UPDATE: ‘IP addresses “not personal data” says Irish court’
in Datanomy, 20 April 2010
- IP Addresses and User Privacy
In Europe, experience with totalitarian governments has justified the search for stronger laws and policies for the protection of personal information. On the other hand, Google grew up in the US which has a rather liberal approach, emphasizing the First Amendment, and Freedom of Speech and information. There is no data protection commission or commissioners in the US equivalent to those in Europe. These two divergent approaches create uncertainty regarding what can be expected from a company like Google operating from the US but reaching EU users.
There has been ongoing discussion between EU authorities and Google since 2007 over the issue of collecting private information, which relates in particular to the issue of IP addresses and cookies.
Eventually Google consented to limiting the retention of personal data communicated by its users to nine months. However, there is still wide controversy as to whether Internet Protocol (“IP”) Addresses are, or are not, personal data that is subject to protection by the EU regulations. There is a significant divergence of privacy laws across the 27-member European Union complicating the regulation of an internet that has no frontiers.
Recently a Swedish Court has ruled that IP addresses are personal data.
On the other hand, a German Court has ruled that IP addresses are not personal data.
Under the latter interpretation storing IP addresses without additional information doesn’t violate data protection legislation because they are not personal data – when stored by publishers they cannot be easily used to determine a person’s identity and this lacks the ‘necessary quality of determinability’ to be personal data. The identity cannot be determined without disproportionate burden using normally available knowledge and tools. They could be personal data in some cases but they are not generally.
However, Germany’s Data Protection Commissioner, Peter Scharr has been leading research assessing the privacy policies of internet search engines operated by Google, Yahoo Microsoft and others and their compliance with the EU privacy law. Scharr told a European Parliament hearing on online data protection that when someone is identified by an IP ‘then it has to be regarded as personal data’.
The UK Information Commissioner Office (ICO) Guidance of 2007 stipulates that IP Addresses, in isolation, will not be considered Personal Data unless and when used to build a profile on an individual or in the hands of an ISP. According to the guidance this is not technically an easy task. It adds that many IP addresses, particularly those allocated to individuals, are ‘dynamic’. Therefore, the allocated IP address is not permanent, although with the spread of the broadband, more and more connections are constantly maintained and the IP address is not often renewed. As for static IP Addresses, these can in the same way as some cookies be linked to a particular PC which may then be traced to an individual user. So, where a link is established to a static IP Address, the addresses and the profiles could be personal information.
Spain’s Data Protection Regulator, Artemi Rallo Lombarte, has criticized search engine operators for not trying to make their privacy policies accessible to normal people.
The approach of the French Courts is indicated by the following. On 27 April 2007 the Paris Court of Appeal considered a case involving person to person computer networks and ruled that “the IP address does not allow the identification of the persons who used this computer since only the legitimate authority for investigation may obtain the user identity from the ISP. It should also be remembered that each computer connected to the Internet is identified by a unique number called an ‘Internet address’ or IP address that allows it to be found among connected computers or to find the sender of the message”. In a similar ruling on 15 May 2007, the Court argued that “this series of numbers indeed constitutes by no means indirect nominative data of the person in that it only relates to a machine, and not to the individual who is using the computer in order to commit a counterfeit.” The Court concluded that the collection of IP addresses does not constitute processing of personal data, and therefore there was no need for NIL prior authorization, as required by the French Data Protection Act.
These rulings do not seem to be fully consistent with the applicable European legal framework. The concept of “personal data” in Directive 95/46/EC does not require that an IP address allow identification of the user, but only that it relates to an identifiable natural person. The argument that an IP address only relates to a machine and not to the individual who is using it, is not convincing either.
On 6 September 2007, the Court of First Instance of Saint-Brieuc, came to the opposite conclusion.
According to the court, “The IP Address, is, strictly speaking, an identifier of a machine when the latter is connected to the internet, and not that of a person. However in the same way as a telephone number it is, strictly speaking, none other than a line for which a subscription has been made by a given person. An IP number associated with an internet access provider necessarily corresponds to the connection of a computer for which a given person has entered into a subscription with an access provider.”
On 12 December 2007 the Paris Court of Appeal issued a decision on the legal obligation of Google Inc., as a blog hosting provider, to retain data identifying a blog user. The court stated, inter alia, that “the user profile” that Google Inc. holds does not meet its obligation of user identification. The court was using this opportunity to require that the IP address be held by the hosting provider, even if it constitutes personal data that makes it possible to identify a computer.
However, in a similar case on 23 June 2008, the court of first instance of Paris ruled that the retention of IP addresses fulfills the above mentioned legal obligation of the host provider, because an IP address allows the identification of a blog user: “But given that, following the obligation in question, a web host has the duty to hold and retain data enabling the identification in question: that which the company JFG Networks sent in its mail of 23 April 2008 and that the technical intermediary” was able to provide the relevant services, it cannot be accused therefore of failing to fulfill its obligations in respect of the electronic address provided during its registration by the blog administrator.
The view of the US Courts is also uncertain. The Supreme Court of the State of New Jersey stated in its unanimous decision “We now hold that citizens have a reasonable expectation of privacy … in the subscriber information they provide to internet service providers–just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies”
Admitting that IP addresses are private, the Supreme Court ruled that for the police to access an ISP’s log of surfing users a municipal court subpoena was not enough. They need a grand jury subpoena from higher court than usual. This case was an important step towards the recognition of IP addresses and the need to protect privacy in the digital world where so much can be easily collected. The Electronic Frontier Foundation, ACLU, EPIC Center and others, had filed a friend of the court brief in the case.
It’s important to note that in addition to the information collected via IP addresses there are expectations of privacy regarding clickstream data associated with it. “With a complete listing of IP addresses, one can track a person’s Internet usage”, the opinion reads. The court referred to a law review article by privacy expert Daniel Solove for the proposition that clickstream data can allow the government to learn “the names of stores at which a person shops, the political organizations a person finds interesting, a person’s … fantasies, her health concerns, and so on.” The court went on to hold that users only disclose information to internet service providers for the limited purpose of being able to access the Web “and not to promote the release of personal information to others.” “Under our precedents, users are entitled to expect confidentiality under these circumstances,” the court wrote.
Surprisingly, more recently a Federal Judge in Seattle has held that IP addresses are not personally identifiable information.
According to U.S. District Court Judge Richard Jones: “In order for ‘personally identifiable information to be personally identifiable it must identify a person. But an IP address identifies a computer.” In this case, Microsoft was accused of violating user agreement by collecting IP addresses in the course of the updates. It is not technically impossible for Microsoft as well as Google to track the IP address to the user’s identity if the user is at the same time a client of their other services such as MSN mail services or Googlemail for Google. This is the reason why the EFF advises users at least not to search Google while connected to their Googlemail account.
Marc Rotenberg, executive director of the Electronic Privacy Information Center, criticized the Microsoft ruling as “a silly decision.” “The judge didn’t understand the significance of the IP address or the reason that it was collected,” he says.
He had also said that it was “absurd” for Google to claim that stripping out the last two figures from the stored IP address made the address impossible to identify by making it one of 256 possible configurations.
“It’s one of the things that make computer people giggle. The more the companies know about you, the more commercial value is obtained.” Privacy activists argue that IP addresses should count as a Personal data under the Data protection legislation.
The Hong Kong Privacy Commissioner has held a more conservative view, stating that An IP Ad per se does not meet the requirement of Personal Data.
For the record Microsoft has declared that it does not record IP Addresses that identify an individual PC.
The European Regulatory Perspective
The Committee of Europe’s Privacy watchdog has said that an IP Address should be treated as Personal Data by ISPs and search engines even if they are not always Personal Data. ‘Unless the ISP is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified it will have to treat all IP information as Personal Data to be on the safe side. These considerations apply equally to search engine operators’.
Ultimately, the EU regulator considers that ‘IP addresses, strings of numbers that identify computers on the internet, should generally be regarded as Personal Information.’ Most E.U. and national law that describes how personal data is handled was developed in the 1970s and a comprehensive overhaul is needed to meet the challenges of the Internet age. The new regulations need to take account of the development of Web 2.0 and Web 3.0.
A European Commission advisory panel, called the Article 29 Working Group, has worked to better understand the issue. The Panel found it useful to understand how the IP address operates. The latter are ‘series of digits (four digits comprised between 0 and 255). Every time that an individual goes onto the Internet using an Internet access device, for example to surf the Web, the Internet Service Provider (ISP) attributes an IP address to the device that he is using. But access providers know who is behind an IP address, and it is possible for a third party to correlate the information and determine to whom a profile corresponds.
This is how the search engine identifies a user and continually records the clicked links, the sites visited, ads viewed, as well as the key word searches made, frequency of use or visits to a given site. It correlates all of this information to the user IP’s address thanks to cookies placed on that person’s computer whenever he or she logs on to the Internet. Cookies are connection logs; they enable the websites to identify the users and record their “itinerary”.’ This is why the Electronic Privacy Information Center: finds it ‘it is “absurd” for Google to claim that stripping out the last two figures from the stored IP Ad made the address impossible to identify by making it one of the 256 possible configurations’. ‘For a better traceability, many commercial websites make use of “ID cookies” which are stored on the visitor’s computer in order to enable a unique recognition on the next visit. ‘In the case of search engines, the searching behavior is often recorded and retained for a certain period’ .
What is a Personal Data under the EU regulations:
95/46/EC, also known as the “Data Protection Directive”, offers protection against the processing of private data. Article 2 sub (a) of the Directive reads as follows: “Personal data shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.
The Article 29 Working Party issued its Opinion 1/2008 on data protection issues related to search Engines in April 2008.
The opinion concluded that the Data Protection Directive generally applies to the processing of personal data by search engines, even when their headquarters are outside the European Economic Area:
“Search engine providers must delete or irreversibly anonymize personal data once they no longer serve the specified and legitimate purpose they were collected for and be capable of justifying retention and the longevity of cookies deployed at all times…. The Working Party recalls the obligation of search engines to clearly inform the users upfront of all intended uses of their data and to respect their right to readily access, inspect or correct their personal data in accordance with Article 12 of the Data Protection Directive” (Executive Summary, Para. 5).
C.f. further the Opinion, par. III.3, especially, p. 12:
“In general, a natural person can be considered as “identified” when, within a group of persons, he or she is “distinguished” from all other members of the group”.
See also Recital 26 of Directive 95/46/EC:
“…. whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; …”
The next International Conference of Data Protection and Privacy Commissioners will be hosted by the Spanish Data Protection Authority in November this year in Madrid.
The Spanish Data Protection Director, Artemi Rallo Lombarte stated:
“the challenge we face as the organizers of the 31st International Conference is that of achieving the approval of a joint proposal on “International Standards for the Protection of Privacy and Personal Data,” allowing the development of a universal, binding legal document.”
Protection of Personal Data On-Line: IP Addresses – personal identifier or personal data?
A name is undoubtedly a personal identifier. However a person can still change his or her name by marriage, by special request or by fraud. More frequently, an IP address is changed or renewed, specifically when dynamic, mostly automatically and without human interference. In both cases the identifier does NOT define the person but is a link that POINTS TO that person. Nothing identifies a person with certainty. Maybe his or her teeth unless they have been extracted or never recorded.
What is important is the link created between the person and the identifier. The key that creates the link is available to ISPs and some site owners and search engines such as Google. A postal address in itself is not an identifier. However it becomes so when associated to a particular individual or family domiciled at the address. Even a diary is not a personal identifier but becomes personal data when a link can lead to its author.
According to Opinion 1/2008 of the Article 29 Data Protection Working Party on data protection issues related to search engines, ‘when a cookie contains a unique user ID, this ID is clearly personal data.’ Also, ‘cookies deployed by search engines typically contain information about the user’s operating system and browser, and a unique identification number for each user account: “When a computer has a dynamic and variable IP address, and cookies are not erased at the end of a session, such a cookie makes it possible to trace the user from one IP address to the next.” Cookies that collect information about how people use the internet can automatically expire after 2 years or continue for 30 years.
The Electronic Frontier Foundation (EFF) In its online document ‘Six Tips to Protect Your Search Privacy’ shows how search engines can connect different user collected information to identify them.
It is stipulated:
1. Don’t put personally identifying information in your search terms (easy)
2. Don’t use your ISP’s search engine (easy)
3. Don’t login to your search engine or related tools (intermediate). In particular it recommends: f you have accounts with services like Google GMail or Hotmail, do not search through the corresponding search engine (Google or MSN Search, respectively), especially not while logged in.
4. Block “cookies” from your search engine (intermediate)
- Vary your IP address (intermediate)
- Use web proxies and anonymizing software like Tor (advanced) ‘to hide your IP address from the web sites you visit or the other computers you communicate with on the Internet, …’
Additionally, the document mentions :
- “Mail.google.com and google.com leave some additional cookies that will identify you while searching, but which Customize Google (and GoogleAnon) will not anonymize. Unless you remember to quit your browser, some of those cookies persist even if you logout of Gmail. Future versions of these privacy-protection tools may help fix this problem.’
Privacy Implications for Google : Should users yield control over their personal information to Google?
This issue has various facets, some of which are discussed below :
A. Retaining IP Addresses
Google insists that an IP Address merely identifies the location of a computer, not who the individual user is. The law firm Pinsent Masons LLP in its website “Out-Law” responds: “that is true but does not take into consideration that many people regularly use the same computer and IP Addresses.” ‘Whois’ internet sites allow users to link an IP address to the user’s name or company linked to it.
According to Google’s Global Privacy Counsel, Peter Fleischer:
‘Google collects IP Adresses to give customers a more accurate service because it knows what part of the world a search result comes from and what language is used — and that was not enough to identify an individual user….’
An issue here is that users are not aware of which information is collected from them. The opt out option will give them a choice.
B. Addressing ‘Click Fraud’
There are legitimate reasons why Google should wish to track IP Addresses. For example, Google claims that internet “click fraud” can be tracked by showing that the same IP Address is jumping repeatedly to the same address. Advertisers pay each time a different person views the Ad, so dozens of views by the same person can rack up costs without giving the company the publicity it wanted.
C. Surveillance and Targeted Advertising
As indicated above a key competitive advantage for Google, with the world’s largest search engine and suite of complementary applications, is information about the search preferences of its users, enabling it to sell more targeted advertising services to its clients.
The new Federal Trade Commission Chairman Jon Leibowitz, appointed in February this year, has made behavioral targeting his first priority.
Behavioral targeting delivers ads to individuals based on the Web pages they visit and searches they carry out. In the EU, Meglena Kuneva, the European consumer affairs commissioner, has argued that basic consumer rights are being violated by companies that profile and target consumers.
According to the EU Eight Data Protection Principles, data should not be collected without data subjects’ consent and only for a specific use.
The Code of Fair Information Practices developed in the US in 1973 for the US Department of Health, Education & Welfare presents five principles: openness, disclosure, secondary use, correction, and security. They are similar to the EU requirement but expressed differently and not as extensive as the EU principles. The latter include minimization (only information relevant to the task at hand is gathered), restoration (those altering the privacy status quo should bear the cost of restoring it), safety net or the equity principle (minimum privacy available to all), timelines (data are expected to be current and old data destroyed), the principle of joint ownership of transactional data and the obligation of common share of any gains, the principle of consistency and ultimately, the principle of accountability for any breach including mechanisms for victims to discover and be compensted for breaches.
‘Why should privacy matter?’ users might ask, not grasping why they should fear the collection of their data for targeted advertising. Two main reason are suggested by Hal Roberts: firstly, Google could lose our data. If that has happened to credit card companies, government bureaus and other organizations why not Google? Recently Google was victim of human mistake releasing data. Secondly, data stored by Google could be accessed by governments as was the case in the law suit opposing Viacom to Google’s subsidiary, YouTube.
The privacy scholar, Daniel Solove has done extensive research on privacy. Facing the ‘I’ve got nothing to hide argument’, he asked the reader of his blog, Concurring Opinions, to bring good responses to the argument.
People give out bits of information in different settings, only revealing a small part of themselves in each context. The pieces of data spread around throughout daily activities give the expectation individually that relatively little is revealed. However, when these pieces are consolidated together like a piece of puzzle the aggregator acquires much greater knowledge about the person’s life. Financial institutions have a major interest in collecting data such as credit reports to evaluate lending risks. In the same way future employers or education admissions tend to refer to digital footprints left behind by candidates to help their decision makings. This is not without the risk of false ‘extrapolation’ from information taken out of its context and losing its significance.
By indexing web content Google is continually compiling user information. It also actively pulls out users’ information from other Social Networking Sites like Facebook or Twitter without users’ acknowledgment or consent. Taken out of context this information can cause prejudice. It can be wrongfully interpreted or harmful for users’ reputations. Hal Roberts from the Berkman Center of Internet and Society researched surveillance of the internet as reported by Ethan Zuckerman.
The statistics he reveals, dating from the end of 2008, show that each of Google’s advertising entities – Adwords and Double Click – own 35% of the online market.
In an interview with KAI RYSSDAL in July 7, 2009, Google’s Chairman and CEO, Eric Schmidt admitted that 97% of Google’s revenues come from advertising. Randal Stross
recalls in his book how two Google employees found the process for targeted advertising by simply “downloading semantic analysis software from the internet that could analyze any block of text, identifying the grammatical function of every word in every sentence, and then figuring out the sentence meaning into a few keywords.” They initially feared a negative reaction from the co-founders, Sergey Brin and Larry Page, regarding the privacy impact of the new tool. Stross also reported in 2000 that when Sergey Brin, still student at the Stanford University, was interviewed, he had declared ‘deliberately following a different path from Yahoo, which offered a complete set of information services that were intended to keep users from having any reason to go to another web site’ claiming “all we do is search”. The original intention was to stick to search delivery, not wanting to enter into competition with companies to whom they would deliver search services.
Less than a decade later the company has dramatically expanded. Google launched gmail with a powerful search engine. And if this is not enough, Google desktop helps users search their own desktops. Eric Schmidt said in his recent interview talking about advertising that “we think that we can build much more sophisticated advertising products. Ones which are even more personal, more mobile, more interactive, tell the story better.”
These types of information flows are not without the risk of leakage or human errors.
Organizations such as Electronic Frontier Foundation (EFF) have expressed concerns about the scale of information manipulated by Google.
Google’s technology becomes more penetrating and intrusive while our society becomes more transparent and porous. Modern types of surveillance, says Hal Roberts, have become more sophisticated than the Orwellian Big Brother model where the Ministry of Love watched you while you watched it. They are closer in character to the Jeremy Bentham Panoptican model also referred to by Benett & Raab in ‘Governance of Privacy’. There is an assumption that individuals placed in a position where they are constantly watched will enforce their own behavior.
This is in the case of conscious surveillance but Google’s surveillance is surreptitious. In the internet age the information is broadly delivered by data subjects themselves. As noted by Benett & Raab ‘information collection often occurs invisibly, automatically and remote – being built into routine activities.’ Importantly, ‘awareness and genuine consent of the part of the subject may be lacking.’
In summary, uncertainty remains about the effect of surveillance, supposedly made for targeted advertsing services, on individuals’ behavior and the effect of surveillance on free speech.