Reading Peter Olthoorn’s book on Google (a link is found here), I ran into a passage on IP addresses. Where Google states that it does not see an IP address as privacy sensitive. An IP address could be used by more than one person, it claims. The Article 29 Working Party, the EU privacy commissioners, states that it is privacy sensitive as a unique identifier of a private person. It got me wondering whether it is this simple. Here a blog post meant to give some food for thought and debate. I invite you to think about the question ‘how private is an IP address’?
One person, one IP address
There is no doubt that if one person sits behind one IP address that this unique address will tell everything about this person as far as his online behaviour is concerned. But how unique is an IP address? There may be more examples, but these stick out most for me.
In a world in which IPv4 is depleting fast, although a lot slower than predicted over the past years, ISPs prepare for the depletion by stacking more an more persons behind one IP address. Instead of migrating to IPv6 with a sheer endless range of IP addresses. The technique of stacking is called Çarrier-Graded NAT (An explanation is found on Wikipedia.) This means that more than one person is behind an IP address, perhaps a whole building, a village or more. So this takes away from an IP address’ uniqueness.
Mobile (and wifi)
The same goes for the mobile environment, where an IP address is used for one session and is given to the next person in line requesting access to the Internet. There’s nothing unique about this particular IP address as it is in use by different persons during time constantly. Also just think of the use of wifi in an hotel, bar, train station, airport, etc.
What complicates matters is the fact that judges do not seem to acknowledge an IP address as a unique qualifier where proving the guild of spammers and scammers is concerned. In the case of Nigerian 419 scammers in Amsterdam a judge ruled that it could not be proven who pushed the button on a specific pc at a specific address. The defendants claimed that anybody in the neighbourhood walked in and used the pc, so anyone could have operated the scam. If this is the only prove a judge allows, there’s only one thing to it: be in the room when the perpetrator pushed the button. Of course this is (near) impossible.
OPTA recognised this problem from the first investigation and researches for any circumstantial evidence in spam cases. However in the latest case the CBb (College van Beroep voor het bedrijfsleven) ruled out the evidence provided by OPTA that it could not be proven beyond doubt that two of the defendants, even as they profited hugely, could be seen as “the sender”. (The third fled the country after the visitation by OPTA and never filed for appeal.)
In other words the IP address used by the spammers and scammers is not seen as sufficient in evidence. If this is the case, it may be time that the article 29 Working Party reviews its advice on IP addresses. In my opinion it can’t be that on the one hand an IP address is privacy sensitive data, while on the other this same address is not seen as substantial evidence in court. This hampers law enforcers double. Not to speak of different rules and rulings in different countries on privacy (sensitive data). It makes cooperation and sharing data a very difficult thing to do.
It is about time that there is one clear ruling on what data can be exchanged between law enforcers of different elk, cyber incident and security personnel, NGO’s dealing with botnet mitigation and industry. And in what form. E.g. Is warning an ISP that one of his clients is infected by a trojan allowed, including the IP address? Some think that the answer is no. Or warning that one of its clients is attacking a critical infrastructure as part of a ddos attack?
If the necessary exchange of data happens insufficiently or worse not at all, because of rules concerning privacy are unclear, cyber criminals and other offenders are dealt an all to successful hand this way. It is time to create a level playing field so that it is clear to all what data can be exchanged under what circumstance, so that international and national cooperation can take off in a justified, accountable and verifiable, but across the board fashion. Our very lives may depend on it.
Hence the importance of Workshops #87 and #90 at the upcoming IGF in Baku, Azerbaijan that NLIGF, in cooperation with myself, is organising for November. iFreedom, privacy and law enforcement and international cooperation and privacy on critical infrastructure cyber incidents. What is the way forward? Who should take the lead? And how to create that much needed level playing field? These are questions that need to be dealt with at the global level to protect the Internet, you and me.
Wout de Natris, De Natris Consult
Leiderdorp, 9 July 2012