EU Official: IP Is Personal

Joel Jaeggli joelja at bogus.com
Wed Jan 23 22:05:07 UTC 2008


Eric Brunner-Williams wrote:
> Correct. In the EU DP framework (see:
> http://ec.europa.eu/justice_home/fsj/privacy/), personal privacy
> doesn't arise from private law (contract or property), but from public
> law (the human rights statements contained in the treaty under which
> the EU is formed).
> 
> However, Google/DoubleClick claim they have the right to collect PII
> data and disclose less than their complete data collection policy, and
> in particular, claim that endpoint identifiers do not tend to identify
> individuals. Further, they assert a property claim on such collected
> data.
> 
> See the partialip definition in the W3C's P3P Spec for an attempt to
> straddle the fence at offset 7:
> 
> "a partialip element represents an IP version 4 address (only - not a
> version 6 address) which has had at least the last 7 bits of
> information removed"
> 
> The theory for partialip was that a full address (v4 or v6) was PII,
> and a partial (for v4 only, at 7 bits) was not PII.
> 
> Eric
> 
> P. S. How many bits in the mask are necessary to achieve the non-PII aim?

One might observe that the IP address is not used in isolation. Some
other metadata is being collected, whether it's the product of a search
query or a referrer URL or whatever dataset contains the IPs, but that an
IP address anonymized by dropping 8 bits from the mask, in conjunction
with the other information, is probably more than enough to uniquely
identify an individual in the sorts of data sets that are being
discussed here.

This rather timely article has some pointers on the subject.

http://www.schneier.com/crypto-gram-0801.html#1
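
As an added illustration of the point made in this message (not part of the original post): the sketch below applies partialip-style truncation to a small constructed log and measures what fraction of records stay unique once the truncated address is combined with other collected fields. The records, field layout and function names are assumptions made for the example.

```python
import ipaddress
from collections import Counter

def partial_ip(addr: str, dropped_bits: int) -> str:
    """Zero the low `dropped_bits` bits of an IPv4 address (P3P partialip: at least 7)."""
    if not 0 <= dropped_bits <= 32:
        raise ValueError("dropped_bits must be between 0 and 32")
    mask = (0xFFFFFFFF << dropped_bits) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(addr)) & mask))

def unique_fraction(records, dropped_bits: int, with_metadata: bool) -> float:
    """Fraction of records whose quasi-identifier occurs exactly once (anonymity set of 1)."""
    keys = []
    for ip, user_agent, referrer in records:
        key = (partial_ip(ip, dropped_bits),)
        if with_metadata:
            key += (user_agent, referrer)
        keys.append(key)
    counts = Counter(keys)
    return sum(1 for k in keys if counts[k] == 1) / len(keys)

# Constructed sample log: (client IP, user agent, referrer).
# Addresses come from the RFC 5737 documentation ranges.
RECORDS = [
    ("192.0.2.10",    "UA-A", "search?q=alpha"),
    ("192.0.2.77",    "UA-B", "search?q=beta"),
    ("192.0.2.130",   "UA-A", "search?q=gamma"),
    ("192.0.2.200",   "UA-C", "search?q=alpha"),
    ("198.51.100.5",  "UA-A", "search?q=alpha"),
    ("198.51.100.90", "UA-A", "search?q=alpha"),
]

if __name__ == "__main__":
    # Sweep the mask: truncated address alone vs. truncated address plus metadata.
    for bits in (0, 7, 8, 16, 32):
        alone = unique_fraction(RECORDS, bits, with_metadata=False)
        joined = unique_fraction(RECORDS, bits, with_metadata=True)
        print(f"dropped={bits:2d}  ip only: {alone:.2f}  ip+metadata: {joined:.2f}")
```

On this constructed data, no record is unique by truncated address alone at 7 or 8 dropped bits, yet two thirds are unique once user agent and referrer are joined in, and half remain unique even with all 32 bits dropped.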




