
SANS ISC: The privacy hodgepodge and IP Addresses - SANS Internet Storm Center SANS ISC InfoSec Forums


The privacy hodgepodge and IP Addresses

A comment on one of the articles earlier this week prompted me to dig around privacy legislation from various parts of the planet, only to realise what a mess it is and that I should probably just have mowed the lawn instead. It would have been easier on the brain. So, just to give you something to think about over the weekend, or discuss at a BBQ: is an IP address personal data? If you are in a rush, the conclusion I came to was "it depends".

Just before we go on I will start all of this with "I am not a lawyer" (IANAL), just a security guy trying to make sense of things and likely getting some of it wrong. So if you have a need to know for sure, I suggest you ask a lawyer.

Before we get to IP addresses we'll need to define what personal data is. This seems to be fairly consistent between countries, likely because most privacy legislation is based on the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, first adopted in 1980 after almost 10 years of discussion. Generally, the definition of personal data boils down to any information that can identify a particular individual. Some countries expand this by explicitly stating things such as race, religion, sex and other information that most of us would consider personal.

Do IP addresses fit that definition? This is where it starts getting very muddy. It appears that in some countries the answer is yes and in others it is no. To add a third option, some countries go with "only if it is combined with other items that identify a person".

When we started discussing this, Swa, one of the other handlers, pointed out this document: "Study of case law on the circumstances in which IP addresses are considered personal data". It is a study of the various laws in the EU and how they relate to the EU directives regarding privacy (page 16 especially). The rest of the document is a good read, but the table on page 16 makes it very clear how confused privacy laws can be. The table shows, for example, that in Austria there is no doubt: IP addresses are personal data. In the Netherlands they are not. In Bulgaria they are when combined with other information. In Italy they most certainly are. As for the rest of the world? In the US the answer seems to be no, they aren't. In AU, the approach tends to be that they are when combined with other personal data. If you happen to know your local situation, add it to the comments.

When I read the study from Timelex, other questions popped into my head. If IP addresses are personal data, can I have web logs? Can I use a third party to track visits? Probably not, at least not if I'm based in those countries that say IP addresses are personal data. Mind you, many countries do have exemptions for research and security-related activities, so sharing log extracts, etc. is still OK (remember IANAL, so check if you need to be certain).

Other questions that popped in: Can I outsource to other countries? Maybe I can share the data with them, but can they give it back? Whose laws apply when I place stuff in the cloud? For example, the amendments to India's laws, according to informationweek.com, apply to data collected in India, but also to data provided by overseas companies. What if you are a multinational? Which privacy laws apply?

Plenty to think about, and I'm not suggesting that we should all become privacy experts or international privacy lawyers. What I am suggesting, however, is that you may need to point out that it needs to be thought about. After all, our job is to help protect the organisation from risk.

If you want more info Wikipedia has some good links from their Privacy Law page.  Some of the other resources around:

If you have some resources, preferably from official bodies, that you think others should know about, add them to the comments or send them in.

Enjoy the weekend.

Mark H

Mark

392 Posts
ISC Handler
Thank you, Mark! This was a real eye-opener -- not all that surprising, but very interesting, and with some potentially very significant consequences. My "Alias" above is "personal data" because it is connected (by way of google, etc.) to other personal information, and if you cared to go to the trouble, you could easily get my IP address from it, along with my name, address, phone number, etc. But then isn't the license plate I am required to publicly display on my car?
Moriah

133 Posts
@Moriah: afaik, here in Austria the license plate is not considered a PII because the average person is typically not able (or should not be able) to resolve a plate to its owner's name. If you could Google for my license plate number and come up with my name, according to local legislation my plate might well be private PII.
Anonymous
Posts
In Denmark, web server log files with IP addresses can not be made public, as that is personal data. That is a comment from the Data Protection Agency.
Anonymized log files are fine.
Povl H.

70 Posts
@Moriah: I totally see your point. If, in the US, an SSN is PII, and a DL# is PHI in most states, why wouldn't your license plate number be considered PII? I get your point @Joe about not being able to Google it and trace it back to you, but wouldn't being able to Google it make it public domain (hopefully anyway) and therefore not PHI in the first place?
Anonymous
Posts
If IP addresses are PII and protected then what about those of web servers that are being rogue? Are you not allowed to publish the IP addresses of servers serving up malware if you are in Denmark or similar countries? This could have some very serious repercussions depending on what level of enforcement is applied. Definitely one to make a security person nervous in those places.
BGC

23 Posts
@PHI_NUT: Regarding driver's license number, some states use a system called "Soundex" to encode the name, along with other reversible techniques. Regarding SSN, there is a long history of tracking individuals with this number and private records are available in many places in addition to public records.
Anonymous
Posts
@Gabriel: In Washington state, the first seven characters of your driver's license number are the first five characters of your last name, followed by your first and middle initials. If your last name is too short it's padded with stars. This is followed by two digits, a letter, and another digit; the letter encodes your birth month, as I recall. I've wondered about the lack of collision protection in this scheme.
Anonymous
Posts
Err, that should say it's followed by *three* digits, a letter, and another digit.
Anonymous
Posts
The license plate issue makes me think about the clash of disclosure requirements. For example if you have an amateur radio license in the US, you are required to keep all your contact info current with the FCC and this information is public. You can go to a site like qrz.com and type in a call sign and get their info. Now think about that the next time you see somebody using their radio call sign as their vanity license plate on their car!
Skip Carter

4 Posts
