This blog post is an article that was published in Virus Bulletin, August 2012
© Virus Bulletin/Wout de Natris
For as long as I have been involved in spam enforcement and the sharing of data between entities, public and private, the discussion as to whether an IP address is personal data has been on the agenda. There is no doubt that providing an IP address to an entity can lead to the identification of the end-user. (Although this may be changing somewhat because of IPv4 depletion and the introduction of carrier-graded NATs, where more and more end devices are behind one IP address.)
To look at the issue from a different angle, consider the following scenario: I’m walking down the street – it’s very quiet, nobody else is around. I notice that a fire has broken out in an apartment block and someone is trapped, shouting for help. I shout: ‘Do you give consent for me to hand over your personal data (your address) to the emergency services?’ The person in the building replies ‘No, I don’t’. There is nothing I can do but walk on. Next, I see two people on the street, one of whom appears to be attacking the other. They are standing in a doorway. I shout ‘Do you want me to call the police?’ ‘Yes!’, replies the person being attacked, but the attacker shouts ‘No! I live here and by giving the police this address you would be infringing on my privacy!’. Again, there is nothing I can do but put my phone away and walk on.
In reality, of course, I would have called the emergency services without hesitation and without a second thought to the sensitive data involved. Privacy infringement would not have entered the minds of the victims, the police, the fire brigade, or even the privacy commissioner. However, as soon as we enter the digital realm and a break-in is discovered (whether in real time or after the event), a DDoS attack is noticed, or spam is seen being sent from a machine, we tread very carefully and avoid reporting the incident for fear of divulging sensitive data, i.e. the IP address. In my opinion there is no difference between this and the ‘real-world’ situations described above: a law has been broken or an emergency situation has arisen, and it should immediately be reported to the proper authority. By giving the street address in the two real-world examples, I do not say anything about who’s living there (I may not even know). The most important thing is that someone needs help. On the Internet someone also needs help – perhaps a private individual, a company, a government or other organization – but here that does not seem to count for as much. If someone discovering a crime on the Internet says ‘from this IP address a crime or violation has happened/is happening’, they do not say anything about the owner of the machine (just like reporting a fire or burglary). The only difference is that a (regulatory) enforcement agency or botnet mitigation centre may be asked for assistance rather than the police or fire brigade.
If a government has provided the (regulatory) enforcement agencies with the proper powers to investigate (not all regulatory enforcement agencies have these powers), they have the right to ask for privacy-sensitive data under specific circumstances. It is up to a judge either to approve the information request beforehand or judge afterwards, depending on the choice made in the law. No privacy is infringed by reporting, and if it is, a judge will set it right.
I think it’s time to set the record straight on privacy and if necessary set rules on what’s allowed and what isn’t. The fact that breaking and entering in the form of accessing or taking over a computer (and its subsequent use for ill (purposes) cannot be reported just does not sit right with me. I wonder whether privacy is really the reason for not reporting such incidents. It’s time to find out what the other reasons could be and for governments, where possible, to provide the ideal situation for entities to report in. Reporting would greatly enhance safety and security in the online world and in the real world too – hacked computers and online intrusions are in the end real-life threats as money and identities are stolen, sensitive data is abused and organizations are threatened.
Wout de Natris, De Natris Consult