European Regulators Mull Protecting IP Addresses - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Software // Information Management
07:46 PM
Connect Directly

European Regulators Mull Protecting IP Addresses

The proposal suggests that when a person can be identified by an IP address, that information should be treated as personal information.

While government agencies in the United States still struggle with keeping Social Security numbers from being readable through envelope windows -- as recently happened in Wisconsin -- European regulators are debating whether Internet Protocol (IP) addresses should be protected as if they were sensitive personal data.

The issue was discussed on Monday at a meeting of the European Parliament's Committee on Civil Liberties, Justice, and Home Affairs and representatives of Google, Microsoft, Yahoo, and the Interactive Advertising Bureau (IAB) Europe, among others, were present to guard the online ad business against new, potentially burdensome privacy requirements.

Peter Scharr, Germany's data protection commissioner, reportedly said that when a person can be identified by an IP address, that information should be treated as personal information. Other European policy groups, such as the Article 29 Working Party, and politicians, including Portuguese MEP Carlos Coelho of the Center-right European People's Party, apparently share this view.

"It's interesting that this is being led by Germany," said Dave Jevans, chairman of the Anti-Phishing Working Group and CEO of Iron Key. "Germany is putting in laws that require every ISP to track IP addresses for law enforcement purposes. I find it somewhat ironic."

Jevans also observed that Germany is pushing to require anonymization services to retain records of the IP addresses of their users. This, of course, would make such services something less than anonymous.

Were IP addresses to be categorized as personal information, Web sites, search engines, and advertisers would have to change the way they handle and store IP data in order to comply with more stringent privacy standards. Such change typically comes at a cost.

Mike Zaneis, VP of public policy for the Interactive Advertising Bureau, the U.S. counterpart of IAB Europe, said that the IAB generally supports a self-regulatory approach. He cautioned against embracing rules that would hinder the ability of advertisers to deliver relevant ads. "The relevancy of the ads is what pays for the free content online," he said, noting that limitations on storing IP addresses could curtail free Internet services.

Ray Everett-Church, director of policy for e-mail reputation company Habeas, observes that U.S. health care privacy law already contemplates IP addresses as potentially being part of what might be considered personally identifiable information, in situations where the numbers could be associated with other identifying information. "While an IP address could be stable enough over time to be linked to an individual in a reliable way, given the prevalence of dynamic IP addresses it's very much a moving target," he said in an e-mail. "It makes sense to consider that an IP address could be personally identifiable when associated with other information -- the kind of information in the hands of companies like Google and Microsoft -- but all by itself, an IP address tells you nothing more personal about somebody than any other random assortment of numbers."

"If [the European proposal] gains traction, it's going to have a big impact on online advertising and search engines," said Jevans, who expressed skepticism about the idea.

Google's chief privacy counsel, Peter Fleischer, spoke at a Monday afternoon panel on search privacy. In the process of reiterating Google's continued commitment to privacy and defending Google's acquisition of DoubleClick, he expressed support for the sort of self-regulation favored by the U.S. Federal Trade Commission and tech industry groups.

"The FTC proposals can serve as a good foundation for establishing self-regulatory practices as they touch on each important privacy and security issue implicated in online advertising: transparency, consumer choice, security, and protection of sensitive personal data such as health condition or sexual orientation," said Fleischer in prepared remarks. "We will engage with the FTC and industry to work through these principles."

While Jevans believes the United States is a long way from embracing anything like the proposed European regulations, he suggested that classifying IP addresses as personally identifiable information (PII) might be a way to make the push for broader government surveillance powers more palatable. "If [law makers] make people read [IP addresses] as PII, they may, in the same fell swoop, add more data retention requirements," he said.

A consequence of that, Jevans said, might be to make anonymizing software and services, like Tor and Anonymizer, more controversial and perhaps more popular. "It's funny," he said, "because that stuff was originally developed by the Navy and now they hate it."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Why 2021 May Turn Out to be a Great Year for Tech Startups
John Edwards, Technology Journalist & Author,  2/24/2021
How GIS Data Can Help Fix Vaccine Distribution
Jessica Davis, Senior Editor, Enterprise Apps,  2/17/2021
11 Ways DevOps Is Evolving
Lisa Morgan, Freelance Writer,  2/18/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Flash Poll