Software // Information Management
07:46 PM
Connect Directly

European Regulators Mull Protecting IP Addresses

The proposal suggests that when a person can be identified by an IP address, that information should be treated as personal information.

While government agencies in the United States still struggle with keeping Social Security numbers from being readable through envelope windows -- as recently happened in Wisconsin -- European regulators are debating whether Internet Protocol (IP) addresses should be protected as if they were sensitive personal data.

The issue was discussed on Monday at a meeting of the European Parliament's Committee on Civil Liberties, Justice, and Home Affairs and representatives of Google, Microsoft, Yahoo, and the Interactive Advertising Bureau (IAB) Europe, among others, were present to guard the online ad business against new, potentially burdensome privacy requirements.

Peter Scharr, Germany's data protection commissioner, reportedly said that when a person can be identified by an IP address, that information should be treated as personal information. Other European policy groups, such as the Article 29 Working Party, and politicians, including Portuguese MEP Carlos Coelho of the Center-right European People's Party, apparently share this view.

"It's interesting that this is being led by Germany," said Dave Jevans, chairman of the Anti-Phishing Working Group and CEO of Iron Key. "Germany is putting in laws that require every ISP to track IP addresses for law enforcement purposes. I find it somewhat ironic."

Jevans also observed that Germany is pushing to require anonymization services to retain records of the IP addresses of their users. This, of course, would make such services something less than anonymous.

Were IP addresses to be categorized as personal information, Web sites, search engines, and advertisers would have to change the way they handle and store IP data in order to comply with more stringent privacy standards. Such change typically comes at a cost.

Mike Zaneis, VP of public policy for the Interactive Advertising Bureau, the U.S. counterpart of IAB Europe, said that the IAB generally supports a self-regulatory approach. He cautioned against embracing rules that would hinder the ability of advertisers to deliver relevant ads. "The relevancy of the ads is what pays for the free content online," he said, noting that limitations on storing IP addresses could curtail free Internet services.

Ray Everett-Church, director of policy for e-mail reputation company Habeas, observes that U.S. health care privacy law already contemplates IP addresses as potentially being part of what might be considered personally identifiable information, in situations where the numbers could be associated with other identifying information. "While an IP address could be stable enough over time to be linked to an individual in a reliable way, given the prevalence of dynamic IP addresses it's very much a moving target," he said in an e-mail. "It makes sense to consider that an IP address could be personally identifiable when associated with other information -- the kind of information in the hands of companies like Google and Microsoft -- but all by itself, an IP address tells you nothing more personal about somebody than any other random assortment of numbers."

"If [the European proposal] gains traction, it's going to have a big impact on online advertising and search engines," said Jevans, who expressed skepticism about the idea.

Google's chief privacy counsel, Peter Fleischer, spoke at a Monday afternoon panel on search privacy. In the process of reiterating Google's continued commitment to privacy and defending Google's acquisition of DoubleClick, he expressed support for the sort of self-regulation favored by the U.S. Federal Trade Commission and tech industry groups.

"The FTC proposals can serve as a good foundation for establishing self-regulatory practices as they touch on each important privacy and security issue implicated in online advertising: transparency, consumer choice, security, and protection of sensitive personal data such as health condition or sexual orientation," said Fleischer in prepared remarks. "We will engage with the FTC and industry to work through these principles."

While Jevans believes the United States is a long way from embracing anything like the proposed European regulations, he suggested that classifying IP addresses as personally identifiable information (PII) might be a way to make the push for broader government surveillance powers more palatable. "If [law makers] make people read [IP addresses] as PII, they may, in the same fell swoop, add more data retention requirements," he said.

A consequence of that, Jevans said, might be to make anonymizing software and services, like Tor and Anonymizer, more controversial and perhaps more popular. "It's funny," he said, "because that stuff was originally developed by the Navy and now they hate it."

Comment  | 
Print  | 
More Insights
The Agile Archive
The Agile Archive
When it comes to managing data, donít look at backup and archiving systems as burdens and cost centers. A well-designed archive can enhance data protection and restores, ease search and e-discovery efforts, and save money by intelligently moving data from expensive primary storage systems.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Dec. 9, 2014
Apps will make or break the tablet as a work device, but don't shortchange critical factors related to hardware, security, peripherals, and integration.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.