washingtonpost.com
IP Addresses Are Personal Data, E.U. Regulator Says

By Aoife White
Associated Press
Tuesday, January 22, 2008

BRUSSELS -- IP addresses, strings of numbers that identify computers on the Internet, should generally be regarded as personal information, the head of the European Union's group of data privacy regulators said Monday.

Germany's data-protection commissioner, Peter Scharr, leads the E.U. group, which is preparing a report on how well the privacy policies of Internet search engines operated by Google, Yahoo, Microsoft and others comply with E.U. privacy law.

Scharr told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address, "then it has to be regarded as personal data."

His view differs from that of Google, which insists an IP address merely identifies the location of a computer, not who the individual user is. That is true but does not take into consideration that many people regularly use the same computer and IP address.

Scharr acknowledged that IP addresses for a computer may not always be personal or linked to an individual. For example, some computers in Internet cafes or offices are used by several people.

These exceptions have not stopped the emergence of a host of "whois" Internet sites, which allow users to type in an IP address and will then generate a name for the person or company linked to it.

Treating IP addresses as personal information would have implications for how search engines record data.

Google was the first last year to cut the time it stored search information to 18 months. It also reduced the time limit on the cookies that collect information on how people use the Internet from a default of 30 years to an automatic expiration in two years.

A privacy advocate at the nonprofit Electronic Privacy Information Center said it was "absurd" for Google to claim that stripping out the last two figures from the stored IP address made the address impossible to identify by making it one of 256 possible configurations.

"It's one of the things that make computer people giggle," the center's executive director, Marc Rotenberg, said. "The more the companies know about you, the more commercial value is obtained."

Google's global privacy counsel, Peter Fleischer, said Google collects IP addresses to give customers a more accurate service because it knows what part of the world a search result comes from and what language is used -- and that was not enough to identify an individual user.

"If someone taps in 'football,' you get different results in London than in New York," he said.

The way Google stores IP addresses meant that one address forms part of a crowd, giving valuable information on general trends without infringing on an individual's privacy, he said.

Google says it needs to store search queries and gather information on online activity to improve its search results and to provide advertisers with correct billing information that shows that genuine users are clicking on online ads.

Internet "click fraud" can be tracked by showing that the same IP address is jumping repeatedly to the same ad. Advertisers pay for each time a different person views the ad, so dozens of views by the same person can rack up costs without giving the company the publicity it wanted.

Microsoft does not record the IP address that identifies an individual computer when it logs search terms. Its Internet strategy relies on users logging into the Passport network that is linked to its popular Hotmail and Messenger services.

The company's European Internet policy director, Thomas Myrup Kristensen, described the move as part of Microsoft's commitment to privacy. "In terms of the impact on user privacy, complete and irreversible anonymity is the most important point here -- more impactful than whether the data is retained for 13 versus 18 versus 24 months," he said.

Neither of the search engines received a pat on the back from Spain's data protection regulator, Artemi Rallo Lombarte, who criticized them for not trying to make their privacy policies accessible to normal people.

Their privacy policies "could very well be considered virtual or fictional . . . because search engines do not sufficiently emphasize their own privacy policies on their home pages, nor are they accessible to users," he said, describing the policies as "complex and unintelligible to users."

View all comments that have been posted about this article.

© 2008 The Washington Post Company