Are IP addresses personal information?
Internet protocol (IP) addresses, a string of numbers that identifies a computer, should generally be regarded as personal information, the head of the European Union’s group of data privacy regulators said on Monday.
Germany’s data-protection commissioner, Peter Scharr, leads the EU group preparing a report on how well the privacy policies of internet search engines operated by Google, Yahoo!, Microsoft and others comply with EU privacy law.
He told a European Parliament hearing on online data protection that when someone was identified by an IP address, “then it has to be regarded as personal data”.
His view differs from that of Google, which insists an IP address merely identifies the location of a computer, not who the individual user is—something strictly true but which does not recognise that many people regularly use the same computer terminal and IP address.
Scharr acknowledged that IP addresses for a computer may not always be personal or linked to an individual. For example, some computers in internet cafés or offices are used by several people.
But these exceptions have not stopped the emergence of a host of “whois” internet sites that apply the general rule that typing in an IP address will generate a name for the person or company linked to it.
Treating IP addresses as personal information would have implications for how search engines record data.
Google led the pack by being the first last year to cut the time it stored search information to 18 months. It also reduced the time limit on the cookies that collect information on how people use the internet from a default of 30 years to an automatic expiry of two years.
But a privacy advocate at the non-profit Electronic Privacy Information Centre (Epic) said it was “absurd” for Google to claim that stripping out the last two figures from the stored IP address made the address impossible to identify by making it one of 256 possible configurations.
“It’s one of the things that make computer people giggle,” Epic executive director Marc Rotenberg said. “The more the companies know about you, the more commercial value is obtained.”
Google’s global privacy counsel Peter Fleischer, however, said Google collects IP addresses to give customers a more accurate service because it knows what part of the world a search result comes from and language is used—and that is not enough to identify an individual user.
“If someone taps in ‘football’, you get different results in London than in New York,” he said.
He said the way Google stores IP addresses means one of them forms part of a crowd, giving valuable information on general trends without infringing on an individual’s privacy.
Google says it needs to store search queries and gather information on online activity to improve its search results and to provide advertisers with correct billing information that shows that genuine users are clicking on online ads.
Internet “click fraud” can be tracked down by showing that the same IP address is jumping repeatedly to the same ad. Advertisers pay for each time a different person views the ad, so dozens of views by the same person can rack up costs without giving the company the publicity it wanted.
Microsoft does not record the IP address that identifies an individual computer when it logs search terms. But then its internet strategy relies on users logging into the Passport network that is linked to its popular Hotmail and Messenger services.
The company’s European internet policy director, Thomas Myrup Kristensen, described the move as part of Microsoft’s commitment to privacy.
“In terms of the impact on user privacy, complete and irreversible anonymity is the most important point here—more impactful than whether the data is retained for 13 versus 18 versus 24 months,” he said.
But neither of the search engines received a pat on the back from Spain’s data-protection regulator, Artemi Rallo Lombarte, who criticised them for not trying to make their privacy policies accessible to normal people.
Their privacy policies “could very well be considered virtual or fictional ... because search engines do not sufficiently emphasise their own privacy policies on their home pages, nor are they accessible to users”, he said, describing the policies as “complex and unintelligible to users”.—Sapa-AP