U.S. Federal Judge Upholds IP Addresses are Not PII, Part 3 – But do IP Addresses Identify a Computer?
July 16th, 2009 by Greg Pierson

In a class action lawsuit involving Microsoft, a U.S. District Court judge ruled that IP addresses are not personally identifiable information (PII). Judging from the responses to my first post, few people actually read the order by Judge Richard Jones. I received an email from someone stating that the judge was dead wrong in stating that IP addresses identify computers.
The judge wrote,
“In order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer, and can do that only after matching the IP address to a list of a particular Internet service provider’s subscribers.”
The second sentence could definitely be clearer. It is not accurate to say that an IP address identifies a unique computer. You could say that, at a given moment, an active IP address is associated with a specific Internet device; a moment later, the same IP address could represent a completely different Internet device that may or may not be associated with the first one.
I don’t think this distinction changes the point the judge was making. It does, however, bring up an important point for online businesses using IP addresses to identify fraud and abuse.
Few consumers have static IP addresses. Some of the largest ISPs don’t even offer this service. It’s typically more expensive, and few consumers have any real reason for having one. Most consumers are assigned an IP address by their ISP through DHCP, and every time their router is powered on they will be assigned a new address. Bad guys are obviously even less likely to use a static IP address. And most businesses of any size, to stretch their public IP address range and for various security and network management reasons, translate a small number of external/public IP addresses into many internal/private IP addresses.
The point is that IP addresses are transitory in nature, and therefore have a shelf life. Fraud management systems that use IP addresses to build associations between accounts, profile behavior and screen out bad actors need to be used with caution. If one of your best customers conducts business with the site on Monday from a particular IP address, it isn’t necessarily the same customer or Internet device connecting from the same IP address on Tuesday. Conversely, if you get a chargeback notice for a transaction that occurred weeks ago from a particular IP address, blocking that IP address going forward may well deny business from a good customer who has absolutely nothing to do with the previous fraud.
If your fraud management team relies heavily on IP addresses, use time to weight associations. Different transactions coming from the same IP address within minutes are very likely related, whereas transactions from the same IP address separated by weeks should be considered very weakly associated, if at all. In either case, manual review will help make sure you don’t negatively impact a good customer.
Unfortunately, manual review processes are expensive and not scalable. Layering complementary fraud management approaches can help you reject and accept more transactions with confidence and significantly reduce the need for manual review.
