EU Official: IP Is Personal

http://ap.google.com/article/ALeqM5g08qkYTaNhLlscXKMnS3V8dkc-WwD8UAGH900

-Hank

hank@efes.iucc.ac.il (Hank Nussbacher) writes:

http://ap.google.com/article/ALeqM5g08qkYTaNhLlscXKMnS3V8dkc-WwD8UAGH900

They say it's personally identifiable information, not personal property.
The EU's concern is the privacy implications of data that Google and others
are saving; they are not making a statement related to address ownership.

Paul Vixie wrote:

hank@efes.iucc.ac.il (Hank Nussbacher) writes:

http://ap.google.com/article/ALeqM5g08qkYTaNhLlscXKMnS3V8dkc-WwD8UAGH900
    
They say it's personally identifiable information, not personal property.
The EU's concern is the privacy implications of data that Google and others
are saving; they are not making a statement related to address ownership.
  
Correct. In the EU DP framework (see: http://ec.europa.eu/justice_home/fsj/privacy/), personal
privacy doesn't arise from private law (contract or property), but from public law (the human rights
statements contained in the treaty under which the EU is formed).

However, Google/DoubleClick claim they have the right to collect PII data and disclose less than
their complete data collection policy, and in particular, claim that endpoint identifiers do not tend
to identify individuals. Further, they assert a property claim on such collected data.

See the partialip definition in the W3C's P3P Spec for an attempt to straddle the fence at offset 7:

"a partialip element represents an IP version 4 address (only - not a version 6 address) which has
had at least the last 7 bits of information removed"

The theory for partialip was that a full address (v4 or v6) was PII, and a partial (for v4 only, at 7 bits)
was not PII.

Eric

P.S. How many bits in the mask are necessary to achieve the non-PII aim?

Eric Brunner-Williams wrote:

Correct. In the EU DP framework (see:
http://ec.europa.eu/justice_home/fsj/privacy/), personal
privacy doesn't arise from private law (contract or property), but from
public law (the human rights
statements contained in the treaty under which the EU is formed).

However, Google/DoubleClick claim they have the right to collect PII
data and disclose less than
their complete data collection policy, and in particular, claim that
endpoint identifiers do not tend
to identify individuals. Further, they assert a property claim on such
collected data.

See the partialip definition in the W3C's P3P Spec for an attempt to
straddle the fence at offset 7:

"a partialip element represents an IP version 4 address (only - not a
version 6 address) which has
had at least the last 7 bits of information removed"

The theory for partialip was that a full address (v4 or v6) was PII, and
a partial (for v4 only, at 7 bits)
was not PII.

Eric

P.S. How many bits in the mask are necessary to achieve the non-PII aim?

One might observe that the IP address is not used in isolation. Some
other metadata is being collected, whether it's the product of a search
query, a referrer URL, or whatever dataset contains the IPs; an IP
address anonymized by dropping 8 bits from the mask, in conjunction
with the other information, is probably more than enough to uniquely
identify an individual in the sorts of data sets that are being
discussed here.

This rather timely article has some pointers on the subject.

http://www.schneier.com/crypto-gram-0801.html#1
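As an added example (not code from any post in this thread), the following Python implements the P3P "partialip" truncation quoted earlier and puts Eric's P.S. and the reply above to a small test: on a constructed web-log sample it counts how many records are still singled out after the low bits are dropped, using the masked address alone and then the masked address together with the user agent or referrer. The sample records, the field indices and the function names are assumptions.

```python
import ipaddress
from collections import Counter

def partial_ip(addr: str, bits: int = 7) -> str:
    """P3P-style 'partialip': zero the low `bits` bits of an IPv4 address.
    The quoted P3P definition covers IPv4 only, so IPv6 input is rejected
    rather than silently truncated."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("partialip is defined for IPv4 addresses only")
    if not 0 <= bits <= 32:
        raise ValueError("bits must be between 0 and 32")
    mask = (0xFFFFFFFF << bits) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int(ip) & mask))

# Constructed web-log sample: (client IP, user agent, referrer URL).
# Addresses are from the RFC 5737 documentation ranges; no real hosts.
SAMPLE_RECORDS = [
    ("192.0.2.17",   "Mozilla/5.0 (X11; Linux x86_64)", "http://search.example/?q=dns+ops"),
    ("192.0.2.18",   "Mozilla/5.0 (Windows NT 6.0)",    "http://news.example/"),
    ("192.0.2.19",   "Mozilla/5.0 (Macintosh)",         "http://news.example/"),
    ("192.0.2.130",  "Mozilla/5.0 (X11; Linux x86_64)", "http://shop.example/cart"),
    ("192.0.2.131",  "Mozilla/5.0 (Windows NT 6.0)",    "http://news.example/"),
    ("198.51.100.7", "Mozilla/5.0 (Windows NT 6.0)",    "http://news.example/"),
]

UA, REFERRER = 0, 1  # indices into the metadata part of a record

def singled_out(records, bits=7, extra_fields=()):
    """Number of records whose key (masked IP plus the chosen metadata
    fields) occurs exactly once in the data set, i.e. records that the
    masking failed to hide inside a group of at least two."""
    keys = [(partial_ip(ip, bits),) + tuple(meta[i] for i in extra_fields)
            for ip, *meta in records]
    counts = Counter(keys)
    return sum(1 for k in keys if counts[k] == 1)

if __name__ == "__main__":
    for bits in (0, 7, 8):
        print(f"{bits:2d} bits dropped: IP only -> {singled_out(SAMPLE_RECORDS, bits)} singled out, "
              f"IP+UA -> {singled_out(SAMPLE_RECORDS, bits, (UA,))}")
```

Dropping 7 or 8 bits hides five of the six sample records when the masked address is taken alone, but adding a single user-agent string brings almost all of them back to uniqueness.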

* Eric Brunner-Williams:

However, Google/DoubleClick claim they have the right to collect PII
data and disclose less than their complete data collection policy, and
in particular, claim that endpoint identifiers do not tend to identify
individuals. Further, they assert a property claim on such collected
data.

If IP addresses don't identify anything, why do they collect and keep
them?

Anyway, mandatory data retention seems to change the consensus on whose job
it is to retain a certain level of perceived anonymity. Even if the
retention policies do not actually change that much, it's usually
assumed that the ISPs do not do a good job at protecting customer identity
anymore. (You have to see this in a context where most of the consumer
Internet connections change their assigned IP address at least once a
day, which explains the old expectation to some degree.) Now that ISPs
are out of the loop, the attention turns to folks at higher protocol
levels. Some folks probably think that by complaining loudly enough,
they might be hosting a Google Privacy Research Center soon, or
something like that. *sigh*

In the US, folks are fighting the RIAA claiming that an IP address isn't
enough to identify a person.

In Europe, folks are fighting the Google claiming that an IP address is
enough to identify a person.

I guess it depends on which side of the pond you are on.

Perhaps not. But people will interpret it as they wish to.

They are both right. If you have a dynamic IP such as most college students
have, it is here-today-gone-tomorrow.

If you have a static IP (business, us slugs in the Swamp, etc.) you are identifiable.

The local antipiracy organization in Sweden needed a permit to collect/handle IP+timestamp and save it in their database, as this information was regarded as personal information. Since ISPs regularly save who has an IP at what time, IP+timestamp can be used to discern at least what access port a certain IP was at, or in case of PPPoE etc., what account was used to obtain the IP at that time.

I still think IP+timestamp doesn't imply what person did something; license plate information tracking is also considered personal information even though it says nothing about who drove the car at that time, and I think IP+timestamp is approximately on the same level as a car license plate when it comes to level of personal information.


The local antipiracy organization in Sweden needed a permit to collect/handle IP+timestamp and save it in their database, as this information was regarded as personal information. Since ISPs regularly save who has an IP at what time, IP+timestamp can be used to discern at least what access port a certain IP was at, or in case of PPPoE etc., what account was used to obtain the IP at that time.

I still think IP+timestamp doesn't imply what person did something

It doesn't, no more than the association of your cell phone with a cell tower conclusively implies that the owner of a telephone used it to do something in particular. However, in forensic data retention and wiretap procedures, the assumption is made that the user of a telephone or a computer is *probably* a person who normally has access to it.

In the EU Data Retention model, I will argue that the only thing that makes sense to use as a "Session Detail Record" is an IPFIX/Netflow record correlated with any knowledge the ISP might have of the person using the source and/or destination IP address at the time. When the address is temporarily or "permanently" assigned to a subscriber, such as a wireless address in a T-Mobile Hotspot (which one has to identify one's account when logging into, which presumptively identifies the subscriber) or the address assigned to a Cable Modem subscriber (home/SOHO), this tends to have a high degree of utility.

In the wiretap model, one similarly selects the traffic one intercepts on the presumption that a surveillance subject is probably the person using the computer.

For them, it's all about probability. It doesn't have to be "one" if it is reasonable to presume that it is in the neighborhood.

What I find interesting here is the Jekyll/Hyde nature of it. European ISPs are required to keep expensive logs of the behavior of subscribers for forensic data mining, accessible under subpoena, for extensive periods like 6-24 months (last I heard it was 7 years in Italy, but that may now be incorrect), but the information is deemed private and therefore inappropriate to keep under EU privacy rules. ISPs are required to keep inappropriate information at their own expense in case forensic authorities decide to pay an occasional pittance to access some small quantity of it.

Lou Katz wrote:

They are both right. If you have a dynamic IP such as most college students
have, it is here-today-gone-tomorrow.

If you have a static IP (business, us slugs in the Swamp, etc.) you are identifiable.
  
Hi Lou,

Long time.

The thing is, this isn't an atemporal question. The association of an address and any other information that tends
to identify an individual (say my googling the complete works of the co-author of "Survey of Modern Algebra",
along with Saunders Mac Lane, in particular reference [1], the "original" treatise on shaped charges, and my
groveling for clue in DNS ops, and my ...) tends to unique closure over finite time.

So, for a single datagram sourced from a just-allocated-at-random DHCP pool, wicked hard to make PII.
But for many hours or days of stream to a variety of data collectors, some of which share raw or correlated data,
the problem is not insoluble.

Eric

[1] Garrett Birkhoff, et al. "Explosives with Lined Cavities". Journal of Applied Physics, June 1948, pp. 563-582.

Data retention and LEO compliance are serious issues for network authorities to handle. The original topic was about IP addresses, though. I'd like to try and go there from a different angle.

IP addresses however, "belong" to (allocated..) authorities such as ISPs, and I would personally like to see some better AUP on what is allowed to come from these. Practically.

I'd like to see some larger effort to make network reputation happen, whether in making sure connections come from the real authority (BCP38 and similar) or to be able to deny a network connectivity to our own back yard.

I am not going for "user activity is an ISP's responsibility" but rather for "a misbehaving network should be treated as such", for whatever definition of misbehaving we can accept. I want this to be more about what this can do for us rather than some "this will be abused so let's not do it" civil society discussion.

At first glance this appears off-topic for the thread, but operationally network reputation and ownership is much more relevant than if people's rights are being walked all over.

Security is a strong supporter of privacy as much as it is misused as an excuse for infringing upon it.

Considering possibilities, other than avoiding spoofing, what would network reputation which is reliable help us do operationally?

   Gadi.

Security is a strong supporter of privacy ...

I've removed the part of this sentence I don't understand.

Privacy involves more than just non-disclosure, it also involves issues like identifiable retention
and identifiable 3rd-party provisioning and identifiable other-policy collection linkages, and ...

There were, and are people who contribute from time to time to the IETF, who decided that it
was sufficient to indicate if the source of a flow had a "privacy preference". Look for binary
valued labels in RFCs pertaining to the provisioning of PII to some well known data collectors
(and data publishers).

There were also, and I suppose also are, people who contribute from time to time to the IETF,
who have decided that it is insufficient to indicate the policy preference, if any, of flow sources,
absent indications of the policy practices of flow otherpoints, which may also be flow endpoints.
Look for labels which cannot be projected to binary values without loss of information in RFCs
pertaining to the provisioning of PII to some well known data collectors (and data publishers).

Which is a long-winded way of saying that security != privacy.

Eric

In article <1E2B60F8-A74E-41C7-B1F0-84F4B42911F2@cisco.com>, Fred Baker <fred@cisco.com> writes

What I find interesting here is the Jekyll/Hyde nature of it. European ISPs are required to keep expensive logs of the behavior of subscribers for forensic data mining, accessible under subpoena, for extensive periods like 6-24 months (last I heard it was 7 years in Italy, but that may now be incorrect), but the information is deemed private and therefore inappropriate to keep under EU privacy rules. ISPs are required to keep inappropriate information at their own expense in case forensic authorities decide to pay an occasional pittance to access some small quantity of it.

Putting aside for a moment the issue of "whose dollars pay for it" there is no fundamental contradiction in the proposition that private sector information can be mandated to be kept for minimum periods, is confidential, but nevertheless can be acquired by lawful subpoena.

Think about banking records, for example, which are confidential, routinely examined in criminal enquiries, and which have to be kept for various minimum periods by accountancy law. Operationally, the banks have had to invest in special departments to do just that, it's simply part of the cost of doing business.

In article <Pine.GSO.4.64.0801231750350.24354@clifden.donelan.com>, Sean Donelan <sean@donelan.com> writes

In the US, folks are fighting the RIAA claiming that an IP address isn't
enough to identify a person.

In Europe, folks are fighting the Google claiming that an IP address is
enough to identify a person.

I guess it depends on which side of the pond you are on.

The European Data Protection perspective (which has been the same since
1999, and expressed quite robustly in 2000, no new ideas have suddenly
appeared) is this:

Many IP addresses *are* enough to identify a person.

Although sometimes you need additional information.

The law talks about "identifying directly or indirectly", the
latter as a result of having some *other* information
available[1]. It's not a case of getting a hit based on IP
address alone (which in any event needs at least a registry
lookup to turn into a person's name).

And therefore because *some* IP addresses indisputably identify
people, you must put in place precautions to handle *all* such
information appropriately (IP addresses don't come with a bit
set to say "I'm an identifiable user" or "I'm not").

That's just the way European Law works.

The American perspective might be (and I'm guessing here) that if only
*some* IP addresses identify people, you should assume that *all* IP
addresses are unreliable identifiers. [Many of the comments in this
thread express somewhat of that view].

That might even be a good idea in a shoot-first ask-questions-later
environment. My advice would be to try *not* to deploy such an
environment :-)

[1] In the case of being a dial-up ISP, the RADIUS logs; others have
mentioned the association between commercial wifi connections and their
(roaming) subscribers.

Roland Perry wrote:

Putting aside for a moment the issue of "whose dollars pay for it" there is no fundamental contradiction in the proposition that private sector information can be mandated to be kept for minimum periods, is confidential, but nevertheless can be acquired by lawful subpoena.

Think about banking records, for example, which are confidential, routinely examined in criminal enquiries, and which have to be kept for various minimum periods by accountancy law. Operationally, the banks have had to invest in special departments to do just that, it's simply part of the cost of doing business.

The difference between banking records and computer generated records is, you can literally track someone down, whether by the PIN at an ATM along with, in the majority of cases, an image taken from a camera. Try doing this with IP generated information. While law enforcement subpoenas away information, there is no guarantee person X is definitively behind even a static IP address. It's hearsay no matter how you want to look at this. Outside of the fact that lawyers still up to this day and age can't seem to grasp an all-in-one argument to get IP address information thrown out, what's next? Perhaps law enforcement agencies forcing vendors to include enough memory on wireless devices to track who logged in on a hotspot?

Everyone sees the need for all sorts of accounting on the networking side of things but how legitimate is the information when anyone can share MAC addresses, jump into hotspots anonymously, quickly break into wireless networks, venture into an Internet cafe paying cash, throw on a bootable (throwaway) distribution of BSD/Linux/Solaris, do some dirty deed and leave it up to someone else to take the blame.

Heya,

> In the US, folks are fighting the RIAA claiming that an IP address isn't
> enough to identify a person.
>
> In Europe, folks are fighting the Google claiming that an IP address is
> enough to identify a person.
>
> I guess it depends on which side of the pond you are on.
>

They are both right. If you have a dynamic IP such as most college students
have, it is here-today-gone-tomorrow.

Our University uses dynamic addressing but we are able to identify likely users
in response to the RIAA stuff. There is a hidden step in here, at least for our
University, in the IP-to-Person mapping. Our network essentially tracks the
IP-to-MAC relationship and the MAC-to-Owner relationship. For us, it's not the
IP that identifies a person, but the combination of IP plus Timestamp, which can
be used to walk our database and produce a system owner.

I'm guessing that Google et al. have a similar multi-factor token set (IP, time,
cookie, etc.) which allows them to map back to a "person".

Eric :-)
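As an added example (not the university's own code or any code from this thread), the following Python walks the IP-to-MAC-to-Owner chain the post describes against a constructed DHCP lease log and device registration table, and returns an explicit status instead of a guess when the timestamp falls outside every lease, when more than one lease matches, or when the MAC was never registered. The lease records, the registration table, the clock-skew allowance and the function names are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed DHCP lease log: (IP, MAC, lease start, lease end), UTC, ISO 8601.
LEASES = [
    ("10.20.30.40", "00:11:22:33:44:55", "2008-01-23T08:00:00", "2008-01-23T12:00:00"),
    ("10.20.30.40", "66:77:88:99:aa:bb", "2008-01-23T13:00:00", "2008-01-23T17:00:00"),
    ("10.20.30.41", "cc:dd:ee:ff:00:11", "2008-01-23T09:30:00", "2008-01-23T13:30:00"),
]

# Constructed device registration table: MAC -> registered owner.
REGISTRATIONS = {
    "00:11:22:33:44:55": "student-a",
    "66:77:88:99:aa:bb": "student-b",
}

def macs_holding(ip, when, skew_minutes=5):
    """Every MAC that held `ip` at `when` (an ISO 8601 timestamp string).
    Lease windows are widened by `skew_minutes` on both sides to allow for
    clock drift between the DHCP server and whoever logged the IP+timestamp."""
    t = datetime.fromisoformat(when)
    skew = timedelta(minutes=skew_minutes)
    return [mac for lease_ip, mac, start, end in LEASES
            if lease_ip == ip
            and datetime.fromisoformat(start) - skew <= t <= datetime.fromisoformat(end) + skew]

def resolve(ip, when, skew_minutes=5):
    """Walk IP -> MAC -> owner for one (IP, timestamp) pair.
    Returns a (status, detail) pair:
      ("owner", name)         exactly one lease matched and its MAC is registered
      ("unregistered", mac)   exactly one lease matched but the MAC is unknown
      ("ambiguous", [macs])   several leases matched (overlap, or the skew window)
      ("none", None)          no lease covered the timestamp
    Anything other than "owner" is a reason to stop, not a reason to guess."""
    macs = macs_holding(ip, when, skew_minutes)
    if not macs:
        return ("none", None)
    if len(macs) > 1:
        return ("ambiguous", sorted(macs))
    owner = REGISTRATIONS.get(macs[0])
    return ("owner", owner) if owner else ("unregistered", macs[0])

if __name__ == "__main__":
    for ip, ts in [("10.20.30.40", "2008-01-23T10:00:00"),
                   ("10.20.30.40", "2008-01-23T12:30:00"),
                   ("10.20.30.41", "2008-01-23T10:00:00")]:
        print(ip, ts, "->", resolve(ip, ts))
```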

I am frankly shocked that some people claim that you cannot identify people by the IP address. There was a scandal in the States where a well known ISP released search records and the New York Times was able to identify individuals using the IP address together with the search records.

If a daily newspaper can, I suspect just about anybody can …

I see no difference between a static IP address and a credit card number. Neither are the individual’s property, but that doesn’t mean there should not be legal or ethical obligations surrounding them.

As always my opinions are my opinions and not official corporate policy

Roderick S. Beck
Director of European Sales
Hibernia Atlantic
1, Passage du Chantier, 75012 Paris
http://www.hiberniaatlantic.com
Wireless: 1-212-444-8829.
Landline: 33-1-4346-3209.
French Wireless: 33-6-14-33-48-97.
AOL Messenger: GlobalBandwidth
rod.beck@hiberniaatlantic.com
rodbeck@erols.com
"Unthinking respect for authority is the greatest enemy of truth." Albert Einstein.


Rod Beck wrote:

I am frankly shocked that some people claim that you cannot identify people by the IP address. There was a scandal in the States where a well known ISP released search records and the New York Times was able to identify individuals using the IP address together with the search records.

And here is a shocker... Supposing I despised you enough to do something horrendous to your reputation. I despised you enough to perhaps surf around your neighborhood for an open wifi connection; if I connect to what I believe is yours, even better.

Since I despise you so much, I begin, say, spreading viruses, spreading malware, attempting to break into banks, maybe chatting with minors. Remember now, I am in close proximity to your home; who knows, maybe I was lucky enough to stumble upon your wireless connection. Should I go on with this?

I see no difference between a static IP address and a credit card number. Neither are the individual's property, but that doesn't mean there should not be legal or ethical obligations surrounding them.

There is a humongous difference. There is nothing more than a broad assumption that you are the individual sitting behind your IP address. There can only be proof if it's shown that it was impossible for someone to have connected via your home address. A wireless router throws everything out the door unless you're using WPA or WEP, and even then there is the possibility of someone still breaking into your connection.

RADIUS accounting for say PPP? Oh... You'd like to verify my identity via caller ID? Caller ID spoofing defeats this too. So what's next? I'll respond offline, lest I get flamed, banned, shown the AUP again and have my fingers hit with a ruler... (sorry Alex, Martin)