Are IP addresses personal data?

ACS Law ruling raises some interesting questions

Let’s revisit that old chestnut: “Is an IP address you use in an internet session personal data about you?” The reason: I have just come across two legal references which relate to copyright infringement where the argument that an IP address is personal data was accepted.

The first reference I found was the Monetary Penalty Notice that ACS Law obtained (and the £200K fine that later became a £1K fine...). The company used to send ISPs a list of IP addresses suspected of being involved in breaches of copyright on a regular basis. (The company went out of business because of its poor security, which is why the eventual penalty was reduced to £1K.)

In the ACS Law Monetary Penalty Notice, the Information Commissioner's Office (ICO) clearly states:

The Commissioner understands that the data requests sent to each ISP by the data controller (in this case) were for information populating a spreadsheet containing hundreds and sometimes thousands of IP addresses. ... ISPs responded to the data controller by returning the spreadsheet with all the existing data, together with the name and address of the registered account holder that they had input alongside each entry.

So the ISPs mentioned above, presumably because they have blocks of IP addresses specifically allocated to them, were able to provide a link between a requested IP address and a specific individual account-holder. In this way, the IP address formed part of the personal data each ISP had in its possession.

This point was reinforced by a judicial review concerning the Digital Economy Act 2010, where it was claimed by many organisations that some regulations enacted by Government were incompatible with a number of provisions of EU law. One part of this argument related to the Data Protection Directive (DPD) 95/46/EC.

The judgement states that, as common ground between the parties, an IP address is personal data. In detail, it states that:

It is common ground that... (various provisions in the Digital Economy Act)... are likely to require ISPs to process “personal data” within the meaning of Articles 2(a) and (b) of the DPD. The ISP must link the IP address provided by the copyright owner with an individual subscriber’s name and address, and write to them and compile lists... [that can be supplied to Third Parties – paragraph 152].

So suppose an ISP allows other organisations to capture or monitor a user’s IP address, eg, for the purpose of behavioral marketing. As the ISP is processing personal data (see above), isn’t it allowing part of the personal data under its control (eg, the IP address it has been allocated, and possibly owns, which also relates to the browsing habits of a known individual) to be used for third party marketing?

As all Tribunal determinations on third party marketing have stated that this needs the prior consent of each data subject (ie, each and every account-holder), shouldn’t the ISP be doing something to alert or protect its customers from the use of their IP addresses for third party marketing? Like getting their consent, perhaps?

Now look at the issue from the standpoint of those behavioral marketeers that arrange for a pop-up box to appear after monitoring IP addresses; for convenience, I show examples of these boxes posted on Wiki. What is the purpose of the pop-up box? Answer, of course, “marketing”.

Note that many pop-up boxes shown provide links to enable direct contact with the customer. So where organisations are using/monitoring the IP address to identify potential leads, they know that identifying information about an individual is likely to come into their possession.

If this is the case, then this too falls within the UK Act’s definition of personal data. It follows that personal data is being processed for a marketing purpose, without the data subject having been given the advance choice to opt out of the marketing purpose (eg, in a fair processing notice).

Is the release of IP addresses like the release of anonymous statistics?

There are those who would argue that an IP address, by itself, does not identify the individual. In support, they might quote recent judgements about “anonymous statistics”, which appear to suggest that the disclosure of anonymised information, extracted from personal data, is not a release of personal data.

I argue that the release of these "anonymous statistics" and the release of IP addresses are not the same, and the two can be distinguished very easily, as follows.

Consider the ProLife Alliance Freedom of Information request to the Department of Health (DoH) for the release of abortion statistics concerning the number of late-term abortions. The DoH refused the request and claimed that the requested information was personal data, the Information Commissioner said the statistics were not personal data, the Tribunal said they were personal data, and Cranston J, in his judgement published in June, agreed with the Commissioner (but on different grounds).

Cranston J argued that to consider the requested data as personal data would establish a principle, which would prevent any publication of medical statistics, however broad. To justify his position, he then went on to examine whether identifiability was likely (a) in the hands of the data controller and (b) in the hands of recipients who get the statistics.

He was satisfied that if identification in the hands of the recipient was “extremely remote”, then the information was not personal data.

Now we come to the difference that distinguishes the disclosure of statistics and the disclosure of IP addresses. With the former, the data controller might be able to identify an individual from the statistics in conjunction with other information in its possession. By contrast, the recipient of the statistical data, following the logic of Cranston J, is remote from making such an identification.

This starkly contrasts with the disclosure or capture of IP addresses. Although an individual cannot be identified from just the IP address, the user or recipient of that IP address has every intent to identify a potential customer as part of his marketing purpose.

Additionally, the holder of the IP address knows that in the hands of the ISP, the IP address definitely forms part of a collection of personal data. With statistics, this point might not be so clear-cut: for instance the public authority might create a set of statistics for release under FOI where it cannot perform the back-identification.

That is why I am increasingly drawn to the conclusion that IP addresses have to be treated as personal data by behavioral marketers, as there is a prior intent to identify the individual behind the IP address.

I am also coming to the conclusion that ISPs can do more to protect their customers from unwanted marketing, especially if they own a block of IP addresses.

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.
