Court Says IP Addresses Aren't Personally Identifiable Information
from the ok... dept
We’ve noted that in Europe, IP addresses are considered private info, and I’ve pointed out that I don’t think IP addresses, by themselves, should be considered private. I agree that combined with other identifying information an IP address can reveal info about you, but just the numbers alone are not private. And it appears a judge agrees, noting that IP addresses are not “personally identifiable” information (sent in by Dave Barnes). I’m actually surprised about this, because most people seem to disagree with me on IP addresses. However, this does raise a separate question: if courts say IP addresses are not personally identifiable, then does that shoot a large hole in most of the RIAA cases which rely on IP addresses? After all, the judge in this ruling said:
“In order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer.”
Filed Under: ip addresses, personal info
Comments on “Court Says IP Addresses Aren't Personally Identifiable Information”
Interesting...
>> “In order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer.”
This is a bit of nitpicking, but an IP address identifies a addressable device and not necessarily just computers. That device in turn can be a router, phone, computer, or microwave oven for that matter. The big issue I have with saying an IP address identifies a computer is that many times the IP address identifies a NAT based router or proxy server which further hides the true device making the request and of course has no provable correlation to the person that may or may not have been involved in said request.
Freedom
Re: Interesting...
That device in turn can be a router, phone, computer, or microwave oven for that matter.
Usually only when those devices themselves incorporate computers. Routers, especially, are just specialized computers.
Re: Re: Interesting...
>> Routers, especially, are just specialized computers.
I stand corrected. According to the Merriam Webster definition of a computer: a programmable usually electronic device that can store, retrieve, and process data.
That pretty much covers anything 🙂
I just think the average Joe thinks of a computer in the terms of a PC type device.
Freedom (aka Average Joe!)
Typo
“then that does that shoot a large hole in most of the RIAA cases”
Just saying
Re: Typo
Oops. Fixed. Thanks.
IP address is like a license plate
Yeah, an IP address is public, but the question is, does that point to the machine using the address or not? And even if you get the machine right, does it point to the user using the machine or not?
I think that question was the best argument Jammie Thomas had, and it really didn’t work out so well for her. This ruling isn’t going to change much, me thinks.
Like a car?
I’m wondering if this won’t result in some kind of action for failing to secure your IP addressable device, much like you can get a ticket in some jurisdictions for leaving your keys in the car.
Sometimes this stuff really is scary… even the folks that get it, sort of, don’t get it.
An IP address does not identify a piece of hardware at all. It identifies an addressable connection to the Internet. There is no way of knowing what is at the endpoint of that connection. I can connect a computer today, a different computer tomorrow, and a router the day after that. Depending on the upstream equipment, I may have to clone/fudge MAC IDs, but in general, there is no possible way for anyone to know what is connected to a particular IP.
However, combined with a date and time and relevant ISP records, an IP address does identify the subscriber to whom a connection was contractually supplied. The degree to which the subscriber is responsible for activity on that connection, regardless of whether he or she is aware of it, I presume is a convoluted legal matter; but at least it ought to be understood that the link between an IP and a person is exactly that. I should think it would be much like being the registered owner of a car: while that doesn’t prove you were driving it at any given time, it generally still confers a certain degree of legal responsibility.
Re: Re:
I should think it would be much like being the registered owner of a car: while that doesn’t prove you were driving it at any given time, it generally still confers a certain degree of legal responsibility.
The registered owner of an IP address is usually an ISP, not some subscriber that they temporarily let use it.
Re: Re: Re:
So if we must continue down the Car analogy road… the ISP is a Car Rental Agency.
Re: Re: Re: Re:
So if we must continue down the Car analogy road… the ISP is a Car Rental Agency.
And not legally responsible for the actions of the driver, even though they are the owner.
Re: Re:
Good summary, but you left out two very important items.
1) Addresses can be spoofed, both IP and MAC.
2) ISP logs can be erroneous and/or read incorrectly.
Re: Re: Re:
Addresses can be spoofed, both IP and MAC.
Any references or tips on a practical way to “spoof” an IP address? Because I’m currently spending a lot of time in Costa Rica, and I’m about ready to punch a hole in my monitior the next time I follow a link to a video only to be told I can’t see it because I’ve committed the unpardonable sin of not being physically located in the god-blessed United States.
Other numbers too
And street address just identify building locations, phone numbers just identify telephones, license plate numbers just identify automobiles, etc., etc.. None of those actually identify a person, although a person may be associated with them. So that would make none of that protected personal information.
I wonder though if someone might now argue that social security numbers only identify social security accounts and not actual people.
Re: Other numbers too
Social security numbers alone are not personal information under most laws/regulations. Usually you have to have first name (or initial) and last name + the SSN before you have anything that needs to be treated as PII
Freedom is correct, was going to make the same comment…
To Anon Coward. “Routers, especially, are just specialized computers” while this is true. Freedom is pointing out that pinpointing a computer doesn’t pinpoint a user. And an IP on a router, can not even pinpoint a computer, let alone a user. My wireless router has 4-6 computers attached to it depending on the day.
Re: Re:
Freedom is pointing out that pinpointing a computer doesn’t pinpoint a user.
I didn’t say otherwise, but Freedom said he had an “issue” with the idea that someone might say that an IP address was assigned to a “computer” when it was assigned to a “router”, indicating that he thought routers were not computers, which is not accurate and why I pointed it out. Sorry if that bothers you.
NAT and Security
With people opening up their wireless networks and having multiple PC’s behind one IP address, there is no real way to say who did what.
What, force people to be better than hackers??
Even more...
The judge was too limiting when he said that an IP address identifies a computer. It may identify a router or proxy server or similar device. When using, for example, a router, your computer’s IP address is totally isolated from the outside world and just because you may be connected to a router with its own IP address doesn’t even mean you are in the same physical location as the router (merely the general vicinity in the case of a wireless router).
You can mask an IP if you know what you are doing. You can also remain unknown especially since there are company that will provide you an internet connection no questions ask and don’t have to provide anyone else including the law. Sure the FBI can subpoena this info but that comes back to being able to mask your IP. MY IP address changes every time I connect to the internet. If you know what you are doing, you can be unknown and do what you want.
Re: Re:
No quite. While you *can* hide behind a NAT box or a proxy server, you can’t “mask” your IP address. You could forge the packets you transmit with a different IP, but then you’d never get a response.
Unless you pay in cash, your ISP certainly knows who you are. Even on the off chance they don’t, they know physically where you end-point (telephone, cable, dsl, etc modem) is located. So, you are entirely traceable.
Re: Re: Re:
You are totally ignoring the elephant in the room ?
Re: Re: Re:
Unless you pay in cash, your ISP certainly knows who you are.
Not quite. They may know who is billed for the service, but that doesn’t mean they know who is sitting at the keyboard of some computer using that service. So “you” are not “entirely traceable” by that alone.
Thank goodness that in civil litigation the standard of proof is by a “preponderance of the evidence”, and not the apparently wished for standard by many of the commenters at this site of “proof to an absolute degree of certainty and nothing less.”
For example, Ms. Thomas in Minnesota was not held liable based solely on her IP address. It was the cumulative effect of an IP address associated with her internet account, the sudden “failure” and replacement of her hard drive right after she received a notice that her address was associated with unauthorized downloading using a p2p client, a hardwired router versus a wireless router, and a host of other evidence submitted at trial that obviously convinced the jury that more likely than not she was the one responsible for downloading and sharing unauthorized content. She had the opportunity to rebut the plaintiff’s evidence before two juries, each of which did not find her testimony credible and determined she was liable.
Cases such as these are not built merely on an IP address. It is just a starting point from which a plaintiff must gather and present significantly more evidence to a court.
I know that the Thomas case is not the subject of this article, but it seems fair to mention it in order to address what is apparently a widespread misunderstanding of how our legal system actually works.
Re: Re:
“For example, Ms. Thomas in Minnesota was not held liable based solely on her IP address. It was the cumulative effect of an IP address associated with her internet account, the sudden “failure” and replacement of her hard drive right after she received a notice that her address was associated with unauthorized downloading using a p2p client, a hardwired router versus a wireless router, and a host of other evidence submitted at trial that obviously convinced the jury that more likely than not she was the one responsible for downloading and sharing unauthorized content. She had the opportunity to rebut the plaintiff’s evidence before two juries, each of which did not find her testimony credible and determined she was liable.”
It is not hard for one to accept that she MOST LIKELY did down load music.
What is hard is to accept what the potential penalties are.
All based on investigations that are not able to actually identify who did what besides which are themself most likely illegal.
Re: Re:
Could the same logic be applied to phone numbers ?
1) Your phone number, via caller id, is associated with infringing activity
2) This alone is used to make threats and seak payment
3) Search warrent is granted and items confiscated
4) Oh, did I mention that caller id can be spoofed
“preponderance of the evidence” is not a good thing.
Thank goodness that in civil litigation the standard of proof is by a “preponderance of the evidence”, and not the apparently wished for standard by many of the commenters at this site of “proof to an absolute degree of certainty and nothing less.”
I don’t think that exists even in criminal cases.
For example, Ms. Thomas in Minnesota was not held liable based solely on her IP address.
Who said she was? Your straw man?
Cases such as these are not built merely on an IP address.
However, that is often what legal threats, accusations and settlement offers are often based on. Then, when push comes to shove, such cases are often dropped before they can be decided in court. The Thomas case was an exception because they had so much other evidence to go along with the address and to characterize the Thomas case as typical is misleading.
I know that the Thomas case is not the subject of this article…
Nor, as I said, typical.
…but it seems fair to mention it in order to address what is apparently a widespread misunderstanding of how our legal system actually works.
The way it works is that even innocent people can be bullied into settling just because they can’t afford to defend themselves. What a great system.
“And it appears a judge agrees”
What Judge, I want to know whom to vote for. We need more Judges that understand this.
Thanks for sharing this useful information. It’s great.
Mom Blogs
Point of Civil Procedure
Having an IP address which on its face shows illegal/infringing activity running through it may be enough to persuade a judge to issue a subpoena for the rest of the information needed to commence a civil action. Once commenced, any additional parties that may need to be added can come out in the discovery phase.
IP Address Is Soft-Serve
Here’s a little anecdote.
—-
I recently wrote a mashup application that helped reconcile a customer’s Network management software with their in-house Asset management software.
There was a high order of corruption in their Asset records due to the fact that they decided to end-around the network management software and discover, then TIE the IP address of a device to the Asset record of physical devices.
The problem is that there is a clear dichotomy between NETWORK management and ASSET management. Network management deals with the ever-flexible “what is out there right now, live on the network, and how is it currently configured”. Asset management is supposed to track a physical device from purchase/lease through disposal.
The simple fact their Asset management devs overlooked is that IP addresses are soft – mutable and transportable. The hardware is real, complete with stickers and mass, and might be assigned hundreds of IP addresses in its lifetime. Not only that, but the network interface card within a system can be portable, making even the MAC address (yes, also spoofable) a dodgy way to track a multi-component SYSTEM.
—-
An IP address is absolutely not Personally Identifiable information about a human. Neither should an IP address be considered a legal way to identify a SYSTEM beyond reasonable doubt.
Even though we can usually track IP addresses to systems to users *in the moment*, the information ‘on-the-wire’ can still be falsified. Not to mention the ease rapidity with which network management records can be plugged by a semi-competent corporate hack.
“But an IP address identifies a computer.”
Not even that – technically. It identifies a ‘host’ on a network that can change.
Really, it’s a temporary mapping – that can be changed at anytime by a person that has some basic knowledge – I can just reset my cable modem and *poof* – magically, I get a new IP address.
The MAC address does in fact identify – not a computer still – but a network interface. I could have multiple IP addresses and MAC addresses on a single PC – I could also have a PC with neither a MAC address or an IP address.
The only real “link” is a log on a server. Usually in plain text. So – let’s assume some guy at your ISP is a download *fiend* – how hard would it be for him/her to do a find and replace on a text file? Seriously.
Privacy and social contract
While the first, striking thing about this is the judge’s misconception that an IP address identifies a computer, that’s not the worst of it.
According to the article linked in the Techdirt post, the statement quoted was part of the dismissal of a suit in which consumers alleged that Microsoft violated its user agreement by “collecting” IP addresses while stating that it would not collect any “personally identifiable information.”
Since it is impossible to communicate on the Internet without temporarily obtaining the IP address of the other party, I presume they mean that Microsoft retained a list the of IP addresses involved.
Now, what could “personally identifiable information” mean to an ordinary person reading a user agreement? How about a street address, a license plate number or a telephone number? None of these “identify a person,” as the judge claims “personally identifiable information” must do; but of course, these things are exactly what we understand the term to include. “Personally identifiable information” is information that can be used, either by itself or with other available information, to provide significant help in identifying someone — either by connecting the information to a standard form of identification (such as a name or social security number), or by recognizing when the same person is encountered again in the future (such as with a tracking cookie). It is also quite sufficient to fall within an ordinary understanding of the phrase if the information makes it probable (not necessarily certain) that the person in question is a member of a close unit (such as a family or household) that can be identified or recognized.
Privacy is less straightforward, and complicated by two different senses of the word. My street address is not “private” in the sense that my diary is private: anyone can stand on the street in front of my house and determine my address, while no one can (legally) sneak into my home and read my diary. We also use the word “private” to describe how we expect an entity which acquires information about us to behave in regard to that information. In this context, “private” is not so much a characteristic of the information as an indication that there are limits we expect the entity which gathers the information to honor. These limits come from a shared (or not) understanding of what constitutes civilized behavior. If I give you my phone number, I have an expectation of what you might do with it, and what you should not do with it. I probably won’t be disturbed if you give it to UPS to help them deliver a package you’ve sent to my house; I probably will be upset if you write it on the bathroom wall in the local park.
As the ability to store, aggregate and cross-reference data has exploded, the idea of “private” as a yes-or-no attribute is no longer very useful. There is still, of course, the privacy of the diary, whether it’s on paper or in a computer file; but the other sort of privacy — the one involved in user agreements and privacy policies — is no longer comprehensible in terms of one bit of information being private and another public. Information about you that can be used against you is out there; privacy now must concern what uses of information are socially and legally acceptable, and how easy it is for entities which might not honor social and legal boundaries to access sensitive information. (They can get it if they work hard enough; practicality, not possibility, is the realistic limitation.)
I contend, for example, that though a prospective employer obviously could search LiveJournal or Facebook, or your private web site, for information about you, it should be seen as improper to use that as input to a hiring decision (unless you’ve freely offered it as a reference). Our ability to speak our minds should not be dictated by fear of future unemployment. This is an example where the information itself can’t be called “private” in any real sense — it’s intentionally been posted for all to see — yet some uses of that information impinge on our liberty (effectively creating a kind of “prior restraint”), and I think those uses can reasonably be said to invade our privacy.
It makes no sense to say an IP address, or any other data, is private, or not private; what is relevant, if you are retaining data, is why you are keeping it, and what you will do (or allow to be done) with it. If you are providing added value to your users, that’s generally good; but if your use of data about your users subjects them to unwelcome intrusions, or exposes information about them that they would have preferred not be so widely or easily known, or just generally works against them (even if you don’t disclose the data to a third party), they will consider it a breach of privacy.
I have doubts that much of this can be handled sensibly by law; most respect for the boundaries of privacy will have to grow from recognition of the value of reputation. It is perhaps possible that law could help by requiring greater transparency in the handling of data — for the most part, not limiting what businesses can do with data, but insisting that how any data collected on the web is used must be made known, in detail, to the public, and not merely disclaimed in a vague user agreement or privacy policy.
“Last month, Jones sided with Microsoft and dismissed the case before trial. ”
“Jones issued the ruling in the context of a class-action lawsuit brought by consumers “
hmmm, so the fact that this single judge didnt actualy bother to even hear the case in trial, yet its suddenly become a “ruling” doesnt strike you as odd….!
theres no ruling here…, only a judge that on the face of it, didnt see fit to drag MS through yet another US court room case, you have to wonder if he really even bothered to look up, and read the current “real rulings” cases such as pointed out in the linked original story above.
“New Jersey Supreme Court ruled that Internet service providers can’t disclose a subscriber’s IP address to the police without a grand jury subpoena.
…
“We now hold that citizens have a reasonable expectation of privacy … in the subscriber information they provide to internet service providers–just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies,” the court stated in its unanimous decision. “
and not only did that “New Jersey Supreme Court ruled about the IP, but also the personal datastreams that go with it…
http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=81306
“…
With the case, the New Jersey Supreme Court joined European authorities in holding that IP addresses are private.
The ruling seems to signal that the court is concerned about privacy erosion in a society where data is increasingly stored digitally. Lee Tien, a lawyer with the digital rights group Electronic Frontier Foundation, called the holding a “harbinger of a trend” toward protecting online privacy. That organization, along with the ACLU, Electronic Privacy Information Center and others, filed a friend of the court brief in the case.
The New Jersey court specifically examined not just IP addresses, but also the clickstream data associated with particular addresses, and appeared to find an expectation of privacy in that data as well. “With a complete listing of IP addresses, one can track a person’s Internet usage,” the opinion reads. The court then quoted a law review article by privacy expert Daniel Solove for the proposition that clickstream data can allow the government to learn “the names of stores at which a person shops, the political organizations a person finds interesting, a person’s … fantasies, her health concerns, and so on.”
The court went on to hold that users only disclose information to Internet service providers for the limited purpose of being able to access the Web “and not to promote the release of personal information to others.”
“Under our precedents, users are entitled to expect confidentiality under these circumstances,” the court wrote.
…
“
IP Not personally identifiable
But which IP I had, when, is.
And furthermore, how do we distinguish from people who chose to have a static IP? Then does this not identify someone?
Is a phone number any different?
“It doesn’t identify a person, but a phone”
Nice rhetoric
…
Colises, you need to use the right tool for the right job, in your case with trying to gain access to such a repressive country as the US , your first port of call would be to use a selection of these proxys so as to appear inside the US borders on your temp ISP connection rather than IP spoofing.
http://proxy.skynetblogs.be/