's ISP could -- therefore the IP address is personally identifiable to a specific party through a third party and thus personal data protected under stringent data protection laws. This has been tested in court (the German DoJ, for instance, is no longer allowed to log IP addresses on their web servers by court order).

These laws don't "just" exist to combat the ad industry, but rather are an extension of one of our constitutions human rights, that is, the right to free self expression; this includes, under German law, the right to decide what happens to your data. There are, of course, certain restrictions (for instance, the DMV can process this data, as can other governmental bodies -- IF SPECIFICALLY AFFORDED THAT RIGHT BY LAW -- for their (narrow) purposes. You can waive this right (i.e. you can give your address to Reader's Digest for them to spam you with as they see fit -- if you give the permission (which is always revocable), they can do with your data whatever you allowed them to; Sweepstakes, for instance, are often designed to gather this data and get permission).

As for implementation thereof : I don't see a problem. The ip address can still be used to commmunicate same as before; it just can't be logged indefinitely nor used for purposes other than the intended one (i.e. connection establishment, communication, teardown vs. ad tracking) UNLESS the person in question has given permission. What this boils down to in Apache is adding mod_removeip. If no other information personally identifies your visitors (even through a third party), you can now log this data and do with it as you wish. Another possibility would be pseudonymizing the IP addresses with one-way hashes (though some care will have to be taken that this is not reversible easily, which may become a problem since there are only 32 bits in an IP address and thus bruteforcing is a viable tactic).

Nothing needs to be implemented to "check" whether the IP is stored. If you have a reasonable assumption that your contract partner is screwing you over, you can lodge a complaint with the Landesdatenschutzbeauftragter or Bundesdatenschutzbeauftragter (Mr. Scharr in this case), who will investigate -- same as when you suspect they are selling your address information illegally or engage in other illegal activites.

I for one am glad that there are some privacy advocates who thing about this stuff and its implications. It's sensible to consider IPs personal data; You may think that "if only a third party could identify the user, it doesn't make it personal" -- but just think about ISPs who are also providing web hosting services, or are otherwise content providers (just about all of them are and do, and consolidation in the market only makes this more prevalent) -- they don't even need a third party. And that is where it becomes dangerous, privacy-wise.

Re:And they plan to implement this how?! (0)

Anonymous Coward | more than 6 years ago | (#22164118)

So, in your plan, how do websites fulfill their legal obligation to keep records on what they charge advertisers? Without some form of [at least somewhat] verifiable logs, there is no record proving that real users were ever shown the ads. In the US at least, that won't fly anymore in the post-Enron world of SOx [wikipedia.org] . As a result, with your model the modern advertising-supported web would disappear.

Luckily, the EU has mostly been talking about an 18 month limit for storing personally identifiable information, which does allow businesses to balance their obligations. Of course, anything less would be complete hypocracy considering the EU's mandatory data retention [wikipedia.org] policy for ISPs. Maybe that's what you meant when you said "The legislators know very well what they are talking about." They sure do.

Re:And they plan to implement this how?! (1)

pipatron (966506) | more than 6 years ago | (#22164268)

Without some form of [at least somewhat] verifiable logs, there is no record proving that real users were ever shown the ads.

Great! This would mean that there's no ads on television, because such a model could never work. I guess I stopped watching TV because I'm crazy and see things that doesn't exist then.

Re:And they plan to implement this how?! (1)

Fastolfe (1470) | more than 6 years ago | (#22164344)

Web ads are not billed based on placement, with the "hope" that some number of eyeballs will see it. Web ads are billed based on the number of impressions or clicks. SOX is a HUGE deal for these types of arrangements. If you're suggesting that web ads move to the TV ads model, that's a fairly significant change and I'm not really sure that would work out very well. You'd need some sort of awkward payment schedule for the millions of tiny sites out there that generate just enough traffic for a few bucks a month in revenues. These add up to a lot for advertisers but would be incredibly difficult to bill.

worry about the German government first (1, Informative)

nguy (1207026) | more than 6 years ago | (#22164486)

In Germany's current privacy and data protection laws, everybody has the right to decide what happens to their own personal information if it is being processed by computers.

Well, that is, except for all the ways in which the German government uses that information to track you and spy on you. German privacy attitudes are schizophrenic: they live in a country with a history of governments perpetrating genocidal mass murder based, in large part, on personal information and connections between citizens. You were a Jew? You died. You had contact with communists? You died. The East Germans even continued that proud tradition of neighbors spying on neighbors and kids spying on parents throughout the 20th century.

Yet, all Germans seem concerned about is whether big, evil US corporations can get their data, while everything they do and say can be traced back to them: phones need to be registered, web sites need to provide full information, there is effectively no anonymous free speech, televisions need to be registered, the German government can get all your connection information, and you even register your religion with the German government.

German politicians talking about "privacy" is ridiculous. The "Bundesdatenschutzbeauftragter" is a smokescreen for one of the most intrusive surveillance societies in the world. Germans should worry about their own government before trying to tell other nations about data protection.

Re:worry about the German government first (2, Insightful)

Yvanhoe (564877) | more than 6 years ago | (#22164774)

Germans learned from nazism and sovietism that privacy was a damn serious issue. That any entity with personal information about several million people can turn into something nasty. They completely understand how IP logs could be used in a bad way, Americans tend to be optimistic about this but Germans already have undergone two periods of oppression that relied on an extensive invasion of privacy.

Re:And they plan to implement this how?! (1)

jez9999 (618189) | more than 6 years ago | (#22164852)

Don't get me wrong, I do appreciate the fact that it would make it harder for the ad industry to hunt you down which is always appreciated,

That's an idiotic opinion. If you find a way to block ads, then it doesn't matter either way; if not, at least personalized ads will be personalized. Your fear of them 'tracking you down' is irrational, as if you think they're kidnappers or something.

Just Addresses (4, Insightful)

excelblue (739986) | more than 6 years ago | (#22163068)

I am truly disappointed in this. If IP addresses are a means of communications, wouldn't that be similar to phone numbers?

It shouldn't be any more personal than a phone number is. Whenever someone calls me, I like to log them on my caller ID. I don't see a difference here.

Re:Just Addresses (2, Insightful)

davetpa (1109467) | more than 6 years ago | (#22163188)

It shouldn't be any more personal than a phone number is. Whenever someone calls me, I like to log them on my caller ID. I don't see a difference here.
But what about if the phone company sells your phone number (no other information attached) along with a record of all the numbers you called and all the numbers that called you? Now your phone number is no longer just a means of communication.

The scary part is that they've been doing that for years WITH your other personal information!

Re:Just Addresses (1)

SnowZero (92219) | more than 6 years ago | (#22164136)

But what about if the phone company sells your phone number (no other information attached) along with a record of all the numbers you called and all the numbers that called you? Now your phone number is no longer just a means of communication.
I would say that we need laws that differentiate between storing and selling?

I don't care if Joe the barber keeps a record of all the appointments I've ever made with him, and the phone number I used to make each appointment. What I do care about is that he does not give away or sell this information, and that he uses due diligence to protect the information from being stolen.

Anything else is getting far too close to a world like 1984, where keeping a diary can become illegal.

Re:Just Addresses (1)

Harmonious Botch (921977) | more than 6 years ago | (#22163190)

Or is my street address personal data? Or how about "the girl next door"? That is a unique identifier too.

There's a girl next door to me (0)

Anonymous Coward | more than 6 years ago | (#22164626)

Do you mean her?

Re:Just Addresses (4, Insightful)

mr_matticus (928346) | more than 6 years ago | (#22163434)

Yeah.

That's exactly what's going on. Your phone number is personal data, too.

I don't understand the source of your disappointment, unless you think that personal data is private information. It's not.

Re:Just Addresses (1)

Chancer (246051) | more than 6 years ago | (#22163470)

1. this is old news. WU has classified IP as PII for a long time now.

2. Yes - it is exactly like your phone number. Given your phone number, I stand a very good chance of figuring out who you are - thus it is personally identifying.

The reason that this is a bad thing to store is that I can get a court order to request all the search records from Yahoo that were made from your IP address - thus showing that you did indeed search for 'male escorts NYC'.

Having it noted as PII means that nobody can store it (in search logs for example) without your express permission, and thus if it ain't logged, the search query can't be associated with your good name.

Re:Just Addresses (1)

dnahelix1 (1060308) | more than 6 years ago | (#22163478)

Yes, but I can block my phone number from showing up on your caller id, though.

Re:Just Addresses (5, Informative)

Beriaru (954082) | more than 6 years ago | (#22163512)

Your name is personal data, but not private.
Your phone number is personal data, but not private.
Your Address is personal data, but not private.
And of course, your IP is not private... but is part of your personal data.

Maybe in USA there is no difference between private and personal data, but in EU there's a big difference: nobody can NOT store your personal data without warning you and giving methods to correct AND ERASE your data.

Re:Just Addresses (4, Funny)

QuantumG (50515) | more than 6 years ago | (#22163644)

nobody can NOT store your personal data without warning you
Well shit, I better warn you right now that I'm not storing your personal data.. that goes for everyone else reading this: I AM NOT STORING YOUR PERSONAL DATA!

Whew, lucky I got that out of the way.

Re:Just Addresses (1)

Tavor (845700) | more than 6 years ago | (#22163678)

Indeed. Should us Americans use a similar setup, I believe the RIAA would not be able to do it's I.P. address drift-net tactics. Though, as always, IANAL. Though I would love to hear NYCL's take on it.

Re:Just Addresses (1, Informative)

Anonymous Coward | more than 6 years ago | (#22164728)

[...] but in EU there's a big difference: nobody can NOT store your personal data without warning you and giving methods to correct AND ERASE your data.

I suppose you wanted to say: "nobody is allowed to store your personal data without warning you and giving methods to correct and erase your data."
This is a principle of German "Recht auf Informationelle Selbstbestimmung".

Anyway, I agree with Germany's 'commissioner for data protection and freedom of information' Peter Schaar (wrong name in TFA) that an IP is public, but nevertheless personal data (better term in German: "personenbezogene Daten") because as the 'Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data' (see Directive 95/46/EC [europa.eu] ) states:

Article 2
Definitions

For the purposes of this Directive:
(a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

Some prior commentators already agreed that a telephone number is personal data (though many don't seem to know the difference between private and personal data). Why not treat IPs the same way?

Please note that not all is well in Europe since telephone numbers (already regarded as personal data) and IPs have to be stored by the associated carriers (ISPs for example) for later processing by law enforcement agencies (allegedly solely) in the course of investigating terroristic activities and other crimes (see 'Directive 2006/24/EC [europa.eu] of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks').
This is heavily disputed (see e.g. http://www.dataretentionisnosolution.com/ [dataretent...lution.com] and Digital Rights Ireland challenge to Data Retention [digitalrights.ie] ).
By the way, there [riseup.net] are some proposed methods to disable logging of IPs regarding Apache webserver - et al..

For more information about 'EU Data Retention' see EU Data Retention - doqumentation [quintessenz.at] and Electronic Privacy Information Center [epic.org] .

Re:Just Addresses (1)

neoform (551705) | more than 6 years ago | (#22163648)

I'd say it's more like a home address. Would you get in trouble for writing down someone's address? Why should an IP address be any more 'personal'? I'd say both are quite impersonal.

Re:Just Addresses (1)

Zironic (1112127) | more than 6 years ago | (#22164842)

You're not allowed to store my address either without my permission.

Whoa (2)

MattPat (852615) | more than 6 years ago | (#22163088)

I can't believe what I'm seeing. Is this actually a semi-responsible technology-related decision made by a legislative body?

I'm not saying I necessarily agree with the complete "scrubbing" of Google et al.'s records, as it were, but the classification of an IP address as personally-identifiable information is definitely a positive step towards Internet freedom, and a reasonable expectation of some degree of privacy. At the very least, it gives you a leg to stand on when you find out that some company has been selling your browsing habits to an advertiser.

Re:Whoa (1)

gotzero (1177159) | more than 6 years ago | (#22163178)

It is hard to comprehend... Keep in mind it is the EU, not the US. ;) I sure enjoy checking out the server logs to my site, if only to see that we do reach worldwide, even to bots... I can clearly identify with both sides of this issue. Honestly, you have no privacy online if you do not take certain steps, and the general public should not be shocked by this!

Well, (0)

Anonymous Coward | more than 6 years ago | (#22163094)

"...while Microsoft does not record IP addresses for anonymous search."

Well, they will now.

Good news for cookies. (1)

gandhi_2 (1108023) | more than 6 years ago | (#22163138)

AFAIK, server-side IP-logging one of the few ways to maintain stateful web sessions without cookies.

This idea would kind of guarantee that cookies have no competition.

Sucks if you are an ISP. You buy a block of IP's but you can't use them...they are someone elses personal info? /. assigned me a user ID number....I believe that number properly belongs to slashdot. gandhi_2 though...I stole that from Wierd Al.

Trust Microsoft (3, Interesting)

Doc Ruby (173196) | more than 6 years ago | (#22163180)

According to the article, Google does an incomplete job of anonymizing this data while Microsoft does not record IP addresses for anonymous search.


Unless Microsoft is just lying. How can they be trusted, with their track record?

Re:Trust Microsoft (0)

Anonymous Coward | more than 6 years ago | (#22163476)

Unless Microsoft is just lying. How can they be trusted, with their track record?

Here, smoke this... it will help.

Re:Trust Microsoft (1)

the bluebrain (443451) | more than 6 years ago | (#22164038)

>> >> According to the article, Google does an incomplete job of anonymizing this data while Microsoft does not record IP addresses for anonymous search.

>> Unless Microsoft is just lying. How can they be trusted, with their track record?

Basically: "Never attribute to malice what can be adequately explained by stupidity". ... you know ... unless it's Microsoft ;)

Re:Trust Microsoft (0)

Anonymous Coward | more than 6 years ago | (#22164740)

Unless Microsoft is just lying.

That's like saying "Unless the ocean is wet".

Ok, more craziness (2, Interesting)

Psychotria (953670) | more than 6 years ago | (#22163182)

How is an IP address more "personal" than my GPS location at any given point in time? Sure an IP address can be "mine" if I have my own domain etc. This is not usually the case though. Most IP addresses are "owned" by the ISP and assigned to people via DHCP (except for static ones). This is not too much unlike a restaurant reserving tables for a customer, and sometimes reserving a table for a customer for a long time. It doesn't make the table being reserved the customers the customers personal property; the restaurant still owns it--it is no more personal than, well, any other table in an anonymous bar (for example). I can't see how IP addresses can be "personal".

Re:Ok, more craziness (0)

Anonymous Coward | more than 6 years ago | (#22163334)

Your GPS location is also subject to privacy laws in Europe, if it's personally identifiable, i.e. it can be attributed to you. Either would allow someone to track your whereabouts (virtual or real.) What's relevant isn't that you own the address or location. It is the fact that it is information about you which makes it private data.

Re:Ok, more craziness (0)

Anonymous Coward | more than 6 years ago | (#22163630)

I have a static IP address. Everybody ought to have a static IP address -- a bunch of them to be exact. The distinction of "server machines" and "client machines" is unnatural. It was the result of the IPv4 address shortage and has provided companies a nice way to keep the consumers under their thumbs (Skype).

The European privacy rules don't apply to secret information only (as though you social security number, DOB or mother's maiden name were secret). The rules regulate how you are allowed to compile and index databases on people. You are not allowed to use the SSN as a customer ID because that would make it too easy to join databases. Similar restrictions should apply to other globally unique IDs.

Re:Ok, more craziness (0)

Anonymous Coward | more than 6 years ago | (#22163960)

IP addresses are personally identifying traits. To use your analogy, it's like "the guy that always sits at in the booth in the corner." All you have to do is ask the server (no pun intended), and she'll tell you the guy's name, favorite entree, and how well he tips.

However IMHO, the elsethread discussion of requiring notifications for storing and allowing you to request the deletion of your personal data shouldn't apply to IP addresses because it's part of the communication protocol, and because effective access control requires extensive logging. You can't tell someone not to keep the envelopes of the letters you mailed them; you shouldn't be able to demand that they remove your IP address from the logs/databases either.

If people don't want someone to know their IP address, they can use a proxy. But they also shouldn't complain when the proxy gets banned for abuse because other users are doing not-so-nice things on the site they're trying to access.

Re:Ok, more craziness (1)

mxs (42717) | more than 6 years ago | (#22163966)

How about IP address + timestamp ?

Your address ISP Webhost IP + Timestamp GET /hot/brunette/doing/funky/stuff/naked/001.jpg --> Your address --> GET /hot/brunette/doing/funky/stuff/naked/001.jpg (and that is personal data since it identifies you as a person doing something.

Re:Ok, more craziness (1)

Psychotria (953670) | more than 6 years ago | (#22164078)

Yeah; your IP address still isn't private though, so I stand by my original argument. There are ways to get around that of course.

Re:Ok, more craziness (1)

mxs (42717) | more than 6 years ago | (#22164190)

Your original argument was "personal data" not "private data". There is a difference. It's not about hiding your personal data, it's your right to decide what happens to your personal data -- in particular whether it can be used for stuff other than the purpose you intended, legally.

Your Computer Is Broadcasting an IP Address! (0)

Anonymous Coward | more than 6 years ago | (#22163204)

Unfortunately (because he's a smart person with the right ideas) the guy has no power beyond telling everyone what he thinks data privacy should be and how sorry the actual state of affairs is. This may eventually lead to more stringent regulations, but note that in Germany, it is already a violation of privacy laws to record personal information, including IP addresses, in logfiles without telling the visitor about it. Apparently the justice department hasn't heard of the law, because their web server does precisely that. And so does everybody else's server and nobody cares.

Silly? (1)

Damocles the Elder (1133333) | more than 6 years ago | (#22163272)

I realize it sounds silly at first glance, but I'd agree with the general idea. While an IP isn't private per se, you don't run around IRC and chat channels shouting your IP at random people. Your IP is between you and whatever sites you choose to visit. In addition to that, you generally don't want your named linked to an IP. Even if an untrustworthy website, they have your IP but not your name with it. Once you have a name and an IP, someone with an axe to grind can start trying in earnest to break the door down, or DDoSing your personal website, if you have one.

Begs the question... (2, Interesting)

creimer (824291) | more than 6 years ago | (#22163276)

If IP addresses are personal data, who owns 127.0.0.1?

Re:Begs the question... (1)

scoot80 (1017822) | more than 6 years ago | (#22163310)

Your computer does.

Re:Begs the question... (3, Funny)

lexarius (560925) | more than 6 years ago | (#22163452)

Well, that's my computer's IP address, so it's obviously mine, and I'll have to ask you to stop waving it around like that.

Re:Begs the question... (0)

Anonymous Coward | more than 6 years ago | (#22165134)

Ha, you revealed your identity. Your getting nuked now Mr. 127.0.0.1!

Re:Begs the question... (1)

jroysdon (201893) | more than 6 years ago | (#22163460)

Same guy that owns ::1 [hp.com]

Re:Begs the question... (0)

Anonymous Coward | more than 6 years ago | (#22163626)

Obviously since 127.0.0.1/8 is in my routing prefixes, *I* own that IP block. Get off my damned lawn.

IP (0)

Eddi3 (1046882) | more than 6 years ago | (#22163360)

Based on this conclusion, an IP == IP (Intellectual Property), then?

wtf is wrong with this faghole? (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22163372)

this place looks like dogshit in firefox. ie does a much better job. fucking fags.

So... (0)

Anonymous Coward | more than 6 years ago | (#22163480)

Those annoying ads, about "Your computer is broadcasting your IP address"... were right all the time?

Major legal issues arising? (2, Interesting)

DigitAl56K (805623) | more than 6 years ago | (#22163672)

If IP addresses are personal data, and you visit my web page, and my access logs show I served an IP that you used at a certain time (or even just that I served an IP you used), am I now subject to laws regarding the holding of personal information? If you were to contact me and request that information how would I authenticate you? If I was to disclose certain parts of the "personal data" that you claimed belonged to you, how could I know that I was not disclosing someone else's personal information, given that I can't necessarily authenticate you or anyone else and IP's can be re-allocated? If I ban an IP address for abusing my server and it is later re-allocated to someone else, is that slander? If I forward an e-mail whose headers contain IP addresses of relay servers, is that unlawful disclosure of personal information?

This is totally ridiculous.

Re:Major legal issues arising? (2, Informative)

arkhan_jg (618674) | more than 6 years ago | (#22164586)

You're assuming the restrictions on personal data are greater than they are. If IP's are judged personal data, that makes them like a telephone number or an address (The Act covers any data which can be used to identify a living person). Still, you do have some responsibilities, *if you're in the EU* with regards handling personal data. Basically, there are restrictions on publishing it or sharing it around without permission, and you can only use it for the original purpose for which it was collected. (Sensitive personal data, i.e. really private stuff, is more strictly controlled)

For example, say you were to publish your webserver access logs; you'd be better off anonymising the IP's somewhat first. Just as if I call you on the phone, you're allowed to store the caller ID, call me back or even put me on your internal call-list - but publishing my phone number, along with transcripts of our conversations without permission would be a no-no. Nor can you flog it off on the open market to cold callers. When you sign up for a phone line here, you're asked if you want the number to appear in the phone book, or go ex-directory.

Again, this only applies if you live in an EU country with data protection laws.

If IP addresses are personal data, and you visit my web page, and my access logs show I served an IP that you used at a certain time (or even just that I served an IP you used), am I now subject to laws regarding the holding of personal information?
If you're an individual holding the data for your own personal use, you are exempt from much of the data protection act, including having to tell people when they ask what data you hold on them. If you're a company, when given a proper request and the fee to handle the request, would have to look in the logs when given the IP, and would have to report that yes, you hold 7 instances of that IP in your log. If your log expires before you have to answer the request (40 days I think) , you don't have to give anything.

If you were to contact me and request that information how would I authenticate you? If I was to disclose certain parts of the "personal data" that you claimed belonged to you,how could I know that I was not disclosing someone else's personal information, given that I can't necessarily authenticate you or anyone else and IP's can be re-allocated?
You don't have to disclose the other data that goes with the IP, just the IP itself that they supply to you. You then say whether you hold that or not.

If I ban an IP address for abusing my server and it is later re-allocated to someone else, is that slander?
It'd be libel as it's written, not slander as that's spoken. Libel only applies if you *publish* lies about someone, such as 'this IP searches for goat porn' (when they don't). Storing it for your own blacklist is fine. If you're a company, the new holder of the IP could ask that you correct your record under data protection law though.

If I forward an e-mail whose headers contain IP addresses of relay servers, is that unlawful disclosure of personal information?
No, because relay servers do not identify a living human. Also, it's the processing and storage of personal identifying data for later use that's covered, not mere transmission. The owners of servers that store those emails would likely have responsibilities under the data protection act, but then they do anyway because of the contents of the email itself!

Re:Major legal issues arising? (1)

GryMor (88799) | more than 6 years ago | (#22165182)

How does this work exactly? Due to dynamic ips, NAP, non routable addresses and other network idiosyncrasies, an ip doesn't identify a specific person without further context any more than the name John Smith identifies a specific person without further context. Can I really make a request of a company to identify how they got every occurrence of John Smith in their database? As this provides context, how does it fail to infringe on the privacy of the other John Smiths? Similarly, if an well formed inquiry is made about a particular ip, how can I respond without potentially violating the privacy of the other, ephemeral, users of that ip address?

Return Address is private then Dynamic Nature (1)

FromTheAir (938543) | more than 6 years ago | (#22163984)

I suppose that the return address on an envelope is private now then. An IP address is the communications address. It does not mormally reflect the same use because they are often dynamic rather than static. Hundreds of people can come through the same IP address. So an IP address seldom represents a single entity for more than a short period of time.

On the other hand I think who the IP address is assigned to below the provider is private information. In other words ISPs whould not be divulgin who they assigned an IP address to becuase this could allow individual specific information to be collected.

IP addresses are used for HTTP (1)

Not Invented Here (30411) | more than 6 years ago | (#22164234)

But what about all the other ways that IP addresses are used and stored?

  • Will I need to register under the Data Protection Act in the UK because a default Debian install logs the IP address of failed ssh attempts?
  • Will this shut down Spamhaus [spamhaus.org] and other DNS block lists?
  • Will IP based Geolocation services have to shut down?

Re:IP addresses are used for HTTP (1)

Zironic (1112127) | more than 6 years ago | (#22164850)

They're fine as long as they don't give away the IP to anyone else.

IP addresses are personal data... (1)

nguy (1207026) | more than 6 years ago | (#22164412)

... and that's why the German government collects them, just like all other personal data.

Germany's positions on issues of privacy are rather two-faced, having one of the most intrusive surveillance states in the world, while at the same time proclaiming itself to defend personal freedoms.

It's Peter SCHAAR (3, Informative)

Doctor O (549663) | more than 6 years ago | (#22164518)

His name is Peter Schaar, not Scharr. One would think the editors would at least *skim* TFA.

Oh, and he's a great guy BTW, responding to email in a timely and thoughtful manner, and investigating the questions he's being asked.

Steal and abuse... (0)

Anonymous Coward | more than 6 years ago | (#22164648)

Somebody may have a compromised system which will be use to perform toxic actions without its consent.
You cannot link "for sure" an IP with somebody actions.
Beware! Here is an analogy to hint people on my way of thinking (never argue on analogies since contexts are always different) : A lent its car to B with generosity, B smashes C with A's car, B is responsible for hurting C, not A.

Or A opens its wifi network to anybody by generosity, B uses A wifi network to hack C's system. Well... C should have have GNU/Linux. :)

How will this affect Wikipedia? (2, Insightful)

ta bu shi da yu (687699) | more than 6 years ago | (#22164788)

Wikipedia records IP addresses for all anonymous editors. I wonder how this will affect the project?

You 1nsensitive clod! (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#22164956)

writing is on the was what got me that comprise fly...don't fear for aal practical windows, SUN or charnel house. The

IPv6 (1)

todslash (1025980) | more than 6 years ago | (#22165112)

Won't a byproduct of IPv6 be that everything will have a unique IP address and so become even more of a unique identifier.

And because there will be so many addresses I'm guessing that they won't get recycled very much at all.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...