My Address Is None.Of.Your.Business
Many years ago, back when 2 32 was more than enough for anyone, the notion was that every computer on the Internet would have its own IP address, but the fact that 4,294,967,296 isn't enough has led large networks, including almost all consumer ISPs, to use DHCP, so users don't keep their addresses anymore for very long. Any system for tracking them by IP address would be unreliable.
So what does it mean to treat IP addresses as personal data?
When I send you an e-mail, what you receive includes a set of e-mail headers that shows the IP addresses of every computer along the way, including the computer I used to send the message. It has become standard practice for e-mail systems and security systems to track these IP addresses, partly to note which ones are being abusive. Often spam-fighting organizations, including recipient ISPs, will report on abuse by specific IPs. Organizations like Spamhaus not only track IP addresses and the abuse they perform, but make that information available to all comers. Once again, this is a good thing.
Web servers, by default, log all interaction including the IP address of the system that contacted them. This can be useful for tracking abuse. Some argue, as does The New York Times Bits blogger, that a Web site tracking IP addresses is tracking personally identifiable information; me, I just don't see the big deal. It's nowhere near as effective as using cookies to track people, and I don't think that's such a big deal either.
Remember, because of NAT and DHCP, you can't reliably track most users by IP address, even though you might track their IP address. So does the EU propose that it be more difficult for companies to justify tracking IP addresses?
In the end, what worries me most is that a lot of security practice involves tracking IP addresses. Maybe you can't identify people by name through it, but you can do useful analysis of it. I hope the EU is careful not to ban such analysis or make it impossibly complex.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.