Everyone believes in privacy (except Scott McNealy); we just differ on how much is the right amount. It is possible to go too far in advocating for privacy. That way lies uncertainty.
This seems to be the fate of the European Union, whose Data Privacy Commission leader recently said that IP addresses are personal data when they are used to identify people. This is an example of privacy priorities run amok.
It’s 25 years now since TCP/IP became the protocol of the Internet (actually it was the Arpanet at the time), and in all that time tools and systems have been developed that begin with the assumption that IP addresses want to be found and want to be identified. For instance, as the article about the EU I linked to notes, “whois” services have developed to identify owners of IP addresses. This is a good thing.
I’m on the Verizon FiOS network here, and I ran my outside IP address on the whois service provided by ARIN (the American Registry for Internet Numbers, the body responsible for allocating IP addresses in the United States, Canada, a number of Caribbean and Pacific islands, and Antarctica). Here’s what it shows:
OrgName: Verizon Internet Services Inc.
OrgID: VRIS
Address: 1880 Campus Commons Dr
City: Reston
StateProv: VA
PostalCode: 20191
Country: US
NetRange: 71.160.0.0 – 71.191.255.255
CIDR: 71.160.0.0/11
NetName: VIS-BLOCK
NetHandle: NET-71-160-0-0-1
Parent: NET-71-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.BELLATLANTIC.NET
NameServer: NS2.BELLATLANTIC.NET
NameServer: NS2.VERIZON.NET
NameServer: NS4.VERIZON.NET
Comment:
RegDate: 2005-06-01
Updated: 2006-12-29
OrgAbuseHandle: VISAB-ARIN
OrgAbuseName: VIS Abuse
OrgAbusePhone: +1-214-513-6711
OrgAbuseEmail: security@verizon.net
OrgTechHandle: ZV20-ARIN
OrgTechName: Verizon Internet Services
OrgTechPhone: 800-243-6994
OrgTechEmail: IPNMC@gnilink.net
# ARIN WHOIS database, last updated 2008-01-21 19:10
# Enter ? for additional hints on searching ARIN’s WHOIS database.
Like domain name whois information, the point of this is to allow others on the network to make contact for official purposes, such as to notify them of security problems emanating from that network. The answer above doesn’t identify me; it identifies my ISP and says a little something about how its network is configured. Of course, for almost all individual users this information will relate to their ISP as opposed to themselves.
You can identify me further by looking up my reverse DNS: in Windows, go to the command line and enter “NSLOOKUP <IP address>.” The reverse DNS is a unique name that corresponds to that one address. Sometimes there are things you can infer about a user from the name, but usually it’s no more informative than the IP address itself.
My Address Is None.Of.Your.Business
Many years ago, back when 2^32 was more than enough for anyone, the notion was that every computer on the Internet would have its own IP address, but the fact that 4,294,967,296 isn’t enough has led large networks, including almost all consumer ISPs, to use DHCP, so users don’t keep their addresses anymore for very long. Any system for tracking them by IP address would be unreliable.
So what does it mean to treat IP addresses as personal data?
When I send you an e-mail, what you receive includes a set of e-mail headers that shows the IP addresses of every computer along the way, including the computer I used to send the message. It has become standard practice for e-mail systems and security systems to track these IP addresses, partly to note which ones are being abusive. Often spam-fighting organizations, including recipient ISPs, will report on abuse by specific IPs. Organizations like Spamhaus not only track IP addresses and the abuse they perform, but make that information available to all comers. Once again, this is a good thing.
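To make the header tracking described above concrete, here is an added Python example (not part of the original column) that reads the Received headers of a message, lists the hop addresses in order, and tallies the connecting address the way an abuse tracker would. The sample message, its hostnames and documentation-range addresses, and all function names are constructed for illustration; it assumes the topmost Received header was written by the recipient's own server.

```python
import re
from collections import Counter
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample message; hosts and addresses are illustrative only.
SAMPLE = """\
Received: from mail.sender.example (mail.sender.example [198.51.100.25])
\tby mx.recipient.example with ESMTP; Mon, 21 Jan 2008 19:10:00 -0500
Received: from desktop (unknown [192.168.1.20])
\tby mail.sender.example with ESMTP; Mon, 21 Jan 2008 19:09:58 -0500
From: alice@sender.example
Subject: constructed sample

body
"""

BRACKETED_V4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def header_ips(header):
    """Valid IPv4 literals in one Received header."""
    out = []
    for text in BRACKETED_V4.findall(header):
        try:
            out.append(ip_address(text))
        except ValueError:
            pass  # bracketed digits that are not a real address
    return out

def hop_ips(raw):
    """All hop addresses, ordered sender -> recipient."""
    # Each relay prepends its header, so the newest hop comes first.
    headers = message_from_string(raw).get_all("Received", [])
    return [ip for h in reversed(headers) for ip in header_ips(h)]

def handoff_ip(raw):
    """Address our own server recorded for the connecting host.
    Headers below the topmost one are supplied by the sending side."""
    headers = message_from_string(raw).get_all("Received", [])
    ips = header_ips(headers[0]) if headers else []
    return ips[0] if ips else None

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def tally_handoffs(messages):
    """Count messages per connecting address, as an abuse tracker would."""
    return Counter(str(ip) for ip in map(handoff_ip, messages) if ip)
```

The first hop in the sample is a private (NAT) address, which says nothing about who sent the message; the address worth counting is the one the receiving server itself recorded.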
Web servers, by default, log all interaction including the IP address of the system that contacted them. This can be useful for tracking abuse. Some argue, as does The New York Times Bits blogger, that a Web site tracking IP addresses is tracking personally identifiable information; me, I just don’t see the big deal. It’s nowhere near as effective as using cookies to track people, and I don’t think that’s such a big deal either.
Remember, because of NAT and DHCP, you can’t reliably track most users by IP address, even though you might track their IP address. So does the EU propose that it be more difficult for companies to justify tracking IP addresses?
In the end, what worries me most is that a lot of security practice involves tracking IP addresses. Maybe you can’t identify people by name through it, but you can do useful analysis of it. I hope the EU is careful not to ban such analysis or make it impossibly complex.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s blog Cheap Hack.