By Nate Anderson | Published: February 22, 2008 – 01:20PM CT
In a new public policy posting, Google software engineer Alma Whitten made the case that IP addresses aren’t so much personal information as potentially personal information. Many IP addresses assigned to consumers don’t reliably map to a single machine (due to the wonders of DHCP), and even when they do, it’s only the machine and not the person who is identified. Google clearly hopes to avoid a “black-and-white declaration that all IP addresses are always personal data.”
The possibility was raised last month at a hearing of the European Parliament’s Civil Liberties Committee. At the hearing, European data protection authorities put forward the idea of adding IP addresses to the list of personal information, but Google’s Global Privacy Counsel Peter Fleischer objected in words that might sound familiar. “There is no black or white answer,” Fleischer said. “Sometimes an IP address can be considered as personal data and sometimes not; it depends on the context, and which personal information it reveals.”
Germany’s Federal Data Protection Commissioner, Peter Schaar, reiterated the idea two weeks ago when he told the Financial Times that he supports making IP addresses into personal information, and that he is also confident the idea will pass legislative scrutiny.
In opposing that view, Whitten’s blog post makes the case that IP addresses are only sometimes personally identifiable, then goes on to say that web sites should have the freedom to continue recording the numbers. This is important to Google, of course, which uses IP addresses to help combat click fraud and do geographic targeting, among other things.
“IP addresses recorded by every web site on the planet without additional information should not be considered personal data,” said Whitten, “because these websites usually cannot identify the human beings behind these number strings.” That’s generally true, though these IP addresses can be looked up and linked with specific machines by ISPs acting under court order.
While European regulations wouldn’t necessarily affect Google’s operations in the rest of the world, the company certainly doesn’t want to see a precedent for this sort of IP address protection. The blog post concludes, “The policy debate about data protection and IP addresses will continue, but it’s important to have a firm grasp of the technical realities of the debate in order to reach conclusions that makes sense.”
Translation: if legislators really understood what they were regulating, they’d agree with us.