Monday, February 25, 2008

Europe - Google IP addresses not private

EU Decision on IP Addresses Could Hurt Search Engines

Google is telling European regulators that IP addresses are not personal information. A decision by the EU that IP addresses fall under privacy rules could force changes in how search engines track Internet users. Google argues that IP addresses change regularly with users and so cannot be personal information to be regulated by the EU.

European regulators are considering whether to categorize IP addresses as personal property. Their decision could throw a monkey wrench into the methods that search-engine operators like Google, Yahoo and MSN use to track the online habits of Web surfers.

"As the use of search engines becomes a daily routine for an ever-growing number of citizens, the protection of the users' privacy and the guaranteeing of their rights remain the core issues of the ongoing debate," the European Commission's data-protection working group said earlier this month.

The group said it expects to release a final report in the months ahead. Its recommendations will have worldwide implications because any search engine with at least one establishment in any European Union country will be required to comply with EU privacy policies.

Not Personal?

Google has been trying to convince the regulators that IP addresses aren't personal. Given that not everyone is connected at the same time, each Internet service provider assigns a different IP address to each connecting computer, and then reassigns it when users disconnect, noted Google software engineer Alma Whitten.

"Because of this, the IP address assigned to your computer one day may get assigned to several other computers before a week has passed," Whitten said.

For example, as laptop Relevant Products/Services users move from home to work or operate from temporary locations, they are changing IP addresses constantly. "And if you share your computer or even just your connection to your ISP with your family, then multiple people are sharing one IP address," Whitten said.

Still, Whitten admits that each ISP knows the name and address of the person who holds the subscriber account to which a specific IP address has been assigned.

"On the other hand, the IP addresses recorded by every Web site on the planet without additional information should not be considered personal data, because these Web sites usually cannot identify the human beings behind these number strings," Whitten said.

Legal and Policy Implications

Google stresses that it has already moved to protect online privacy by voluntarily agreeing to make anonymous the IP addresses and cookies stored in its log files after 18 months. The search giant also gives its registered Gmail users the ability to delete their IP-based logs from Google's servers.

"At Google, we know that user trust is fundamental to our success" and "users will stop choosing to use Google products and services if they can't trust us with their data," Whitten said. "For this reason, we have made moves to safeguard that privacy."

Any further actions to restrict the retention of IP addresses would have a major impact on the Internet search industry, said Google's Global Privacy Counsel Peter Fleischer.

No Web site can comply with all the legal and policy implications of having to treat every IP address connection as "personal data," Fleischer told The New York Times. "Nor does that outcome make sense when Web sites have no way of identifying a user based solely on the IP address."

The better solution may be to regard IP addresses as "bits of data that can be personal under certain circumstances," Fleischer said. "Indeed, some leading privacy thinkers have been advocating for just that."

No comments: