4 min read

European Regulators Mull Protecting IP Addresses

The proposal suggests that when a person can be identified by an IP address, that information should be treated as personal information.
While government agencies in the United States still struggle with keeping Social Security numbers from being readable through envelope windows -- as recently happened in Wisconsin -- European regulators are debating whether Internet Protocol (IP) addresses should be protected as if they were sensitive personal data.

The issue was discussed on Monday at a meeting of the European Parliament's Committee on Civil Liberties, Justice, and Home Affairs and representatives of Google, Microsoft, Yahoo, and the Interactive Advertising Bureau (IAB) Europe, among others, were present to guard the online ad business against new, potentially burdensome privacy requirements.

Peter Scharr, Germany's data protection commissioner, reportedly said that when a person can be identified by an IP address, that information should be treated as personal information. Other European policy groups, such as the Article 29 Working Party, and politicians, including Portuguese MEP Carlos Coelho of the Center-right European People's Party, apparently share this view.

"It's interesting that this is being led by Germany," said Dave Jevans, chairman of the Anti-Phishing Working Group and CEO of Iron Key. "Germany is putting in laws that require every ISP to track IP addresses for law enforcement purposes. I find it somewhat ironic."

Jevans also observed that Germany is pushing to require anonymization services to retain records of the IP addresses of their users. This, of course, would make such services something less than anonymous.

Were IP addresses to be categorized as personal information, Web sites, search engines, and advertisers would have to change the way they handle and store IP data in order to comply with more stringent privacy standards. Such change typically comes at a cost.

Mike Zaneis, VP of public policy for the Interactive Advertising Bureau, the U.S. counterpart of IAB Europe, said that the IAB generally supports a self-regulatory approach. He cautioned against embracing rules that would hinder the ability of advertisers to deliver relevant ads. "The relevancy of the ads is what pays for the free content online," he said, noting that limitations on storing IP addresses could curtail free Internet services.

Ray Everett-Church, director of policy for e-mail reputation company Habeas, observes that U.S. health care privacy law already contemplates IP addresses as potentially being part of what might be considered personally identifiable information, in situations where the numbers could be associated with other identifying information. "While an IP address could be stable enough over time to be linked to an individual in a reliable way, given the prevalence of dynamic IP addresses it's very much a moving target," he said in an e-mail. "It makes sense to consider that an IP address could be personally identifiable when associated with other information -- the kind of information in the hands of companies like Google and Microsoft -- but all by itself, an IP address tells you nothing more personal about somebody than any other random assortment of numbers."

"If [the European proposal] gains traction, it's going to have a big impact on online advertising and search engines," said Jevans, who expressed skepticism about the idea.

Google's chief privacy counsel, Peter Fleischer, spoke at a Monday afternoon panel on search privacy. In the process of reiterating Google's continued commitment to privacy and defending Google's acquisition of DoubleClick, he expressed support for the sort of self-regulation favored by the U.S. Federal Trade Commission and tech industry groups.

"The FTC proposals can serve as a good foundation for establishing self-regulatory practices as they touch on each important privacy and security issue implicated in online advertising: transparency, consumer choice, security, and protection of sensitive personal data such as health condition or sexual orientation," said Fleischer in prepared remarks. "We will engage with the FTC and industry to work through these principles."

While Jevans believes the United States is a long way from embracing anything like the proposed European regulations, he suggested that classifying IP addresses as personally identifiable information (PII) might be a way to make the push for broader government surveillance powers more palatable. "If [law makers] make people read [IP addresses] as PII, they may, in the same fell swoop, add more data retention requirements," he said.

A consequence of that, Jevans said, might be to make anonymizing software and services, like Tor and Anonymizer, more controversial and perhaps more popular. "It's funny," he said, "because that stuff was originally developed by the Navy and now they hate it."