Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

IP addresses and PII


I don't normally cheer for Google when I don't have shares in the company, but this time I will make an exception.

Alma Whitten, Software Engineer at Google, today posted to their Public Policy Blog that IP addresses shouldn't be considered Personally Identifiable Information (PII).  This is not a problem in the United States but it is in the EU, and if the EU actually were to legislate this it would most definitely affect Microsoft and Google's business functionality in the EU.

Whereas Google has an interest in collecting IP addresses in terms of doing geographical search targeting and marketing, for spam filtering purposes this affects us greatly. Can we collect and record IP addresses for data mining purposes? Part of fighting spam is knowing who the people are behind the spam storm. If the EU restricted what we could do with IP addresses, we wouldn't be able to mine through our data in order to look for patterns of spamminess. The ruling would be that we could potentially use IP information to identify a specific person, which is a no-no, according to the EU.

I would think that blacklist operators like Spamhaus could be impacted by this as well.  They publish a blacklist of known spam operators and they quite deliberately go to the trouble of identifying IPs to individuals.  I could see how a spammer could mount a legal challenge to have themselves removed from Spamhaus.  Of course, I am not a lawyer but lawsuits can drain the life out of you.

I come down on the side of IP addresses not being PII.  I was a little surprised that this was coming from Germany; I would have thought a law this bad would have originated from the French.

You may want to check out the original article; it's a good read.

  • PingBack from http://www.biosensorab.org/2008/02/22/ip-addresses-and-pii/

  • I find your take a bit biased. Yes, fighting spam is important and IPs are useful tools in identifying spammers.

    However, the vast amount of personal information collected for business purposes, for personalized advertising to say the least, is alarming. There is no privacy in the new millennium and the worrying part is not that privacy is diminished but that the hands which hold such personal information are too few, e.g. Google, Yahoo and Microsoft, companies which have their shareholders' interests above all other interests, companies which should not be entrusted with such a huge responsibility of using such data responsibly.

    Yes, I agree that a formula should be found that safeguards privacy but does not compromise fighting spam. After all, the police keep personal information about criminals. However, this has to be worked out in an open frame of mind and taking into consideration all views, even the French, even EU law which has protected the individual, in my opinion, much more than USA law, from the environment, to human rights, to privacy acts, unlike the USA which has been more prone to give companies more freedom.

    Next time you make a comment, think that Europe has a history much longer than the United States. A turbulent history. A history which has taught people that if you do not act early to protect human rights, it might be too late afterwards. Try to understand the reasoning behind such proposals and try to work out a compromise if you want everyone to progress. If you start calling names and talking about the attitude of the French, they might do the same against you, remember.

  • I think it's great that Google is arguing on the side of reason here.

    There's a whole bummer associated with this, though -- if Google doesn't think an IP address is PII, then why do they hide the source IP of Gmail users?

    It seems as if they're arguing that the law would allow them to identify those webmail users' IP addresses. As the other webmails do.

    It's a very important aspect of abuse prevention and investigation and it irks me to no end that Google doesn't do the right thing.

    Their argument against PII potentially comes off as "we want it for us but we don't want you to have it, neener." Very disappointing.
