IP addresses and privacy sensitive data. A level playing field needed

Reading Peter Olthoorn’s book on Google (a link is found here), I ran into a passage on IP addresses. Where Google states that it does not see an IP address as privacy sensitive. An IP address could be used by more than one person, it claims. The Article 29 Working Party, the EU privacy commissioners, states that it is privacy sensitive as a unique identifier of a private person. It got me wondering whether it is this simple. Here a blog post meant to give some food for thought and debate. I invite you to think about the question ‘how private is an IP address’?

One person, one IP address

There is no doubt that if one person sits behind one IP address that this unique address will tell everything about this person as far as his online behaviour is concerned. But how unique is an IP address? There may be more examples, but these stick out most for me.

Carrier-graded NAT

In a world in which IPv4 is depleting fast, although a lot slower than predicted over the past years, ISPs prepare for the depletion by stacking more an more persons behind one IP address. Instead of migrating to IPv6 with a sheer endless range of IP addresses. The technique of stacking is called Çarrier-Graded NAT (An explanation is found on Wikipedia.) This means that more than one person is behind an IP address, perhaps a whole building, a village or more. So this takes away from an IP address’ uniqueness.

Mobile (and wifi)

The same goes for the mobile environment, where an IP address is used for one session and is given to the next person in line requesting access to the Internet. There’s nothing unique about this particular IP address as it is in use by different persons during time constantly. Also just think of the use of wifi in an hotel, bar, train station, airport, etc.

Court verdicts

What complicates matters is the fact that judges do not seem to acknowledge an IP address as a unique qualifier where proving the guild of spammers and scammers is concerned. In the case of Nigerian 419 scammers in Amsterdam a judge ruled that it could not be proven who pushed the button on a specific pc at a specific address. The defendants claimed that anybody in the neighbourhood walked in and used the pc, so anyone could have operated the scam. If this is the only prove a judge allows, there’s only one thing to it: be in the room when the perpetrator pushed the button. Of course this is (near) impossible.

OPTA recognised this problem from the first investigation and researches for any circumstantial evidence in spam cases. However in the latest case the CBb (College van Beroep voor het bedrijfsleven) ruled out the evidence provided by OPTA that it could not be proven beyond doubt that two of the defendants, even as they profited hugely, could be seen as “the sender”. (The third fled the country after the visitation by OPTA and never filed for appeal.)

In other words the IP address used by the spammers and scammers is not seen as sufficient in evidence. If this is the case, it may be time that the article 29 Working Party reviews its advice on IP addresses. In my opinion it can’t be that on the one hand an IP address is privacy sensitive data, while on the other this same address is not seen as substantial evidence in court. This hampers law enforcers double. Not to speak of different rules and rulings in different countries on privacy (sensitive data). It makes cooperation and sharing data a very difficult thing to do.

International cooperation

It is about time that there is one clear ruling on what data can be exchanged between law enforcers of different elk, cyber incident and security personnel, NGO’s dealing with botnet mitigation and industry. And in what form. E.g. Is warning an ISP that one of his clients is infected by a trojan allowed, including the IP address? Some think that the answer is no. Or warning that one of its clients is attacking a critical infrastructure as part of a ddos attack?

If the necessary exchange of data happens insufficiently or worse not at all, because of rules concerning privacy are unclear, cyber criminals and other offenders are dealt an all to successful hand this way. It is time to create a level playing field so that it is clear to all what data can be exchanged under what circumstance, so that international and national cooperation can take off in a justified, accountable and verifiable, but across the board fashion. Our very lives may depend on it.

IGF Baku

Hence the importance of Workshops #87 and #90 at the upcoming IGF in Baku, Azerbaijan that NLIGF, in cooperation with myself, is organising for November. iFreedom, privacy and law enforcement and international cooperation and privacy on critical infrastructure cyber incidents. What is the way forward? Who should take the lead? And how to create that much needed level playing field? These are questions that need to be dealt with at the global level to protect the Internet, you and me.

Wout de Natris, De Natris Consult

Leiderdorp, 9 July 2012


About Wout de Natris

As a consultant I specialise in establishing new and different relationships between industry, governments and law enforcement where internet safety and the fight against cyber crime are concerned. This makes me a bridge builder. Hence the blogs name. In this blog I intend to stress the need for interaction, cooperation and exchange of information in order to change the mentioned relationships. On offer: a comprehensive training on all non-technical aspects of spam enforcement and a cyber awareness presentation for companies and institutions
This entry was posted in Court decision, Cyber crime, Cyber ethics, Cyber security, International cooperation: cross border aspects, Internet governance, Privacy and tagged , , , , , , , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s