EU Official: IP Is Personal

Scott McGrath mcgrath at fas.harvard.edu
Thu Jan 24 14:10:08 UTC 2008


We have a similar system based around Cisco's CNR which is a popular 
DHCP/DNS system used by large ISP's and other large organization and it 
is the IP+Timestamp coupled with the owner to MAC relationship which 
allows unique  identification of a user and we have strict data 
retention policies so that after the data has been maintained for the 
interval specified by the Provost it is permanently removed from the 
database.

We treat IP/Mac information as personally identifiable information  and 
as such  limit access to this information to authorized users  only.

But there seems to be  a misapprehension  that  a  dynamically assigned 
address cannot be associated with a individual.

Eric Gauthier wrote:
> Heya,
>
>   
>>> In the US, folks are fighting the RIAA claiming that an IP address isn't
>>> enough to identify a person.
>>>
>>> In Europe, folks are fighting the Google claiming that an IP address is
>>> enough to identify a person.
>>>
>>> I guess it depends on which side of the pond you are on.
>>>
>>>       
>> They are both right. If you have a dynamic IP such as most college students
>> have, it is here-today-gone-tomorrow.
>>     
>
>
> Our University uses dynamic addressing but we are able to identify likely users
> in response to the RIAA stuff.  There is a hidden step in here, at least for our 
> University, in the IP-to-Person mapping.  Our network essentially tracks the 
> IP-to-MAC relationship and the MAC-to-Owner relationship.  For us, its not the 
> IP that identifies a person, but the combination of IP plus Timestamp, which can 
> be used to walk our database and produce a system owner.
>
> I'm guessing that Google et. al. have a similar multi-factor token set (IP, time,
> cookie, etc) which allows them to map back to a "person".
>
> Eric :)
>   



More information about the NANOG mailing list