The iovation Site

U.S. Federal Judge Upholds IP Addresses are Not Personally Identifiable Information – I Agree.

July 13th, 2009 by Greg Pierson

In a class action lawsuit involving Microsoft, a U.S. District Court judge ruled that IP addresses are not personally identifiable information (PII).  This will undoubtedly contribute to the important, often passionate and sometimes controversial balance between online security and privacy.  There will be countless threads pointing out the legal and technical reasons that an IP address is not personal information.  There will be valid points here.  And there will be countless more threads on what can be done with IP addresses alone and how IP addresses can be used in combination with other types of information for target marketing, behavior analysis and even identifying specific individuals.  There will be valid points here too.

By themselves, very few individual data elements point to a specific individual.  Rather than debating whether or not a particular data element is PII, I think it’s more appropriate, and ultimately more productive, to think about data elements on a continuum from strongly associated with identity to weakly associated with identity.  While reasonable people could argue over the precise weight of individual data elements, there would be general agreement that biometric information is more strongly associated with unique individuals than physical address, which is more specific than date of birth, etc.  Imagine the ‘fun’ in debating over the relative weights of validated email address versus non-validated email address, or cell versus home versus fax numbers, etc.

On this continuum, IP addresses are very weakly associated with identity.  Of all the information associated with one’s Internet activity, IP address is pretty innocuous.  IP addresses are often transitory, randomly assigned and very easily obfuscated.  With no additional information, it’s extremely difficult at best to associate an individual to an IP address with any degree of certainty.

Moreover, IP addresses are in the public domain and literally part of the fabric of the Web.  They are in every router, web server and internet appliance with audit logs.  Like the to and from addresses on snail mail, IP addresses are an integral part of every TCP/IP packet flying around the globe.  Every time you visit a website, post to a message board, or send an IM, tweet or email, you are sharing IP addresses.  It’s not reasonable or practical to treat IP addresses like credit card numbers or other data elements that are more closely associated with unique individuals.

With respect to the balance of security and privacy, there’s another very important aspect to all of this.  Privacy advocates and consumers should consider the potential ramifications of treating all data elements the same, regardless of strength of association to identity.  Online businesses have a right, and shareholders might argue an obligation, to know their customers, understand behavior, and protect themselves and their users from fraud and abuse.  Using IP addresses, session IDs, cookies, tokens, device IDs and similar data elements that are very weakly associated with identity actually protects the identity and privacy of consumers.  As businesses protect themselves with information that is more closely associated with identity, identity and privacy are more at risk.

This ruling is a step in the right direction.  I hope it is the signal of a trend toward a rational view of the value of an IP address.
