Home
 » ISP News » 
Sponsored

UPD European Court Rules IP Internet Addresses are Personal Information

Thursday, October 20th, 2016 (4:24 pm) - Score 2,329
ip address internet protocol

Every device that connects to the Internet needs an Internet Protocol (IP) address to be assigned by your broadband / mobile ISP, but is that address “personal“? According to a new ruling from the European Court of Justice (ECJ), yes it is.. sort of.

Firstly, we should point out that IP addresses tend to either be Static (i.e. the address stays the same even after you disconnect), Dynamic (i.e. the address may change if you have to reconnect) or Dynamic CGNAT / Shared (i.e. the address may change, but it can also be shared by other users at the same time as yourself). Most people connect via the dynamic system, while business connections usually adopt a static one.

The next thing to consider is that an IP address connects to a device (e.g. broadband router), which usually belongs to the bill payer. But the service itself could also be shared between many other users, such as on a public WiFi or business network. On top of that your IP address, which is owned by the network operator, is exposed to the Internet as you surf around and use different services (i.e. you have to share your IP with any server that you wish to access and all of those in-between).

In that sense a dynamic IP address isn’t strictly personal information because you can almost never be sure of the exact user. However some do contend that if, for example, vehicle registration marks are seen as personal data then so should be the same for an IP. But of course cars are much more strictly licensed, owned, taxed and drivers can be identified directly by using eyes or cameras etc. The Internet is more complex.

However we now have an interesting case, which was pushed by Patrick Breyer (German Pirate Party) against the German Government. Patrick accessed a number of websites run by the German government and was unhappy to find that his IP address, along with other data, was being stored in log files and that they were searchable by third-parties.

The former is fairly normal (all websites know your IP in order to process requests and for security measures etc.) and so is the latter because nearly all websites gather statistics that include IP data, which is often processed by third parties like Google etc.

But the German government dismissed Patrick’s complaint and his subsequent appeals because he was using a Dynamic IP (i.e. the actual user / owner couldn’t be accurately identified) and so he took his case to the ECJ, which was asked to consider the following two points.

ECJ Points for Review

(1) Must Article 2(a) of Directive 95/46 … be interpreted as meaning that an internet protocol address (IP address) which an [online media] service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?

(2) Does Article 7(f) of [that directive] preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?’

The ECJ has now ruled that, in the case of no.1 above, the directive “must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.”

In short, a dynamic IP address can technically now be considered personal information, assuming you can legally get the associated ISP to help with that identification (easier said than done). It’s a decision that could have far reaching ramifications, not only for Governments but also almost anybody who runs an Internet service or website in the EU. Tracking, processing and logging of IPs is a big part of how Internet services work.

However on point no.1 the ECJ did recognise that it “must be determined whether the possibility to combine a dynamic IP address with the additional data held by the [ISP] constitutes a means likely reasonably to be used to identify the data subject.”

The court noted that identification of the data subject may run into problems if it’s “prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant.”

Most ordinary websites would neither be able, nor have the resources or desire, to go through the courts in order to identify one of their users, which is also assuming they even have a viable IP address or legal grounds to make such a request to an ISP in the first place (plus the ISP may not even hold the data). This is an IP address that, we must not forget, is neither created nor owned by the Internet user. Fun.

As for no.2, the ECJ ruling didn’t change much and confirmed that “an online media services provider may collect and use personal data relating to a user of those service, without his consent, only in so far as the collection and use of that information are necessary to facilitate and charge for the specific use of those services by that user” (a little ambiguous, as perhaps intended).

The full ruling can be read here and at this stage some aspects still appear open to interpretation, which may need to be tested in further cases before we know precisely how this might affect the wider online world.

UPDATE 21st October 2016

It’s been noted to us by Patrick Breyer himself that the English translation of the judgement (as linked above), which was originally made in French, suffers from what may be a small but critical flaw in the language.

Paragraph 49, which concludes the outcome for point no.1, states: “where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.” But the French version reads, “lorsqu’il dispose de moyens légaux lui permettant de faire identifier la personne concernée grâce aux informations supplémentaires dont dispose le fournisseur d’accès à Internet de cette personne.”

Now my French is appalling and I wouldn’t trust any of the online translators with this, but in Breyer’s view the French version actually translates to “let [a third party] identify.” Put another way, while also taking account of Paragraph 47 (“competent authority … can take the steps necessary to obtain that information from the internet service provider and to bring criminal proceedings“), even if the data processor has no legal means of identification, its data can be identified by other processors and that suffices to make it personal data.

So in theory it is not required that the website operator can identify a user, instead it is sufficient that he/she can merely have him identified by the authorities. On the other hand the ECJ was not tasked with deciding on some of the wider issues, such as whether website operators may retain IP addresses in bulk or whether the users privacy rights prevail. No doubt future cases may have to examine those.

Leave a Comment
4 Responses
  1. Avatar Steve Jones

    Interesting. There are a few sites (Wikipedia for one) that records the originating IP address and makes it available. In the case of Wikipedia it’s to record the IP address that changed an entry where anonymous editing is allowed (assuming it still is). There’s one very good reason to allow IP addresses to be publicly viewed in some cases, and that’s it helps identify sock-puppets. There’s certainly been a few cases of that on Wikipedia.

    In any event, it’s unclear how this pans out and what it means in practice. I don’t see it impacting private logs at all. I recently had an email account locked because of multiple attempts to log on with the wrong password, and it’s rather useful to be able to see the activity log against the account and where the attempts came from.

  2. Avatar Regis

    how does this affect the system where multiple users share the same ip? eg mobiles

  3. Avatar Sam

    You can bet there is a reason for this decision that has nothing to do with protecting us and everything to do with protecting them whoever they are, i.e., the upper crust. Always this is how it works out. Making their corporations people how did that work out for us, so they can rob and murder us with impunity. Already, the new owner’s of the Internet are making their move.

    • Avatar Mike

      “More broadly, Conrad and other ICANN officials stressed, it doesn’t make sense to suggest a country controls the internet which, Conrad said, “is comprised of a set of privately operated networks which agree to exchange traffic using a common set of protocols. There is no central point of control of the internet at all. So, the idea that the U.S. is somehow giving up control through a contract that its entire purpose is to allow the administration of a set of identifiers is just sort of ludicrous.” – Politifact

      At a technical level, the very premise you base your last claim on is false.

Comments RSS Feed

Javascript must be enabled to post (most browsers do this automatically)

Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.

Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.

NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.

NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
Cheapest Superfast ISPs
  • Hyperoptic £19.95 (*22.00)
    Avg. Speed 50Mbps, Unlimited
    Gift: Promo Code: HYPER20
  • NOW TV £22.00 (*40.00)
    Avg. Speed 36Mbps, Unlimited
    Gift: None
  • SSE £22.00
    Avg. Speed 35Mbps, Unlimited
    Gift: None
  • xln telecom £22.74 (*47.94)
    Avg. Speed 66Mbps, Unlimited
    Gift: None
  • Vodafone £22.95
    Avg. Speed 35Mbps, Unlimited
    Gift: None
Prices inc. Line Rental | View All
The Top 20 Category Tags
  1. BT (2697)
  2. FTTP (2546)
  3. FTTC (1745)
  4. Building Digital UK (1685)
  5. Politics (1580)
  6. Openreach (1544)
  7. Business (1365)
  8. FTTH (1287)
  9. Statistics (1192)
  10. Mobile Broadband (1161)
  11. Fibre Optic (1037)
  12. 4G (1001)
  13. Wireless Internet (988)
  14. Ofcom Regulation (987)
  15. Virgin Media (963)
  16. EE (668)
  17. Sky Broadband (651)
  18. TalkTalk (634)
  19. Vodafone (628)
  20. 5G (464)
Promotion
Helpful ISP Guides and Tips
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact