-
11 Juin 2010 - L’ISOC France élu au CA de l’AFNIC
-
08 Juin 2010 - Participation de l’ISOC à l’AG de l’ APROGED
-
NEWSLETTER ISOC MONDE - Janvier 2010
-
Décembre 2009 : Nouveau CA de l’Internet SOCIETY FRANCE
-
Newsletter ISOC MONDE - Décembre 09
-
Gérard Dantec invité à la Journée d’études CREIS-Terminal sur "La gouvernance d’Internet" le vendredi 11 décembre 2009
-
L’ISOC SOUTIENT le W3C sur les STANDARDS WEB OUVERTS
-
"Vie privée, vie publique au tr@vail" le 22 janvier 2010
Are IP addresses personal data ?
lundi 11 février 2008.Caution : This note is written from a French perspective. It might not fit your own local regulations, especially if you’re from outside the EU. Within the EU, there is an EU directive on personal data so that it should be roughly correct. However, our experience would tend to indicate that other EU countries might have a slightly different take on what personal data are.
Summary
An IP address is allocated to each computer terminal connected to an Internet Protocol (IP) network, enabling it to exchange information with other connected terminals. An IP address identifies a machine. Most of the time, the address is provided by an ISP which keeps tracks of the addresses allocated to its customers at any given time. Therefore ISPs know which user used which address when and an IP address can be used to indirectly identify the person behind a machine. That is the reason why the French CNIL regards it as personal data. This triggers legal restrictions to the automatic processing of IP addresses. It can go as far as forbidding it to protect users privacy.
Author(s) : Laurent Ferrali and Charles Simon, Isoc France’s legal issues working group.
1. What are personal data ?
French regulations define personal data as “any information relating to an identified natural person or one that is identifiable, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to oneself.” It can be one’s first and last names or a car registration plate that can be traced back to its owner.
Similar definitions exist across the European Union. However, due to the lack of an international treaty, there is no specific legal framework in other parts of the world. For example US regulations are fragmented at best to that regard. Therefore European Internet users have to be extra cautious when accessing US-based websites as the provided level of protection of their data can be lower than the one enjoyed within the EU.
Under certain circumstances, the very fact that a piece of information is regarded as one’s personal data will indeed trigger a specific protection guaranteed in France by the CNIL, a public body. For this to happen, data have to be automatically processed and should relate to an identified or identifiable individual, not a company or any other organisations.
2. What is an IP address ?
Every computer connected to the Internet is identified by a unique number by which it can be located amongst all the connected computer or that can serve to trace back the sender of a message . This unique number is called an Internet or IP (for Internet Protocol) address. It is the ISPs that allocate addresses to their customers, meaning that they know at each given moment which address has been allocated to which customers. The IP address is in some ways the phone number of the Internet.
As with phone numbers the continuing growth of the Internet has led to the lengthening of the addresses in order to enable the network to scale up. IPv4 addresses (the ones actually in use) are 32-bit long, meaning that they consist of thirty-two successive 0 or 1. Soon IPv6 addresses (the new ones being deployed) will be 128-bit long and will provide a pool of addresses large enough to allocate one to each atom of the known Universe if we whished it so.
3. Are IP addresses personal data ?
Yes according to the Art.29 Data Protection Working Party. It is a council of all the privacy commissioners across the EU. As it is possible to match an IP address to an internet user at any given moment through the ISPs, the IP address indirectly identifies an individual as a phone number, a social security number or a car registration plate would.
4. What does it imply that IP addresses are personal data ?
In France and, more generally, within the EU, one cannot do as one pleases with personal data. Third parties have to follow a strict set of rules when automatically collecting them. Regulations have to be respected and the CNIL in France and other body across the EU enforce them. For instance one cannot keep such data without a precise, legitimate goal and they should be deleted after a certain, not improperly long, amount of time has passed.
Furthermore, except when regulations state otherwise, you have the right to know that data related to you have been collected and are being kept and you have the right to object to it. You also have the right to access your data and possibly have them rectified.
It means that a website should not keep tracks of your IP address forever, for example to profile the frequency of your connections, your subjects of interest… It also has to have a specific and legitimate goal when collecting and keeping your data and you should be made aware of what it is.
5. Why should it matter to me ?
You use the internet every day for a growing number of uses. Your IP address appears in all your communications, when you browse through a website, when you send an email, when you buy a book online… A lot of people can collect it and use it for a lot of purposes, to store them because the law forces them to or to analyse it for a marketing campaign.
This type of profiling is all the more effective when your address is static. It is more and more often the case today with IPv4 addresses and it will be the case tomorrow with IPv6 ones. What are the implications ?
5.1. Tomorrow your use of peer-to-peer networks could be tracked without you knowing. Representatives of French artists and producers have set up automatic systems to monitor peer-to-peer networks, and collect, amongst other things, users IP addresses. However such systems had first to be authorised by the CNIL which set boundaries to prevent an arbitrary and all out monitoring system.
5.2. Tomorrow marketers could know what you’re doing on the Internet. When you connect to a website, when you make a query in a search engine, the tracks that you leave behind can be used to profile you. It is a good thing if it aims to provide you with a better service, not so much if it aims to pervert this knowledge to try and sell you all sorts of things.
However not every use of your personal data is dangerous.
5.3. Some tracks have to be kept to prevent bad behaviours. When an internet user connects to a bulletin board to leave a message, the person in charge of the bulletin board has to keep the IP address used to comply with French regulations. Later on, it can be used for identification when a user has posted hate or racist messages. Therefore keeping these data is necessary for justice to be served.
5.4. IP address can allow websites to provide you with a better service. Some websites remember your previous set of preferences when you connect to them again, offering you a higher user experience. « Cookies » or IP address recognition tools are used to do so. This is something really beneficial to you everyday experience of the internet.
- .doc file
- IP addresses as personal data
- .odt file
- IP addresses as personal data
- .pdf file
- IP addresses as personal data