IP Addresses Are Considered Personally Identifiable Information in the EU
There’s a very interesting report out on the fact that IP addresses are now potentially considered personally identifiable information in the EU. Whoah! I’m sure people can think of their own reasons this might be a big deal, but here is just a small smattering of stuff that I came up with:
Advertising: banner ads are almost always pulled from a third party. That third party gets things like referrers and, what else, IP addresses! Sorry, say goodbye to third party ad revenue! Yes, that means you, Adsense and Overture! People can no longer leak that information to you as it’s PII!
Tracking Pixels: tracking pixels are used by companies all over the world because it’s often easier than dealing with their own logs and buying and configuring their own log analysis software (especially if they get a lot of traffic). So Omniture and Google’s Urchin could be hard hit here.
Embedded content: There are tons of bulletin boards, message boards, blogs, etc… out there that allow images to be posted off host. People like it because it doesn’t force them to have to build upload scripts, and maintain them. Sorry, no more embedded content, and that includes things like Youtube because that would leak the people’s IP addresses to third parties. Also, things like Gmodules which often pull in content from other domains would be a big no no without some changes. Same with Google cache, translation services, etc… etc…!
There’s dozens of issues out there, but you’ll notice that this particular issue would wreak havoc on Google’s business model if it’s ever fully enforced. It’ll be interesting to see how this plays out and if there is any other tricky way people can use to get around this (like hashing the IP or stripping off the last bits - which is mentioned in the last part of the article but probably isn’t much actual protection since that only makes it 255 times harder to guess at best). This is one to watch folks!
January 22nd, 2008 at 10:31 am
This is already the case in several countries, such as Germany.
January 22nd, 2008 at 12:50 pm
IP address is appropriately categorized as PII, even if you can’t tie it to just one user in every instance. Your home address and birthdate are similar examples.
However, if a company acknowledges (by way of a privacy policy) what PII is collected and how they use it, haven’t they adequately made the user aware of the practices? Perhaps legislation will regulate how IP addresses have to be stored and segmented, but it’s the user’s choice to agree to the policy by accessing the website/application/widget.
I agree it does make for an interesting snafu with embedded content where agreement to any policy is hardly explicit, except on the part of the website owner and not the viewers.
January 22nd, 2008 at 2:37 pm
I doubt it would ever be fully enforced - while the EU is very protective of it’s consumers, it’s not about to go destroying businesses left right and center.
January 22nd, 2008 at 9:42 pm
I guess they will just add into some usage agreements so users have to expose their IP (and more) after all.
Much like UAC in Vista. If a user is to launch a cute program but requiring admin rights, he wouldn’t know its a trojan. Poof. Security, and privacy, there you go.
January 24th, 2008 at 12:56 pm
in the us we are already seeing ip addresses as pii; case in point de-identification of PHI lists 18 identifiers of which ip address is one.
privacy is not dead.. damn close though.
January 26th, 2008 at 11:13 am
Hi.
Do you know about any software that can disguise you as googlebot (both user agent and ip). I want to see the content of a cloaked page that uses noarchive tag. is that possible ??
thanks for a great blog.
January 26th, 2008 at 9:04 pm
Reminisces the innovative widget of IP!
January 27th, 2008 at 6:48 am
@Peter
You cant spoof ips on the internet and you cant spoof tcp at all. Maybe you could try playing with the google translator (or other google services). You might get it to work as a proxy.
January 27th, 2008 at 8:19 am
@Peter - or you can just look at the cached page in Google, unless you need to see the headers, then you might just be out of luck.
January 28th, 2008 at 4:26 am
@Keith;
Oh indeed, apart from the fact that you might just have to visit the website in order to view their privacy policy. Just like some companies put they EULA inside the shrinkwrap with statements similar to: “by opening this shrinkwrap you agree to this EULA”, utter-horsecrap.
It does present some interesting issues and possible lawsuits for us to ponder.
January 30th, 2008 at 5:20 pm
Erm… has the author totally forgotten how the web works?
in all of these examples, the PII is never passed to the third party from the main website..
The main website give the user’s browser a link to the third party’s server, which the user’s computer sends it’s IP address to. The PII is being sent directly from the user to the 3rd party…The main site has _no_ communication with the third party in this transaction, hence they can’t be said to have transfered any confidential data whatsoever.
There may be situations that will be affected by this (especially surrounding publicising the subsequent log files etc).. but those 3 aren’t.. sorry.
Jeff…
January 31st, 2008 at 8:34 am
@Jeff - I’m pretty sure I know how the web works. No threat of my ignorance there. However, I think you are failing to see the point. If I do go to a site and those “links” - which aren’t actually links, but iframes and JavaScript - the computer automatically sends their IP (which is now considered PII) to the third party. The third party now knows who has visited the original site. The original website didn’t have to communicate that information (in the same way they don’t have to communicate passwords to have them stolen via XSS - that doesn’t make that not a vulnerability).
My interpretation may be wrong given the fact that I haven’t read the individual laws and I don’t believe there is precedence set, but as stated, there are far and wide reaching implications that definitely would include issues like this (leaking the IP address of who has visited your site to others).