Tuesday, February 26, 2008

Should IP Addresses Be Considered Personal Information?

Sun Microsystem's CEO, Scott McNealy, famously declared several years ago, "You have no privacy, get over it". Not all of us are too comfortable with that. As the internet becomes further integrated into our daily life experiences, our personal information is constantly being collected and passed around on an unprecedented scale.

Consumer groups and privacy advocates have sought legal recourse, and governments have been debating the extent to which digital privacy policies ought to have reach. The political battle becomes particularly clear when comparing the United States, which frames the issue in terms of protecting "personally identifiable information", with the European Union, which refers to it as "personal data". This distinction may seem trivial, but it gets at a fundamental question: Do we only have privacy rights over our social security number, credit report, and other traditional tools of identity management, or can we claim those same rights over our digital identity - such as IP addresses, Facebook profiles, and email messages - as well?

IP addresses are particularly controversial, and much of the legal debate over digital privacy focuses on them. Google's Public Policy Blog offers a solid layman's explanation:

An Internet Protocol (IP) address is an address for a computer on the Internet, which exists to allow data to be delivered to that computer. When you enter a website's name - like http://www.google.com - that is actually a handy shortcut for the website's IP address - right now, one of Google's is So when a website needs to send your computer something (for instance, your Google search results), it needs your IP address to send it to the right computer.

The situation gets a bit more complex, though, because the IP addresses that people use can change frequently. For instance, your Internet service provider (ISP) may have a block of 20,000 IP addresses and 40,000 customers. Since not everyone is connected at the same time, the ISP assigns a different IP address to each computer that connects, and reassigns it when they disconnect (the actual system is a bit more complex, but this is representative of how it works). Most ISPs and businesses use a variation of this "dynamic" type of assigning IP addresses, for the simple reason that it allows them to optimize their resources.

Because of this, the IP address assigned to your computer one day may get assigned to several other computers before a week has passed. If you, like me, have a laptop that you use at work, at home, and at your corner café, you are changing IP addresses constantly. And if you share your computer or even just your connection to your ISP with your family, then multiple people are sharing one IP address.

Europe has already passed policies which treat IP addresses as personal data that are legally protected as private information. The U.S. has thus far failed to do so, but efforts are underway at both the state and federal levels.

Companies like Google have lobbied hard to prevent IP addresses from being protected, arguing that since IP addresses on their own cannot reliably personally identify individuals, government intervention would only serve as an unnecessary burden on business. They tout how they've self-regulated by making their logs anonymous and by shortening the length of their cookies stored on people's computers. However, these statements are grossly misleading. Their logs remain anonymous only until a government subpoena requests more details (as was the case with Yahoo, MSN, and AOL), and the shortened cookie length is still numbered in terms of years.

In the meantime, these companies have only become more aggressive in creating digital profiles on us, scanning the content of our email messages and IM conversations, keeping records of all of our Google searches and websites we've visited, tracking our online purchases, and data mining all of our surfing habits. The is typically done in the name of more efficient marketing, which is likewise the reason why our information also is bought, sold, and traded between different companies on a regular basis. As of right now, legally we cannot see the information collected on ourselves, but third-party vendors can.

Without question, better privacy protections are vitally necessary and ought to be implemented - not only by allegedly self-regulating corporations, but also by governmental institutions. IP addresses are a good place to start.


Post a Comment

<< Home