In article <Pine.GSO.4.64.0801231750350.24354@clifden.donelan.com>, Sean Donelan <sean@donelan.com> writes:
> In the US, folks are fighting the RIAA claiming that an IP address isn't enough to identify a person.
> In Europe, folks are fighting the Google claiming that an IP address is enough to identify a person.
> I guess it depends on which side of the pond you are on.

The European Data Protection perspective (which has been the same since 1999, and expressed quite robustly in 2000, no new ideas have suddenly appeared) is this:

Many IP addresses *are* enough to identify a person. Although sometimes you need additional information. The law talks about "identifying directly or indirectly", the latter as a result of having some *other* information available[1]. It's not a case of getting a hit based on IP address alone (which in any event needs at least a registry lookup to turn into a person's name).

And therefore because *some* IP addresses indisputably identify people, you must put in place precautions to handle *all* such information appropriately (IP addresses don't come with a bit set to say "I'm an identifiable user" or "I'm not").

That's just the way European Law works.

The American perspective might be (and I'm guessing here) that if only *some* IP addresses identify people, you should assume that *all* IP addresses are unreliable identifiers. [Many of the comments in this thread express somewhat of that view]. That might even be a good idea in a shoot-first ask-questions-later environment. My advice would be to try *not* to deploy such an environment :)

[1] In the case of being a dial-up ISP, the RADIUS logs; others have mentioned the association between commercial wifi connections and their (roaming) subscribers.

--
Roland Perry