Court Says IP Addresses Aren't Personally Identifiable Information
from the ok... dept
We've noted that in Europe, IP addresses are considered private info, and I've pointed out that I don't think IP addresses, by themselves, should be considered private. I agree that combined with other identifying information an IP address can reveal info about you, but just the numbers alone are not private. And it appears a judge agrees, noting that IP addresses are not "personally identifiable" information (sent in by Dave Barnes). I'm actually surprised about this, because most people seem to disagree with me on IP addresses. However, this does raise a separate question: if courts say IP addresses are not personally identifiable, then does that shoot a large hole in most of the RIAA cases which rely on IP addresses? After all, the judge in this ruling said:"In order for 'personally identifiable information' to be personally identifiable, it must identify a person. But an IP address identifies a computer."
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: ip addresses, personal info
Reader Comments
Subscribe: RSS
View by: Time | Thread
Interesting...
This is a bit of nitpicking, but an IP address identifies a addressable device and not necessarily just computers. That device in turn can be a router, phone, computer, or microwave oven for that matter. The big issue I have with saying an IP address identifies a computer is that many times the IP address identifies a NAT based router or proxy server which further hides the true device making the request and of course has no provable correlation to the person that may or may not have been involved in said request.
Freedom
[ link to this | view in chronology ]
Re: Interesting...
Usually only when those devices themselves incorporate computers. Routers, especially, are just specialized computers.
[ link to this | view in chronology ]
Re: Re: Interesting...
I stand corrected. According to the Merriam Webster definition of a computer: a programmable usually electronic device that can store, retrieve, and process data.
That pretty much covers anything :)
I just think the average Joe thinks of a computer in the terms of a PC type device.
Freedom (aka Average Joe!)
[ link to this | view in chronology ]
Typo
Just saying
[ link to this | view in chronology ]
Re: Typo
[ link to this | view in chronology ]
IP address is like a license plate
I think that question was the best argument Jammie Thomas had, and it really didn't work out so well for her. This ruling isn't going to change much, me thinks.
[ link to this | view in chronology ]
Like a car?
[ link to this | view in chronology ]
An IP address does not identify a piece of hardware at all. It identifies an addressable connection to the Internet. There is no way of knowing what is at the endpoint of that connection. I can connect a computer today, a different computer tomorrow, and a router the day after that. Depending on the upstream equipment, I may have to clone/fudge MAC IDs, but in general, there is no possible way for anyone to know what is connected to a particular IP.
However, combined with a date and time and relevant ISP records, an IP address does identify the subscriber to whom a connection was contractually supplied. The degree to which the subscriber is responsible for activity on that connection, regardless of whether he or she is aware of it, I presume is a convoluted legal matter; but at least it ought to be understood that the link between an IP and a person is exactly that. I should think it would be much like being the registered owner of a car: while that doesn't prove you were driving it at any given time, it generally still confers a certain degree of legal responsibility.
[ link to this | view in chronology ]
Re:
The registered owner of an IP address is usually an ISP, not some subscriber that they temporarily let use it.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
And not legally responsible for the actions of the driver, even though they are the owner.
[ link to this | view in chronology ]
Re:
1) Addresses can be spoofed, both IP and MAC.
2) ISP logs can be erroneous and/or read incorrectly.
[ link to this | view in chronology ]
Re:
Any references or tips on a practical way to “spoof” an IP address? Because I’m currently spending a lot of time in Costa Rica, and I’m about ready to punch a hole in my monitior the next time I follow a link to a video only to be told I can’t see it because I’ve committed the unpardonable sin of not being physically located in the god-blessed United States.
[ link to this | view in chronology ]
Other numbers too
I wonder though if someone might now argue that social security numbers only identify social security accounts and not actual people.
[ link to this | view in chronology ]
Re: Other numbers too
[ link to this | view in chronology ]
To Anon Coward. "Routers, especially, are just specialized computers" while this is true. Freedom is pointing out that pinpointing a computer doesn't pinpoint a user. And an IP on a router, can not even pinpoint a computer, let alone a user. My wireless router has 4-6 computers attached to it depending on the day.
[ link to this | view in chronology ]
Re:
I didn't say otherwise, but Freedom said he had an "issue" with the idea that someone might say that an IP address was assigned to a "computer" when it was assigned to a "router", indicating that he thought routers were not computers, which is not accurate and why I pointed it out. Sorry if that bothers you.
[ link to this | view in chronology ]
NAT and Security
What, force people to be better than hackers??
[ link to this | view in chronology ]
Even more...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Unless you pay in cash, your ISP certainly knows who you are. Even on the off chance they don't, they know physically where you end-point (telephone, cable, dsl, etc modem) is located. So, you are entirely traceable.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
Not quite. They may know who is billed for the service, but that doesn't mean they know who is sitting at the keyboard of some computer using that service. So "you" are not "entirely traceable" by that alone.
[ link to this | view in chronology ]
For example, Ms. Thomas in Minnesota was not held liable based solely on her IP address. It was the cumulative effect of an IP address associated with her internet account, the sudden "failure" and replacement of her hard drive right after she received a notice that her address was associated with unauthorized downloading using a p2p client, a hardwired router versus a wireless router, and a host of other evidence submitted at trial that obviously convinced the jury that more likely than not she was the one responsible for downloading and sharing unauthorized content. She had the opportunity to rebut the plaintiff's evidence before two juries, each of which did not find her testimony credible and determined she was liable.
Cases such as these are not built merely on an IP address. It is just a starting point from which a plaintiff must gather and present significantly more evidence to a court.
I know that the Thomas case is not the subject of this article, but it seems fair to mention it in order to address what is apparently a widespread misunderstanding of how our legal system actually works.
[ link to this | view in chronology ]
Re:
It is not hard for one to accept that she MOST LIKELY did down load music.
What is hard is to accept what the potential penalties are.
All based on investigations that are not able to actually identify who did what besides which are themself most likely illegal.
[ link to this | view in chronology ]
Re:
1) Your phone number, via caller id, is associated with infringing activity
2) This alone is used to make threats and seak payment
3) Search warrent is granted and items confiscated
4) Oh, did I mention that caller id can be spoofed
"preponderance of the evidence" is not a good thing.
[ link to this | view in chronology ]
I don't think that exists even in criminal cases.
For example, Ms. Thomas in Minnesota was not held liable based solely on her IP address.
Who said she was? Your straw man?
Cases such as these are not built merely on an IP address.
However, that is often what legal threats, accusations and settlement offers are often based on. Then, when push comes to shove, such cases are often dropped before they can be decided in court. The Thomas case was an exception because they had so much other evidence to go along with the address and to characterize the Thomas case as typical is misleading.
I know that the Thomas case is not the subject of this article...
Nor, as I said, typical.
...but it seems fair to mention it in order to address what is apparently a widespread misunderstanding of how our legal system actually works.
The way it works is that even innocent people can be bullied into settling just because they can't afford to defend themselves. What a great system.
[ link to this | view in chronology ]
What Judge, I want to know whom to vote for. We need more Judges that understand this.
[ link to this | view in chronology ]
Mom Blogs
[ link to this | view in chronology ]
Point of Civil Procedure
[ link to this | view in chronology ]
IP Address Is Soft-Serve
----
I recently wrote a mashup application that helped reconcile a customer's Network management software with their in-house Asset management software.
There was a high order of corruption in their Asset records due to the fact that they decided to end-around the network management software and discover, then TIE the IP address of a device to the Asset record of physical devices.
The problem is that there is a clear dichotomy between NETWORK management and ASSET management. Network management deals with the ever-flexible "what is out there right now, live on the network, and how is it currently configured". Asset management is supposed to track a physical device from purchase/lease through disposal.
The simple fact their Asset management devs overlooked is that IP addresses are soft - mutable and transportable. The hardware is real, complete with stickers and mass, and might be assigned hundreds of IP addresses in its lifetime. Not only that, but the network interface card within a system can be portable, making even the MAC address (yes, also spoofable) a dodgy way to track a multi-component SYSTEM.
----
An IP address is absolutely not Personally Identifiable information about a human. Neither should an IP address be considered a legal way to identify a SYSTEM beyond reasonable doubt.
Even though we can usually track IP addresses to systems to users *in the moment*, the information 'on-the-wire' can still be falsified. Not to mention the ease rapidity with which network management records can be plugged by a semi-competent corporate hack.
[ link to this | view in chronology ]
Not even that - technically. It identifies a 'host' on a network that can change.
Really, it's a temporary mapping - that can be changed at anytime by a person that has some basic knowledge - I can just reset my cable modem and *poof* - magically, I get a new IP address.
The MAC address does in fact identify - not a computer still - but a network interface. I could have multiple IP addresses and MAC addresses on a single PC - I could also have a PC with neither a MAC address or an IP address.
The only real "link" is a log on a server. Usually in plain text. So - let's assume some guy at your ISP is a download *fiend* - how hard would it be for him/her to do a find and replace on a text file? Seriously.
[ link to this | view in chronology ]
Privacy and social contract
According to the article linked in the Techdirt post, the statement quoted was part of the dismissal of a suit in which consumers alleged that Microsoft violated its user agreement by “collecting” IP addresses while stating that it would not collect any “personally identifiable information.”
Since it is impossible to communicate on the Internet without temporarily obtaining the IP address of the other party, I presume they mean that Microsoft retained a list the of IP addresses involved.
Now, what could “personally identifiable information” mean to an ordinary person reading a user agreement? How about a street address, a license plate number or a telephone number? None of these “identify a person,” as the judge claims “personally identifiable information” must do; but of course, these things are exactly what we understand the term to include. “Personally identifiable information” is information that can be used, either by itself or with other available information, to provide significant help in identifying someone — either by connecting the information to a standard form of identification (such as a name or social security number), or by recognizing when the same person is encountered again in the future (such as with a tracking cookie). It is also quite sufficient to fall within an ordinary understanding of the phrase if the information makes it probable (not necessarily certain) that the person in question is a member of a close unit (such as a family or household) that can be identified or recognized.
Privacy is less straightforward, and complicated by two different senses of the word. My street address is not “private” in the sense that my diary is private: anyone can stand on the street in front of my house and determine my address, while no one can (legally) sneak into my home and read my diary. We also use the word “private” to describe how we expect an entity which acquires information about us to behave in regard to that information. In this context, “private” is not so much a characteristic of the information as an indication that there are limits we expect the entity which gathers the information to honor. These limits come from a shared (or not) understanding of what constitutes civilized behavior. If I give you my phone number, I have an expectation of what you might do with it, and what you should not do with it. I probably won’t be disturbed if you give it to UPS to help them deliver a package you’ve sent to my house; I probably will be upset if you write it on the bathroom wall in the local park.
As the ability to store, aggregate and cross-reference data has exploded, the idea of “private” as a yes-or-no attribute is no longer very useful. There is still, of course, the privacy of the diary, whether it’s on paper or in a computer file; but the other sort of privacy — the one involved in user agreements and privacy policies — is no longer comprehensible in terms of one bit of information being private and another public. Information about you that can be used against you is out there; privacy now must concern what uses of information are socially and legally acceptable, and how easy it is for entities which might not honor social and legal boundaries to access sensitive information. (They can get it if they work hard enough; practicality, not possibility, is the realistic limitation.)
I contend, for example, that though a prospective employer obviously could search LiveJournal or Facebook, or your private web site, for information about you, it should be seen as improper to use that as input to a hiring decision (unless you’ve freely offered it as a reference). Our ability to speak our minds should not be dictated by fear of future unemployment. This is an example where the information itself can’t be called “private” in any real sense — it’s intentionally been posted for all to see — yet some uses of that information impinge on our liberty (effectively creating a kind of “prior restraint”), and I think those uses can reasonably be said to invade our privacy.
It makes no sense to say an IP address, or any other data, is private, or not private; what is relevant, if you are retaining data, is why you are keeping it, and what you will do (or allow to be done) with it. If you are providing added value to your users, that’s generally good; but if your use of data about your users subjects them to unwelcome intrusions, or exposes information about them that they would have preferred not be so widely or easily known, or just generally works against them (even if you don’t disclose the data to a third party), they will consider it a breach of privacy.
I have doubts that much of this can be handled sensibly by law; most respect for the boundaries of privacy will have to grow from recognition of the value of reputation. It is perhaps possible that law could help by requiring greater transparency in the handling of data — for the most part, not limiting what businesses can do with data, but insisting that how any data collected on the web is used must be made known, in detail, to the public, and not merely disclaimed in a vague user agreement or privacy policy.
[ link to this | view in chronology ]
"Jones issued the ruling in the context of a class-action lawsuit brought by consumers "
hmmm, so the fact that this single judge didnt actualy bother to even hear the case in trial, yet its suddenly become a "ruling" doesnt strike you as odd....!
theres no ruling here..., only a judge that on the face of it, didnt see fit to drag MS through yet another US court room case, you have to wonder if he really even bothered to look up, and read the current "real rulings" cases such as pointed out in the linked original story above.
"New Jersey Supreme Court ruled that Internet service providers can't disclose a subscriber's IP address to the police without a grand jury subpoena.
...
"We now hold that citizens have a reasonable expectation of privacy ... in the subscriber information they provide to internet service providers--just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies," the court stated in its unanimous decision. "
[ link to this | view in chronology ]
http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=81306
"...
W ith the case, the New Jersey Supreme Court joined European authorities in holding that IP addresses are private.
The ruling seems to signal that the court is concerned about privacy erosion in a society where data is increasingly stored digitally. Lee Tien, a lawyer with the digital rights group Electronic Frontier Foundation, called the holding a "harbinger of a trend" toward protecting online privacy. That organization, along with the ACLU, Electronic Privacy Information Center and others, filed a friend of the court brief in the case.
The New Jersey court specifically examined not just IP addresses, but also the clickstream data associated with particular addresses, and appeared to find an expectation of privacy in that data as well. "With a complete listing of IP addresses, one can track a person's Internet usage," the opinion reads. The court then quoted a law review article by privacy expert Daniel Solove for the proposition that clickstream data can allow the government to learn "the names of stores at which a person shops, the political organizations a person finds interesting, a person's ... fantasies, her health concerns, and so on."
The court went on to hold that users only disclose information to Internet service providers for the limited purpose of being able to access the Web "and not to promote the release of personal information to others."
"Under our precedents, users are entitled to expect confidentiality under these circumstances," the court wrote.
...
"
[ link to this | view in chronology ]
IP Not personally identifiable
And furthermore, how do we distinguish from people who chose to have a static IP? Then does this not identify someone?
Is a phone number any different?
"It doesn't identify a person, but a phone"
Nice rhetoric
...
[ link to this | view in chronology ]
http://proxy.skynetblogs.be/
[ link to this | view in chronology ]