The head of an EU group looking into search privacy issues said yesterday that Internet Protocol addresses assigned to computers should be treated as personal information. Below, more about that plus a look at some comments about how the search engines have been reported to the European Parliament to be dealing with privacy.

EU Official: IP Is Personal from the Associated Press covers the testimony by the head of the EU privacy group, Peter Scharr:
He said at a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address “then it has to be regarded as personal data.”
His view differs from that of Google, which insists an IP address merely identifies the location of a computer, not who the individual user is – something strictly true but which does not recognize that many people regularly use the same computer terminal and IP address.
Scharr acknowledged that IP addresses for a computer may not always be personal or linked to an individual. For example, some computers in Internet cafes or offices are used by several people.
But these exceptions have not stopped the emergence of a host of “whois” Internet sites that apply the general rule that typing in an IP address will generate a name for the person or company linked to it.
I like the “strictly true” part. It is absolutely true. An IP address only identifies that a particular computer (or actually, a particular device of some type, like a router) is connected to the web. IP addresses are indeed reused by various computers. WHOIS lookups can be used to track an IP address back to a particular company and, in some relatively rare cases, a company might even resolve the IP address to match an employee’s name. To learn more, see our Google Anonymizing Search Records To Protect Privacy article that goes into more depth about IP addresses.
If IP addresses are treated as personal data, then potentially search engines and others might face more stringent rules over how they are logged or kept in the EU. The article gets into this more with some background on how they are used, but then it hits this part that I simply don’t believe:
Microsoft does not record the IP address that identifies an individual computer when it logs search terms. Its Internet strategy relies on users logging into the Passport network that is linked to its popular Hotmail and Messenger services.
The company’s European Internet policy director, Thomas Myrup Kristensen, described the move as part of Microsoft’s commitment to privacy.
“In terms of the impact on user privacy, complete and irreversible anonymity is the most important point here – more impactful than whether the data is retained for 13 versus 18 versus 24 months,” he said.
Bull. OK, I’ll check with Microsoft on this to make certain. But web servers typically log IP addresses as a matter of course. I simply don’t believe that the majority of those coming to Microsoft — who are not using Passport — are somehow not having IPs logged.
Postscript: Heard back from Microsoft, and they said AP didn’t get their statement correct and has not run a correction. You can read Microsoft’s statements here, here and here (all PDF). In the first, Microsoft notes that it does log IPs but, as part of the 18-month data destruction plan it announced last year, it will wipe the entire IP address (rather than losing just the end portion, as Google plans).