hank@efes.iucc.ac.il (Hank Nussbacher) writes:
http://ap.google.com/article/ALeqM5g08qkYTaNhLlscXKMnS3V8dkc-WwD8UAGH900
they say it's personally identifiable information, not personal property. EU's concern is the privacy implications of data that google and others are saving, they are not making a statement related to address ownership. -- Paul Vixie
Paul Vixie wrote:
hank@efes.iucc.ac.il (Hank Nussbacher) writes:
http://ap.google.com/article/ALeqM5g08qkYTaNhLlscXKMnS3V8dkc-WwD8UAGH900
they say it's personally identifiable information, not personal property. EU's concern is the privacy implications of data that google and others are saving, they are not making a statement related to address ownership.
Correct. In the EU DP framework (see: http://ec.europa.eu/justice_home/fsj/privacy/), personal privacy doesn't arise from private law (contract or property), but from public law (the human rights statements contained in the treaty under which the EU is formed).

However, Google/DoubleClick claim they have the right to collect PII data and disclose less than their complete data collection policy, and in particular, claim that endpoint identifiers do not tend to identify individuals. Further, they assert a property claim on such collected data.

See the partialip definition in the W3C's P3P Spec for an attempt to straddle the fence at offset 7:

"a partialip element represents an IP version 4 address (only - not a version 6 address) which has had at least the last 7 bits of information removed"

The theory for partialip was that a full address (v4 or v6) was PII, and a partial (for v4 only, at 7 bits) was not PII.

Eric

P. S. How many bits in the mask are necessary to achieve the non-PII aim?
Eric Brunner-Williams wrote:
Correct. In the EU DP framework (see: http://ec.europa.eu/justice_home/fsj/privacy/), personal privacy doesn't arise from private law (contract or property), but from public law (the human rights statements contained in the treaty under which the EU is formed).
However, Google/DoubleClick claim they have the right to collect PII data and disclose less than their complete data collection policy, and in particular, claim that endpoint identifiers do not tend to identify individuals. Further, they assert a property claim on such collected data.
See the partialip definition in the W3C's P3P Spec for an attempt to straddle the fence at offset 7:
"a partialip element represents an IP version 4 address (only - not a version 6 address) which has had at least the last 7 bits of information removed"
The theory for partialip was that a full address (v4 or v6) was PII, and a partial (for v4 only, at 7bits) was not PII.
Eric
P. S. How many bits in the mask are necessary to achieve the non-PII aim?
One might observe that the IP address is not used in isolation. Some other metadata is being collected, whether it's the product of a search query or a referrer URL or whatever dataset contains the IPs, but an IP address anonymized by dropping 8 bits from the mask, in conjunction with the other information, is probably more than enough to uniquely identify an individual in the sorts of data sets that are being discussed here. This rather timely article has some pointers on the subject. http://www.schneier.com/crypto-gram-0801.html#1
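Added example (not from the thread): the P3P-style truncation Eric quotes, and the point made just above about what happens once the truncated address travels with other fields, worked in Python. The log records, user agents and queries are constructed for the example; partialip's behaviour follows the quoted P3P definition (IPv4 only, at least the last 7 bits removed), and the bucket counting is a plain k-anonymity check written for this example, not anything the P3P spec defines.

```python
"""Added example: P3P-style partialip truncation, and why dropping address
bits alone does not make a record non-identifying once other fields ride
along with it. All sample records below are constructed for this example."""
import ipaddress
from collections import Counter

P3P_MIN_BITS_REMOVED = 7  # P3P: "at least the last 7 bits of information removed"


def truncate_ipv4(addr: str, bits_removed: int) -> str:
    """Zero the low `bits_removed` bits (0..32) of an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 only: P3P's partialip explicitly excludes IPv6")
    if not 0 <= bits_removed <= 32:
        raise ValueError("bits_removed must be 0..32")
    mask = (0xFFFFFFFF >> bits_removed) << bits_removed
    return str(ipaddress.IPv4Address(int(ip) & mask))


def partialip(addr: str, bits_removed: int = P3P_MIN_BITS_REMOVED) -> str:
    """A P3P partialip: an IPv4 address with at least its last 7 bits removed."""
    if bits_removed < P3P_MIN_BITS_REMOVED:
        raise ValueError("partialip requires removing at least 7 bits")
    return truncate_ipv4(addr, bits_removed)


# Constructed log records: (client IP, user agent, query), using the
# documentation prefixes 198.51.100.0/24 and 203.0.113.0/24. Hypothetical users.
UA_A = "Mozilla/5.0 (Windows NT 6.0) Firefox/2.0"
UA_B = "Mozilla/5.0 (X11; NetBSD amd64) Firefox/2.0"
SAMPLE_LOG = [
    ("198.51.100.23", UA_A, "shaped charge lined cavity"),
    ("198.51.100.77", UA_A, "dns ops mailing list"),
    ("198.51.100.101", UA_B, "survey of modern algebra"),
    ("198.51.100.44", UA_A, "weather"),
    ("203.0.113.5", UA_A, "train timetable"),
    ("203.0.113.9", UA_A, "cheap flights"),
    ("203.0.113.100", UA_B, "p3p partialip"),
]


def bucket_sizes(records, bits_removed, extra_fields=()):
    """Count records per (truncated IP, *extra fields) key.

    A bucket of size 1 means the truncated address plus the extra fields still
    single out one record; the smallest bucket is the k of k-anonymity."""
    counts = Counter()
    for rec in records:
        key = (truncate_ipv4(rec[0], bits_removed),) + tuple(rec[i] for i in extra_fields)
        counts[key] += 1
    return counts


def smallest_bucket(records, bits_removed, extra_fields=()):
    return min(bucket_sizes(records, bits_removed, extra_fields).values())


def bits_needed(records, k, extra_fields=()):
    """Smallest bits_removed at which every bucket holds >= k records, or
    None if even a fully zeroed address (32 bits removed) does not reach k."""
    for bits in range(0, 33):
        if smallest_bucket(records, bits, extra_fields) >= k:
            return bits
    return None


if __name__ == "__main__":
    print("partialip:", partialip("198.51.100.23"))
    print("IP only, 7 bits removed, smallest bucket:", smallest_bucket(SAMPLE_LOG, 7))
    print("IP + user agent, 7 bits removed, smallest bucket:",
          smallest_bucket(SAMPLE_LOG, 7, extra_fields=(1,)))
    print("bits needed for k=2, IP only:", bits_needed(SAMPLE_LOG, 2))
    print("bits needed for k=2, IP + user agent:", bits_needed(SAMPLE_LOG, 2, (1,)))
    print("bits needed for k=2, IP + query:", bits_needed(SAMPLE_LOG, 2, (2,)))
```

On these seven constructed records, removing 7 bits happens to be exactly what it takes for the address alone to stop singling anyone out, but as soon as the user agent is kept next to the address the data set only reaches two-per-bucket once 28 bits are gone, and with the query text attached no amount of truncation helps. The answer to Eric's P.S. depends on what else is stored beside the address, not on the address alone.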
* Eric Brunner-Williams:
However, Google/DoubleClick claim they have the right to collect PII data and disclose less than their complete data collection policy, and in particular, claim that endpoint identifiers do not tend to identify individuals. Further, they assert a property claim on such collected data.
If IP addresses don't identify anything, why do they collect and keep them? Anyway, mandatory data retention seems to change the consensus whose job it is to retain a certain level of perceived anonymity. Even if the retention policies do not actually change that much, it's usually assumed that the ISPs do no good job at protecting customer identity anymore. (You have to see this in a context where most of the consumer Internet connections change their assigned IP address at least once a day, which explains the old expectation to some degree.) Now that ISPs are out of the loop, the attention turns to folks at higher protocol levels. Some folks probably think that by complaining loudly enough, they might be hosting a Google Privacy Research Center soon, or something like that. *sigh*
On Wed, 23 Jan 2008, Florian Weimer wrote:
If IP addresses don't identify anything, why do they collect and keep them?
In the US, folks are fighting the RIAA claiming that an IP address isn't enough to identify a person. In Europe, folks are fighting the Google claiming that an IP address is enough to identify a person. I guess it depends on which side of the pond you are on.
On Wed, Jan 23, 2008 at 05:52:41PM -0500, Sean Donelan wrote:
On Wed, 23 Jan 2008, Florian Weimer wrote:
If IP addresses don't identify anything, why do they collect and keep them?
In the US, folks are fighting the RIAA claiming that an IP address isn't enough to identify a person.
In Europe, folks are fighting the Google claiming that an IP address is enough to identify a person.
I guess it depends on which side of the pond you are on.
They are both right. If you have a dynamic IP such as most college students have, it is here-today-gone-tomorrow. If you have a static IP (business, us slugs in the Swamp, etc) you are identifiable. -- -=[L]=- I wouldn't take any advice, if I were you.
On Wed, 23 Jan 2008, Lou Katz wrote:
They are both right. If you have a dynamic IP such as most college students have, it is here-today-gone-tomorrow.
The local antipiracy organization in Sweden needed a permit to collect/handle IP+timestamp and save it in their database, as this information was regarded as personal information. Since ISPs regularly save who has an IP at what time, IP+timestamp can be used to discern at least what access port a certain IP was at, or in case of PPPoE etc, what account was used to obtain the IP at that time. I still think IP+timestamp doesn't imply what person did something; license plate information tracking is also considered personal information even though it says nothing about who drove the car at that time, and I think IP+timestamp is approximately on the same level as a car license plate when it comes to level of personal information. -- Mikael Abrahamsson email: swmike@swm.pp.se
On Jan 24, 2008, at 2:09 AM, Mikael Abrahamsson wrote:
The local antipiracy organization in Sweden needed a permit to collect/handle IP+timestamp and save it in their database, as this information was regarded as personal information. Since ISPs regularily save who has an IP at what time, IP+timestamp can be used to discern at least what access port a certain IP was at, or in case of PPPoE etc, what account was used to obtain the IP that that time.
I still think IP+timestamp doesn't imply what person did something
It doesn't, no more than the association of your cell phone with a cell tower conclusively implies that the owner of a telephone used it to do something in particular. However, in forensic data retention and wiretap procedures, the assumption is made that the user of a telephone or a computer is *probably* a person who normally has access to it.

In the EU Data Retention model, I will argue that the only thing that makes sense to use as a "Session Detail Record" is an IPFIX/Netflow record correlated with any knowledge the ISP might have of the person using the source and/or destination IP address at the time. When the address is temporarily or "permanently" assigned to a subscriber, such as a wireless address in a T-Mobile Hotspot (which one has to identify one's account when logging into, which presumptively identifies the subscriber) or the address assigned to a Cable Modem subscriber (home/SOHO), this tends to have a high degree of utility.

In the wiretap model, one similarly selects the traffic one intercepts on the presumption that a surveillance subject is probably the person using the computer. For them, it's all about probability. It doesn't have to be "one" if it is reasonable to presume that it is in the neighborhood.

What I find interesting here is the Jekyll/Hyde nature of it. European ISPs are required to keep expensive logs of the behavior of subscribers for forensic data mining, accessible under subpoena, for extensive periods like 6-24 months (last I heard it was 7 years in Italy, but that may now be incorrect), but the information is deemed private and therefore inappropriate to keep under EU privacy rules. ISPs are required to keep inappropriate information at their own expense in case forensic authorities decide to pay an occasional pittance to access some small quantity of it.
On Thu, 24 Jan 2008, Fred Baker wrote:
I still think IP+timestamp doesn't imply what person did something
it doesn't, no any more than the association of your cell phone with a cell tower conclusively implies that the owner of a telephone used it to do something in particular. However, in forensic data retention and wiretap procedures, the assumption is made that the user of a telephone or a computer is *probably* a person who normally has access to it.
Data retention and LEO compliance are serious issues for network authorities to handle. The original topic was about IP addresses, though. I'd like to try and go there from a different angle.

IP addresses, however, "belong" to (are allocated to) authorities such as ISPs, and I would personally like to see some better AUP on what is allowed to come from these. Practically, I'd like to see some larger effort to make network reputation happen, whether in making sure connections come from the real authority (BCP38 and similar) or in being able to deny a network connectivity to our own back yard.

I am not going for "user activity is an ISP's responsibility" but rather "a misbehaving network should be treated as such", for whatever definition of misbehaving we can accept. I want this to be more about what this can do for us rather than some "this will be abused so let's not do it" civil society discussion.

At first glance this appears off-topic for the thread, but operationally network reputation and ownership is much more relevant than whether people's rights are being walked all over. Security is a strong supporter of privacy as much as it is misused as an excuse for infringing upon it.

Considering possibilities, other than avoiding spoofing, what would reliable network reputation help us do operationally?

Gadi.
Security is a strong supporter of privacy ... I've removed the part of this sentence I don't understand.
Privacy involves more than just non-disclosure, it also involves issues like identifiable retention and identifiable 3rd-party provisioning and identifiable other-policy collection linkages, and ...

There were, and are, people who contribute from time to time to the IETF, who decided that it was sufficient to indicate if the source of a flow had a "privacy preference". Look for binary-valued labels in RFCs pertaining to the provisioning of PII to some well known data collectors (and data publishers).

There were also, and I suppose also are, people who contribute from time to time to the IETF, who have decided that it is insufficient to indicate the policy preference, if any, of flow sources, absent indications of the policy practices of flow otherpoints, which may also be flow endpoints. Look for labels which cannot be projected to binary values without loss of information in RFCs pertaining to the provisioning of PII to some well known data collectors (and data publishers).

Which is a long-winded way of saying that security != privacy.

Eric
In article <1E2B60F8-A74E-41C7-B1F0-84F4B42911F2@cisco.com>, Fred Baker <fred@cisco.com> writes
What I find interesting here is the Jekyll/Hyde nature of it. European ISPs are required to keep expensive logs of the behavior of subscribers for forensic data mining, accessible under subpoena, for extensive periods like 6-24 months (last I heard it was 7 years in Italy, but that may now be incorrect), but the information is deemed private and therefore inappropriate to keep under EU privacy rules. ISPs are required to keep inappropriate information at their own expense in case forensic authorities decide to pay an occasional pittance to access some small quantity of it.
Putting aside for a moment the issue of "whose dollars pay for it" there is no fundamental contradiction in the proposition that private sector information can be mandated to be kept for minimum periods, is confidential, but nevertheless can be acquired by lawful subpoena. Think about banking records, for example, which are confidential, routinely examined in criminal enquiries, and which have to be kept for various minimum periods by accountancy law. Operationally, the banks have had to invest in special departments to do just that, it's simply part of the cost of doing business. -- Roland Perry Internet Policy Agency
Roland Perry wrote:
Putting aside for a moment the issue of "whose dollars pay for it" there is no fundamental contradiction in the proposition that private sector information can be mandated to be kept for minimum periods, is confidential, but nevertheless can be acquired by lawful subpoena.
Think about banking records, for example, which are confidential, routinely examined in criminal enquiries, and which have to be kept for various minimum periods by accountancy law. Operationally, the banks have had to invest in special departments to do just that, it's simply part of the cost of doing business.
The difference between banking records and computer generated records is, you can literally track down, whether by PIN on an ATM along with, for the majority of times, an image taken from a camera. Try doing this with IP generated information. While law enforcement subpoenas away information, there is no guarantee person X is definitively behind even a static IP address. It's hearsay no matter how you want to look at this. Outside of the fact that lawyers still up to this day and age can't seem to grasp an all-in-one argument to get IP address information thrown out, what's next? Perhaps law enforcement agencies forcing vendors to include enough memory on wireless devices to track who logged in on a hotspot? Everyone sees the need for all sorts of accounting on the networking side of things but how legitimate is the information when anyone can share MAC addresses, jump into hotspots anonymously, quickly break into wireless networks, venture into an Internet cafe paying cash, throw on a bootable (throwaway) distribution of BSD/Linux/Solaris, do some dirty deed and leave it up to someone else to take the blame. -- ==================================================== J. Oquendo SGFA #579 (FW+VPN v4.1) SGFE #574 (FW+VPN v4.1) wget -qO - www.infiltrated.net/sig|perl http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
I am frankly shocked that some people claim that you cannot identify people by the IP address. There was a scandal in the States where a well known ISP released search records and the New York Times was able to identify individuals using the IP address together with the search records. If a daily newspaper can, I suspect just about anybody can ... I see no difference between a static IP address and a credit card number. Neither are the individual's property, but that doesn't mean there should not be legal or ethical obligations surrounding them. As always my opinions are my opinions and not official corporate policy Roderick S. Beck Director of European Sales Hibernia Atlantic 1, Passage du Chantier, 75012 Paris http://www.hiberniaatlantic.com Wireless: 1-212-444-8829. Landline: 33-1-4346-3209. French Wireless: 33-6-14-33-48-97. AOL Messenger: GlobalBandwidth rod.beck@hiberniaatlantic.com rodbeck@erols.com ``Unthinking respect for authority is the greatest enemy of truth.'' Albert Einstein.

-----Original Message-----
From: owner-nanog@merit.edu on behalf of J. Oquendo
Sent: Thu 1/24/2008 12:57 PM
To: Roland Perry
Cc: nanog@merit.edu
Subject: Re: EU Official: IP Is Personal

Roland Perry wrote:
Putting aside for a moment the issue of "whose dollars pay for it" there is no fundamental contradiction in the proposition that private sector information can be mandated to be kept for minimum periods, is confidential, but nevertheless can be acquired by lawful subpoena.
Think about banking records, for example, which are confidential, routinely examined in criminal enquiries, and which have to be kept for various minimum periods by accountancy law. Operationally, the banks have had to invest in special departments to do just that, it's simply part of the cost of doing business.
The difference between banking records and computer generated records is, you can literally track down, whether by PIN on an ATM along with, for the majority of times, an image taken from a camera. Try doing this with IP generated information. While law enforcement subpoenas away information, there is no guarantee person X is definitively behind even a static IP address. It's hearsay no matter how you want to look at this. Outside of the fact that lawyers still up to this day and age can't seem to grasp an all-in-one argument to get IP address information thrown out, what's next? Perhaps law enforcement agencies forcing vendors to include enough memory on wireless devices to track who logged in on a hotspot? Everyone sees the need for all sorts of accounting on the networking side of things but how legitimate is the information when anyone can share MAC addresses, jump into hotspots anonymously, quickly break into wireless networks, venture into an Internet cafe paying cash, throw on a bootable (throwaway) distribution of BSD/Linux/Solaris, do some dirty deed and leave it up to someone else to take the blame. -- J. Oquendo
Rod Beck wrote:
I am frankly shocked that some people claim that you cannot identify people by the IP address. There was a scandal in the States where a well known ISP released search records and the New York Times was able to identify individuals using the IP address together with the search records.
And here is a shocker... Supposing I despised you enough to do something horrendous to your reputation. I despised you enough to perhaps surf around your neighborhood for an open wifi connection, if I connect to what I believe is yours even the better. Since I despise you so much, I begin say, spreading viruses, spreading malware, attempting to break into banks, maybe chatting with minors. Remember now, I am in close proximity to your home, who knows maybe I was lucky enough to stumble upon your wireless connection. Should I go on with this?
I see no difference between a static IP address and a credit card number. Neither are the individual's property, but that doesn't mean there should not be legal or ethical obligations surrounding them.
There is a humongous difference. There is nothing more than a broad assumption that you are the individual sitting behind your IP address. There can only be proof if it's shown that it was impossible for someone to have connected via your home address. A wireless router throws everything out the door unless you're using WPA or WEP, and even then there is the possibility of someone still breaking into your connection. RADIUS accounting for, say, PPP? Oh... You'd like to verify my identity via caller ID? Caller ID spoofing defeats this too. So what's next? I'll respond offline, lest I get flamed, banned, shown the AUP again and have my fingers hit with a ruler... (sorry Alex, Martin) -- J. Oquendo
I refer you to the following posting: "Our University uses dynamic addressing but we are able to identify likely users in response to the RIAA stuff. There is a hidden step in here, at least for our University, in the IP-to-Person mapping. Our network essentially tracks the IP-to-MAC relationship and the MAC-to-Owner relationship. For us, its not the IP that identifies a person, but the combination of IP plus Timestamp, which can be used to walk our database and produce a system owner. I'm guessing that Google et. al. have a similar multi-factor token set (IP, time, cookie, etc) which allows them to map back to a "person"." It is easy to back into people's identity. Regards, Roderick S. Beck
Rod Beck wrote:
I refer you to the following posting:
It is easy to back into people's identity.
So simple even a caveman can do it http://www.klcconsulting.net/smac/ -- J. Oquendo
In article <47988B2D.806@infiltrated.net>, J. Oquendo <sil@infiltrated.net> writes
Putting aside for a moment the issue of "whose dollars pay for it" there is no fundamental contradiction in the proposition that private sector information can be mandated to be kept for minimum periods, is confidential, but nevertheless can be acquired by lawful subpoena. Think about banking records, for example, which are confidential, routinely examined in criminal enquiries, and which have to be kept for various minimum periods by accountancy law. Operationally, the banks have had to invest in special departments to do just that, it's simply part of the cost of doing business.
The difference with banking records and computer generated records is, you can literally track down whether by PIN on an ATM along with for the majority of times an image taken from a camera. Try doing this with IP generated information. While law enforcement subpoenas away information, there is no guarantee person X is definitively behind even a static IP address. Its hearsay no matter how you want to look at this. Outside of the fact that lawyers still up to this day and age can't seem to grasp an all-in-one argument to get IP address information thrown out, what's next? Perhaps law enforcement agencies forcing vendors to include enough memory on wireless devices to track who logged in on a hotspot?
Everyone sees the need for all sorts of accounting on the networking side of things but how legitimate is the information when anyone can share MAC addresses, jump into hotspots anonymously, quickly break into wireless networks, venture into an Internet cafe paying cash, throw on a bootable (throwaway) distribution of BSD/Linux/Solaris, do some dirty deed and leave it up to someone else to take the blame.
It's a bit like licence plates on a car. Seeing a bank robber jump into a car and then using the licence plate as a "best guess" where to find the perpetrator has a lot of reasons why it's not 100% accurate. Maybe the licence plate was entirely false, or perhaps cloned from another vehicle of the same model, colour and age. But there are enough dumb crooks out there driving cars with real licence plates that, as a first approximation, it's still worth insisting everyone *has* a licence plate, and some semblance of responsibility to keep real owner details on file. -- Roland Perry
On Jan 24, 2008, at 12:50 PM, Roland Perry wrote:
no fundamental contradiction in the proposition that private sector information can be mandated to be kept for minimum periods, is confidential, but nevertheless can be acquired by lawful subpoena.
They are if the records are kept for no private sector purpose, which is the case here. The corollary that is being built on is telco call detail records, which were once used in billing. But the ISPs have no use for the data and storing it costs power, cooling, disk-or-other-storage, and so on. Get an ISP or other data center to give you an idea how many megawatts they go through and what that costs...
In article <3DE3808E-5984-4245-8B06-8D3BEB247604@cisco.com>, Fred Baker <fred@cisco.com> writes
no fundamental contradiction in the proposition that private sector information can be mandated to be kept for minimum periods, is confidential, but nevertheless can be acquired by lawful subpoena.
They are if the records are kept for no private sector purpose, which is the case here. The corollary that is being built on is telco call detail records, which were once used in billing. But the ISPs have no use for the data and storing it costs power, cooling, disk-or-other-storage, and so on. Get an ISP or other data center to give you an idea how many megawatts they go through and what that costs...
You make the assumption that the banks have some business purpose to keep data for more than 6 months? My online bank makes it hard for me to go back further than that, but I'm sure the regulator insists they do. Your other objections are just "whose dollars" issue (ignoring the public policy debate, but this is a technical list). -- Roland Perry
Lou Katz wrote:
They are both right. If you have a dynamic IP such as most college students have, it is here-today-gone-tomorrow.
If you have static IP (business, us slugs in the Swamp, etc) you are identifyable.
Hi Lou, Long time.

The thing is this isn't an atemporal question. The association of an address and any other information that tends to identify an individual (say my googling the complete works of the co-author of "Survey of Modern Algebra", along with Saunders MacLaine, in particular reference [1], the "original" treatise on shaped charges, and my groveling for clue in DNS ops, and my ...) tends to unique closure over finite time.

So, for a single datagram sourced from a just-allocated-at-random DHCP pool, wicked hard to make PII. But for many hours or days of stream to a variety of data collectors, some of which share raw or correlated data, the problem is not insoluble.

Eric

[1] Garret Birkhoff, et al. "Explosives With Lined Cavities". Journal of Applied Physics. June 1948, p. 563-582.
Heya,
In the US, folks are fighting the RIAA claiming that an IP address isn't enough to identify a person.
In Europe, folks are fighting the Google claiming that an IP address is enough to identify a person.
I guess it depends on which side of the pond you are on.
They are both right. If you have a dynamic IP such as most college students have, it is here-today-gone-tomorrow.
Our University uses dynamic addressing but we are able to identify likely users in response to the RIAA stuff. There is a hidden step in here, at least for our University, in the IP-to-Person mapping. Our network essentially tracks the IP-to-MAC relationship and the MAC-to-Owner relationship. For us, it's not the IP that identifies a person, but the combination of IP plus Timestamp, which can be used to walk our database and produce a system owner. I'm guessing that Google et al. have a similar multi-factor token set (IP, time, cookie, etc) which allows them to map back to a "person". Eric :)
Eric Gauthier wrote:
Heya,
In the US, folks are fighting the RIAA claiming that an IP address isn't enough to identify a person.
In Europe, folks are fighting the Google claiming that an IP address is enough to identify a person.
I guess it depends on which side of the pond you are on.
They are both right. If you have a dynamic IP such as most college students have, it is here-today-gone-tomorrow.
Our University uses dynamic addressing but we are able to identify likely users in response to the RIAA stuff. There is a hidden step in here, at least for our University, in the IP-to-Person mapping. Our network essentially tracks the IP-to-MAC relationship and the MAC-to-Owner relationship. For us, it's not the IP that identifies a person, but the combination of IP plus Timestamp, which can be used to walk our database and produce a system owner.
There are a couple of ways that can break down. "Hey, dude, lemme borrow your laptop for a minute." Or "ifconfig eth0 ether aa:bb:cc:dd:ee:ff"
I'm guessing that Google et al. have a similar multi-factor token set (IP, time, cookie, etc) which allows them to map back to a "person".
Which, for similar reasons, does not, in any absolutely reliable way, identify a *person* at the keyboard. -- Jeff McAdams "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin
Hi Jeff, I agree. But gives a lot more information that most people will be comfortable disclosing. It may not guarantee identity, but it can help narrow it down to a household or billing account. I think it is time that privacy trump business interests. Roderick S. Beck
We have a similar system based around Cisco's CNR, which is a popular DHCP/DNS system used by large ISPs and other large organizations, and it is the IP+Timestamp coupled with the owner-to-MAC relationship which allows unique identification of a user. We have strict data retention policies, so that after the data has been maintained for the interval specified by the Provost it is permanently removed from the database. We treat IP/MAC information as personally identifiable information and as such limit access to this information to authorized users only. But there seems to be a misapprehension that a dynamically assigned address cannot be associated with an individual. Eric Gauthier wrote:
Heya,
In the US, folks are fighting the RIAA claiming that an IP address isn't enough to identify a person.
In Europe, folks are fighting the Google claiming that an IP address is enough to identify a person.
I guess it depends on which side of the pond you are on.
They are both right. If you have a dynamic IP such as most college students have, it is here-today-gone-tomorrow.
Our University uses dynamic addressing but we are able to identify likely users in response to the RIAA stuff. There is a hidden step in here, at least for our University, in the IP-to-Person mapping. Our network essentially tracks the IP-to-MAC relationship and the MAC-to-Owner relationship. For us, it's not the IP that identifies a person, but the combination of IP plus Timestamp, which can be used to walk our database and produce a system owner.
I'm guessing that Google et al. have a similar multi-factor token set (IP, time, cookie, etc) which allows them to map back to a "person".
Eric :)
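Added example (not the university's code, nor CNR's): the IP-plus-timestamp walk through DHCP lease records to a registered MAC owner that Eric Gauthier and Scott McGrath describe, written so that the ways Jeff McAdams says it breaks down (a lease that has lapsed, a MAC that turns up on another port, an unregistered MAC, two leases covering the same address at once) come back as a list of candidates rather than one confident name. The lease lines are constructed and only loosely modelled on ISC dhcpd's syslog output; the lease length, the MAC registry, the port names and the owner names are all assumptions made for the example.

```python
"""Added example: walk IP + timestamp back to a registered device owner
through DHCP lease records. Log lines, lease length, MAC registry and names
are constructed for this example (format loosely follows ISC dhcpd syslog)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed lease log. The last line is the awkward case: the same address
# is ACKed to a second MAC on another port while student-B's lease is still
# open, the kind of conflict a second DHCP server or a duplicated MAC produces.
LEASE_LOG = """\
2008-01-23T08:01:10 DHCPACK on 10.20.30.40 to 00:1b:63:aa:bb:01 via eth1
2008-01-23T12:01:10 DHCPACK on 10.20.30.40 to 00:1b:63:aa:bb:01 via eth1
2008-01-23T16:30:00 DHCPRELEASE of 10.20.30.40 from 00:1b:63:aa:bb:01 via eth1
2008-01-23T16:45:02 DHCPACK on 10.20.30.40 to 00:1b:63:aa:bb:02 via eth1
2008-01-23T17:10:00 DHCPACK on 10.20.30.41 to 00:1b:63:aa:bb:03 via eth2
2008-01-23T17:30:00 DHCPACK on 10.20.30.40 to 00:1b:63:aa:bb:01 via eth3
"""
LEASE_TIME = timedelta(hours=8)  # assumed lease length for this example

# Constructed MAC -> owner registration, the "MAC-to-Owner" table in the thread.
MAC_OWNERS = {
    "00:1b:63:aa:bb:01": "student-A",
    "00:1b:63:aa:bb:02": "student-B",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>DHCPACK|DHCPRELEASE) (?:on|of) (?P<ip>\S+) "
    r"(?:to|from) (?P<mac>[0-9a-f:]{17}) via (?P<port>\S+)$"
)


@dataclass
class Lease:
    ip: str
    mac: str
    port: str
    start: datetime
    end: datetime


def parse_leases(text: str, lease_time: timedelta = LEASE_TIME) -> list:
    """Turn ACK/RELEASE lines into lease intervals.

    An ACK opens a lease ending lease_time later, or extends an open lease
    for the same (ip, mac); a RELEASE closes it at the release time.
    Lines the regex does not understand are skipped, not guessed at."""
    open_leases = {}   # (ip, mac) -> Lease
    closed = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        key = (m["ip"], m["mac"])
        if m["kind"] == "DHCPACK":
            lease = open_leases.get(key)
            if lease is None:
                open_leases[key] = Lease(m["ip"], m["mac"], m["port"], ts, ts + lease_time)
            else:
                lease.end = ts + lease_time   # renewal extends the lease
                lease.port = m["port"]        # and records where it is now seen
        else:
            lease = open_leases.pop(key, None)
            if lease is not None:
                lease.end = ts
                closed.append(lease)
    return closed + list(open_leases.values())


def who_had(ip: str, when: datetime, leases: list, owners: dict = MAC_OWNERS) -> list:
    """All (mac, port, owner) whose lease covered `ip` at `when`.

    Deliberately a list: zero hits (lease lapsed or never issued), one hit
    (the usual case) or several (overlapping leases) are all possible, and a
    MAC missing from the registry is reported as UNREGISTERED."""
    return [
        (lease.mac, lease.port, owners.get(lease.mac, "UNREGISTERED"))
        for lease in leases
        if lease.ip == ip and lease.start <= when < lease.end
    ]


def who_had_at(ip: str, iso_when: str, log: str = LEASE_LOG) -> list:
    """Same as who_had, taking the time as an ISO 8601 string."""
    return who_had(ip, datetime.fromisoformat(iso_when), parse_leases(log))


if __name__ == "__main__":
    for ip, when in [("10.20.30.40", "2008-01-23T16:20:00"),
                     ("10.20.30.40", "2008-01-23T17:40:00"),
                     ("10.20.30.41", "2008-01-23T17:15:00"),
                     ("10.20.30.40", "2008-01-24T01:00:00")]:
        print(ip, when, "->", who_had_at(ip, when))
```

The lookup answers "which registered device held this address at this instant", which is what the lease database can actually support; whether the registered owner was the person at the keyboard is a separate question the data cannot settle, which is why the result carries the port and the raw MAC and is allowed to be empty or to contain more than one entry.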
On Jan 24, 2008 6:10 AM, Scott McGrath <mcgrath@fas.harvard.edu> wrote:
We have a similar system based around Cisco's CNR which is a popular DHCP/DNS system used by large ISP's and other large organization and it is the IP+Timestamp coupled with the owner to MAC relationship which allows unique identification of a user
[snip] Let's not confuse identifying a person with identifying a particular network interface. The disparity between the two may vary widely with NAT, wifi, shared machines, etc. -- darkuncle@{gmail.com,darkuncle.net} || 0x5537F527 http://darkuncle.net/pubkey.asc for public key
On Wed, Jan 23, 2008 at 04:44:55PM -0800, Lou Katz wrote:
On Wed, Jan 23, 2008 at 05:52:41PM -0500, Sean Donelan wrote:
In the US, folks are fighting the RIAA claiming that an IP address isn't enough to identify a person.
In Europe, folks are fighting the Google claiming that an IP address is enough to identify a person.
I guess it depends on which side of the pond you are on.
They are both right. If you have a dynamic IP such as most college students have, it is here-today-gone-tomorrow.
In our environment it's common for the same system to retain the same dynamic address for months or even years. Our DHCP servers will try to assign the same address to the same client for as long as possible.

For data protection purposes, we've long considered IP addresses to be personal information. They're often sufficient to track the same user, and not infrequently identify a particular user without the need for information other than a DNS lookup (people still seem fond of unimaginative hostnames like fred-pc.dept.ox.ac.uk).

Can IP addresses always identify a unique individual? Definitely not, not even to those of us with access to the logs. NAT, MAC-spoofing, shared/multi-user systems and so forth still get in the way from time to time. Newer technologies such as 802.11x will stop some means of evasion in the future, and also make it easier for us to track directly by username rather than network interface.

Robin

--
Robin Stevens <robin.stevens@oucs.ox.ac.uk>
Networks & Telecommunications Group, Oxford University Computing Services
Work (+44)(0)1865 273212   Fax (+44)(0)1865 273275
http://www.cynic.org.uk/
Robin Stevens wrote:
Can IP addresses always identify a unique individual? Definitely not, not even to those of us with access to the logs. NAT, MAC-spoofing, shared/multi-user systems and so forth still get in the way from time to time. Newer technologies such as 802.11x will stop some means of evasion in the future, and also make it easier for us to track directly by username rather than network interface.
Robin
Framing Private Ryan (a look at the dangers behind technology)
http://www.infiltrated.net/?p=77

--
====================================================
J. Oquendo
SGFA #579 (FW+VPN v4.1) SGFE #574 (FW+VPN v4.1)
wget -qO - www.infiltrated.net/sig|perl
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
I'm sorry, but I have a great deal of difficulty seeing how an IP can be considered personally identifying.

For example, in my home, I have static addresses. However, the number of different people using those addresses would, to me, imply that you cannot personally identify anyone based solely on the IP address they are using within my network. Certainly, you cannot say that I initiated all of the packets which came from my addresses.

Another example would be a retail store that I work with as a SCUBA Instructor. They also have static IP addresses, but I would not say that any of the traffic coming from the store is necessarily personally identifiable. Our entire staff (half a dozen instructors, a dozen or so divemasters and AIs, the owner, and at least one other retail assistant) source traffic from within that network.

The larger the business, the less identifiable the addresses become, generally. However, even in these ultra-small examples, I don't feel that the addresses are, in themselves, personally identifying.

Owen
Owen DeLong wrote:
I'm sorry, but, I have a great deal of difficulty seeing how an IP can be considered personally identifying.
In the case the German regulator is dealing with, the IP address is not to be considered exclusive of the rest of a data set. The question is, given a commercially valuable dataset which contains IP addresses, what is sufficient to anonymize the users while maintaining the value of the data. The regulator has one view, which is probably wrong, and the search engine company (Google is the one that is quoted) has another, which is also probably wrong. Can someone able to mine search engine log data pick out individual users? Yes, it's been demonstrated several times. Can you pick individuals out of "anonymized" datasets? Yes to that too. Can an IP address in exclusion to anything else be used to pick out an individual? Possibly, under some circumstances, but definitely not with a high degree of certainty.
For example, in my home, I have static addresses. However, the number of different people using those addresses would, to me, imply that you cannot personally identify anyone based solely on the IP address they are using within my network. Certainly, you cannot say that I initiated all of the packets which came from my addresses.
Another example would be a retail store that I work with as a SCUBA Instructor. They also have static IP addresses, but, I would not say that any of the traffic coming from the store is necessarily personally identifiable. Our entire staff (half a dozen instructors, a dozen or so divemasters and AIs, the owner, and at least one other retail assistant) source traffic from within that network.
The larger the business, the less identifiable the addresses become, generally. However, even in these ultra-small examples, I don't feel that the addresses are, in themselves, personally identifying.
Owen
In the case the German regulator is dealing with, the IP address is not to be considered exclusive of the rest of a data set. The question is, given a commercially valuable dataset which contains IP addresses, what is sufficient to anonymize the users while maintaining the value of the data. The regulator has one view, which is probably wrong, and the search engine company (Google is the one that is quoted) has another, which is also probably wrong.
First of all, this is not about the German data protection agency but about the EU Committee on Civil Liberties, Justice and Home Affairs.

Secondly, there is no need to flail around wondering what is the meaning of this one choice quote that an Associated Press reporter built their story around. The EU publishes its position on its website:

<http://www.europarl.europa.eu/meetdocs/2004_2009/documents/dv/opinion_04-2007_personal_data_/Opinion_04-2007_personal_data_en.pdf>

Peter Schaar is the Chairman of the group which produced this document. Note that this came out in April of last year. The meeting that the reporter attended was a public seminar discussing various case studies. There is no transcript of the meeting and no formal submission from Peter Schaar or the German data protection agency, so I assume that the reported comments came during some discussion of Google's submission, which is here:

<http://www.europarl.europa.eu/meetdocs/2004_2009/documents/dv/google_privacy_booklet_pfleischer_/Google_Privacy_booklet_PFleischer_en.pdf>

If you want to see the program for the meeting, it is here:

<http://www.europarl.europa.eu/meetdocs/2004_2009/documents/dv/programme_rev2_0/programme_rev2_0EN.pdf>

It would be interesting to see some INFORMED discussion on the EU's position or Google's position, because the EU and Google are powerful organizations which matter. But there is really no point in prolonged discussion of some reporter's choice quote which may or may not have been taken out of context.

--Michael Dillon
On Thu, 24 Jan 2008 14:35:41 PST, Owen DeLong said:
I'm sorry, but, I have a great deal of difficulty seeing how an IP can be considered personally identifying.
I dunno. I think I have a pretty good guess of who 192.159.10.227 is, or at least who it was as of 14:35 -0800 today.
In article <Pine.GSO.4.64.0801231750350.24354@clifden.donelan.com>, Sean Donelan <sean@donelan.com> writes
In the US, folks are fighting the RIAA claiming that an IP address isn't enough to identify a person.
In Europe, folks are fighting the Google claiming that an IP address is enough to identify a person.
I guess it depends on which side of the pond you are on.
The European Data Protection perspective (which has been the same since 1999, and expressed quite robustly in 2000; no new ideas have suddenly appeared) is this:

Many IP addresses *are* enough to identify a person. Although sometimes you need additional information. The law talks about "identifying directly or indirectly", the latter as a result of having some *other* information available[1]. It's not a case of getting a hit based on IP address alone (which in any event needs at least a registry lookup to turn into a person's name).

And therefore because *some* IP addresses indisputably identify people, you must put in place precautions to handle *all* such information appropriately (IP addresses don't come with a bit set to say "I'm an identifiable user" or "I'm not"). That's just the way European Law works.

The American perspective might be (and I'm guessing here) that if only *some* IP addresses identify people, you should assume that *all* IP addresses are unreliable identifiers. [Many of the comments in this thread express somewhat of that view]. That might even be a good idea in a shoot-first ask-questions-later environment. My advice would be to try *not* to deploy such an environment :)

[1] In the case of being a dial-up ISP, the RADIUS logs; others have mentioned the association between commercial wifi connections and their (roaming) subscribers.

--
Roland Perry
Paul Vixie wrote:
hank@efes.iucc.ac.il (Hank Nussbacher) writes:
http://ap.google.com/article/ALeqM5g08qkYTaNhLlscXKMnS3V8dkc-WwD8UAGH900
they say it's personally identifiable information, not personal property. EU's concern is the privacy implications of data that google and others are saving, they are not making a statement related to address ownership.
Correct. In the EU DP framework (see: [...] P. S. How many bits in the mask are necessary to achieve the non-PII aim?
So, this could be basically a matter of dredging up someone with a /25 allocated to them personally, in the EU service area. I think I know some people like that. I know for a fact that I know people with swamp C's here in the US.

That would seem to set the bar higher than a mere 7 bits.

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
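Joe's /25 objection to the P3P partialip rule, checked against a registry, as an added illustration (this is not code from the thread, from the W3C P3P spec or from any registry; the allocation table, holder labels and addresses are constructed from RFC 5737 documentation ranges to mirror the /25 and "swamp C" cases, and the "minimum bits to blur" search is my own generalization of Eric's question about how many mask bits are needed):

```python
"""P3P partialip truncation checked against an address registry.

Added illustration; not code from the thread, the W3C P3P spec or any
registry. ALLOCATIONS, holder labels and test addresses are constructed
(RFC 5737 documentation ranges) to mirror the /25 and "swamp C" cases.
"""
import ipaddress
from typing import Optional, Set

# Constructed registry: prefix -> allocation holder.
ALLOCATIONS = {
    "192.0.2.0/25": "person-x",            # a /25 assigned to one individual
    "192.0.2.128/25": "person-y",
    "198.51.100.0/24": "person-z",         # a "swamp C" held by one individual
    "203.0.113.0/24": "isp-dynamic-pool",  # one registry holder, many users behind it
}


def partialip(addr: str, drop_bits: int = 7) -> ipaddress.IPv4Address:
    """P3P partialip: an IPv4 address with its low `drop_bits` bits zeroed.

    The spec defines this for v4 only; IPv4Address() rejects v6 input."""
    if not 0 <= drop_bits <= 32:
        raise ValueError("drop_bits must be 0..32")
    a = int(ipaddress.IPv4Address(addr))
    mask = (0xFFFFFFFF << drop_bits) & 0xFFFFFFFF
    return ipaddress.IPv4Address(a & mask)


def holders_in_bucket(truncated: ipaddress.IPv4Address, drop_bits: int) -> Set[str]:
    """Registry holders whose allocation overlaps the block of 2**drop_bits
    addresses that the truncated value stands for."""
    block = ipaddress.ip_network(f"{truncated}/{32 - drop_bits}", strict=False)
    return {h for p, h in ALLOCATIONS.items()
            if block.overlaps(ipaddress.ip_network(p))}


def still_identifies(addr: str, drop_bits: int = 7) -> bool:
    """True when the truncated address maps back to exactly one holder,
    i.e. a registry lookup undoes the truncation."""
    return len(holders_in_bucket(partialip(addr, drop_bits), drop_bits)) == 1


def min_bits_to_blur(addr: str) -> Optional[int]:
    """Smallest drop_bits at which the bucket spans at least two holders
    (or none). None means nothing short of dropping all 32 bits suffices."""
    for b in range(1, 33):
        if not still_identifies(addr, b):
            return b
    return None


if __name__ == "__main__":
    for addr in ("192.0.2.77", "198.51.100.10", "203.0.113.5"):
        print(addr, "->", partialip(addr), "identifies:", still_identifies(addr),
              "bits to blur:", min_bits_to_blur(addr))
```

Dropping 7 bits of an address inside a personally held /25 leaves the /25 intact, so the registry still names one person; for the /24 it takes dropping 27 bits before the bucket reaches anyone else in this toy registry. The converse caveat is the one Owen and Joel raise: "isp-dynamic-pool" counts as a single holder here even though many people sit behind it, so a registry hit is an interface holder, not a person.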
On Wed, Jan 23, 2008 at 05:26:09PM +0000, Paul Vixie wrote:
hank@efes.iucc.ac.il (Hank Nussbacher) writes:
http://ap.google.com/article/ALeqM5g08qkYTaNhLlscXKMnS3V8dkc-WwD8UAGH900
they say it's personally identifiable information, not personal property. EU's concern is the privacy implications of data that google and others are saving, they are not making a statement related to address ownership.
Perhaps not. But people will interpret it as they wish to.

--
Joe Yao
Qinetiq NA / Analex Contractor
participants (23)
- Eric Brunner-Williams
- Eric Gauthier
- Florian Weimer
- Fred Baker
- Gadi Evron
- Hank Nussbacher
- J. Oquendo
- Jeff McAdams
- Joe Greco
- Joel Jaeggli
- Joseph S D Yao
- Lou Katz
- michael.dillon@bt.com
- Mikael Abrahamsson
- Owen DeLong
- Paul Vixie
- Robin Stevens
- Rod Beck
- Roland Perry
- Scott Francis
- Scott McGrath
- Sean Donelan
- Valdis.Kletnieks@vt.edu