Uh, yeah IP addresses are identifying

| Comments (0) | Networking
The EU has decided that IP addresses need to be treated as personally identifying information.
Google and other companies maintain that I.P. addresses are not personally identifiable information. One part of the argument is that I.P. addresses identify a computer, not the person using it. True. But that’s the same as a telephone; just because a call was made from a number doesn’t tell you exactly who was talking. Nonetheless, I suspect that most people believe their phone number is quite personal.

The other part of the argument has to do with dynamic I.P. addresses, the practice by Internet providers of switching the I.P. address of home users. Even there, I.P. addresses are not as anonymous as they would appear. Internet service providers keep records of what I.P. addresses are assigned to which customers at what times. Combine these I.S.P. records with a log file from a Web site, and you have a map to who has done what on the Internet.

Look, this isn't even close. It's certainly true that many home users have IP addresses that are assigned via DHCP, so in principle they're dynamic, but that doesn't mean that you don't regularly get the same IP. From what I hear, common practice for full-time Internet connections is to regularly assign the same IP addresses to the same host. The IP addresses change occasionally, but mostly they're semi-static, so the IP address is generally a pretty useful identifier. And of course, even if your IP address does change regularly, it's still possible to cross-correlate activities at multiple sites at the same time.

Of course, this doesn't tell you how IP address information should be handled. Web servers routinely log client IP addresses and your average small Web site has zilcho in the way of policies or mechanisms for purging this kind of information from their logs. So, saying that IP addresses need to be kept confidential would entail pretty significant changes to operational practice. So, it's a balancing act, but it's certainly not true that there's no privacy risk from IP information leaking; quite the contrary.

Leave a comment