[governance] IP Addresses Are Personal Data, E.U. Regulator Says

yehudakatz at mailinator.com yehudakatz at mailinator.com
Tue Jan 22 13:21:05 EST 2008 

IP Addresses Are Personal Data, E.U. Regulator Says

The Washington Post
By Aoife White
Associated Press
Tuesday, January 22, 2008; D01
washingtonpost.com

Art. Ref.:
http://www.washingtonpost.com/wp-dyn/content/article/2008/01/21/AR2008012101340
.html?hpid=sec-tech

Print:
http://www.washingtonpost.com/wp-dyn/content/article/2008/01/21/AR2008012101340
_pf.html

Google News - all 203 news articles:
http://news.google.com/nwshp?tab=wn&ncl=1126688783&hl=en&topic=t
--

BRUSSELS -- IP addresses, strings of numbers that identify computers on the
Internet, should generally be regarded as personal information, the head of the
European Union's group of data privacy regulators said Monday.

Germany's data-protection commissioner, Peter Scharr, leads the E.U. group,
which is preparing a report on how well the privacy policies of Internet search
engines operated by Google, Yahoo, Microsoft and others comply with E.U.
privacy law.

Scharr told a European Parliament hearing on online data protection that when
someone is identified by an IP, or Internet protocol, address, "then it has to
be regarded as personal data."

His view differs from that of Google, which insists an IP address merely
identifies the location of a computer, not who the individual user is. That is
true but does not take into consideration that many people regularly use the
same computer and IP address.

Scharr acknowledged that IP addresses for a computer may not always be personal
or linked to an individual. For example, some computers in Internet cafes or
offices are used by several people.

These exceptions have not stopped the emergence of a host of "whois" Internet
sites, which allow users to type in an IP address and will then generate a name
for the person or company linked to it.

Treating IP addresses as personal information would have implications for how
search engines record data.

Google was the first last year to cut the time it stored search information to
18 months. It also reduced the time limit on the cookies that collect
information on how people use the Internet from a default of 30 years to an
automatic expiration in two years.

A privacy advocate at the nonprofit Electronic Privacy Information Center said
it was "absurd" for Google to claim that stripping out the last two figures
from the stored IP address made the address impossible to identify by making it
one of 256 possible configurations.

"It's one of the things that make computer people giggle," the center's
executive director, Marc Rotenberg, said. "The more the companies know about
you, the more commercial value is obtained."

Google's global privacy counsel, Peter Fleischer, said Google collects IP
addresses to give customers a more accurate service because it knows what part
of the world a search result comes from and what language is used -- and that
was not enough to identify an individual user.

"If someone taps in 'football,' you get different results in London than in New
York," he said.

The way Google stores IP addresses meant that one address forms part of a
crowd, giving valuable information on general trends without infringing on an
individual's privacy, he said.

Google says it needs to store search queries and gather information on online
activity to improve its search results and to provide advertisers with correct
billing information that shows that genuine users are clicking on online ads.

Internet "click fraud" can be tracked by showing that the same IP address is
jumping repeatedly to the same ad. Advertisers pay for each time a different
person views the ad, so dozens of views by the same person can rack up costs
without giving the company the publicity it wanted.

Microsoft does not record the IP address that identifies an individual computer
when it logs search terms. Its Internet strategy relies on users logging into
the Passport network that is linked to its popular Hotmail and Messenger
services.

The company's European Internet policy director, Thomas Myrup Kristensen,
described the move as part of Microsoft's commitment to privacy. "In terms of
the impact on user privacy, complete and irreversible anonymity is the most
important point here -- more impactful than whether the data is retained for 13
versus 18 versus 24 months," he said.

Neither of the search engines received a pat on the back from Spain's data
protection regulator, Artemi Rallo Lombarte, who criticized them for not trying
to make their privacy policies accessible to normal people.

Their privacy policies "could very well be considered virtual or fictional . .
. because search engines do not sufficiently emphasize their own privacy
policies on their home pages, nor are they accessible to users," he said,
describing the policies as "complex and unintelligible to users."

---
-30-
____________________________________________________________
You received this message as a subscriber on the list:
     governance at lists.cpsr.org
To be removed from the list, send any message to:
     governance-unsubscribe at lists.cpsr.org

For all list information and functions, see:
     http://lists.cpsr.org/lists/info/governance

More information about the Governance mailing list