My Address Is None.Of.Your.Business

By Larry Seltzer  |  Posted 2008-01-22


Many years ago, back when 2^32 was more than enough for anyone, the notion was that every computer on the Internet would have its own IP address, but the fact that 4,294,967,296 isn't enough has led large networks, including almost all consumer ISPs, to use DHCP, so users don't keep their addresses for very long anymore. Any system for tracking them by IP address would be unreliable.

So what does it mean to treat IP addresses as personal data?

When I send you an e-mail, what you receive includes a set of e-mail headers that shows the IP addresses of every computer along the way, including the computer I used to send the message. It has become standard practice for e-mail systems and security systems to track these IP addresses, partly to note which ones are being abusive. Often spam-fighting organizations, including recipient ISPs, will report on abuse by specific IPs. Organizations like Spamhaus not only track IP addresses and the abuse they perform, but make that information available to all comers. Once again, this is a good thing.
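As an added illustration (not part of the original column), this Python example reads the `Received` headers of a message and lists the relay addresses in the order the mail travelled, flagging RFC 1918 addresses that sit behind NAT. The sample message is constructed and the function name `received_hops` is hypothetical.

```python
import email
import ipaddress
import re

# Constructed sample message; addresses come from documentation ranges.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.25])
\tby mail.example.org with ESMTP id A1; Tue, 22 Jan 2008 10:00:03 -0500
Received: from smtp.example.com (smtp.example.com [2001:db8::25])
\tby mx.example.net with ESMTP id B2; Tue, 22 Jan 2008 10:00:02 -0500
Received: from laptop (unknown [192.168.1.17])
\tby smtp.example.com with ESMTP id C3; Tue, 22 Jan 2008 10:00:01 -0500
From: sender@example.com
To: rcpt@example.org
Subject: constructed test message

body
"""

# Private IPv4 space: such an address is only meaningful inside its own network.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The connecting host's address literal appears in square brackets.
BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def received_hops(raw_message):
    """Return (ip, behind_nat) per hop, ordered from sender toward recipient."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each relay prepends its own Received line, so the top one is the newest.
    for header in reversed(msg.get_all("Received", [])):
        # Only the "from" clause names the connecting host; drop the "by" part.
        from_part = re.split(r"\s+by\s+", header, maxsplit=1)[0]
        match = BRACKETED.search(from_part)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # bracketed text that is not a valid address
        hops.append((str(ip), any(ip in net for net in RFC1918)))
    return hops


if __name__ == "__main__":
    for ip, behind_nat in received_hops(SAMPLE):
        print(ip, "(private, behind NAT)" if behind_nat else "")
```

Only the `Received` lines added by servers the recipient controls can be relied on; the lines beneath them are supplied by the sending side.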

Web servers, by default, log all interaction including the IP address of the system that contacted them. This can be useful for tracking abuse. Some argue, as does The New York Times Bits blogger, that a Web site tracking IP addresses is tracking personally identifiable information; me, I just don't see the big deal. It's nowhere near as effective as using cookies to track people, and I don't think that's such a big deal either.

Remember, because of NAT and DHCP, you can't reliably track most users by IP address, even though you might track their IP address. So does the EU propose that it be more difficult for companies to justify tracking IP addresses?

In the end, what worries me most is that a lot of security practice involves tracking IP addresses. Maybe you can't identify people by name through it, but you can do useful analysis of it. I hope the EU is careful not to ban such analysis or make it impossibly complex.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.

Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
