Eric Brunner-Williams wrote:
Correct. In the EU DP framework (see: http://ec.europa.eu/justice_home/fsj/privacy/), personal privacy doesn't arise from private law (contract or property), but from public law (the human rights statements contained in the treaty under which the EU is formed).
However, Google/DoubleClick claim they have the right to collect PII data and disclose less than their complete data collection policy, and in particular, claim that endpoint identifiers do not tend to identify individuals. Further, they assert a property claim on such collected data.
See the partialip definition in the W3C's P3P Spec for an attempt to straddle the fence at offset 7:
"a partialip element represents an IP version 4 address (only - not a version 6 address) which has had at least the last 7 bits of information removed"
The theory for partialip was that a full address (v4 or v6) was PII, and a partial (for v4 only, at 7 bits) was not PII.
Eric
P. S. How many bits in the mask are necessary to achieve the non-PII aim?
One might observe that the IP address is not used in isolation. Some other metadata is being collected, whether it's the product of a search query or a referrer URL or whatever dataset contains the IPs, but an IP address anonymized by dropping 8 bits from the mask, in conjunction with the other information, is probably more than enough to uniquely identify an individual in the sorts of data sets that are being discussed here. This rather timely article has some pointers on the subject: http://www.schneier.com/crypto-gram-0801.html#1
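An added illustration, not part of either message above: it masks IPv4 addresses the way partialip describes (7 bits) and at 8 bits, then counts how many log records are still singled out once the masked address is joined with other collected fields. The records, the field choice and the function names are constructed for this example, and zeroing the dropped bits is an assumed representation of "removed".

```python
import ipaddress
from collections import Counter

# Constructed sample records: (client IP, user agent, search query).
RECORDS = [
    ("192.0.2.17",   "Firefox/2.0 Linux", "knitting patterns"),
    ("192.0.2.45",   "MSIE 7.0 Windows",  "flights to lisbon"),
    ("192.0.2.99",   "Firefox/2.0 Linux", "dns ttl tuning"),
    ("192.0.2.120",  "Safari/3.0 Mac",    "knitting patterns"),
    ("192.0.2.200",  "MSIE 7.0 Windows",  "flights to lisbon"),
    ("198.51.100.9", "MSIE 7.0 Windows",  "local weather"),
]

def mask_ipv4(ip, drop_bits):
    """Zero the low drop_bits bits of an IPv4 address (7 = partialip minimum)."""
    addr = ipaddress.IPv4Address(ip)  # raises on IPv6 or malformed input
    keep = (0xFFFFFFFF >> drop_bits) << drop_bits
    return str(ipaddress.IPv4Address(int(addr) & keep))

def singled_out(records, drop_bits, fields):
    """Count records whose (masked IP + chosen metadata fields) key is unique."""
    keys = [
        (mask_ipv4(r[0], drop_bits),) + tuple(r[i] for i in fields)
        for r in records
    ]
    counts = Counter(keys)
    return sum(1 for k in keys if counts[k] == 1)

if __name__ == "__main__":
    # fields index into each record: 1 = user agent, 2 = search query
    for bits in (7, 8):
        for label, fields in (("ip only", ()), ("ip+ua", (1,)), ("ip+ua+query", (1, 2))):
            n = singled_out(RECORDS, bits, fields)
            print(f"drop {bits} bits, {label:12s}: {n}/{len(RECORDS)} records unique")
```

On this sample the masked address alone isolates one or two records, while adding two ordinary metadata fields isolates most or all of them, which is the point made in the reply about IP addresses not being used in isolation.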