# Judge Rules IP Addresses Not "Personally Identifiable"



## lotuseclat79 (Sep 12, 2003)

Judge Rules IP Addresses Not "Personally Identifiable".



> "Online Media Daily reports that a federal judge in Seattle has held that IP addresses are not personal information. 'In order for "personally identifiable information" to be personally identifiable, it must identify a person. But an IP address identifies a computer,' US District Court Judge Richard Jones said in a written decision. Jones issued the ruling in the context of a class-action lawsuit brought by consumers against Microsoft stemming from an update that automatically installed new anti-piracy software. In that case, which dates back to 2006, consumers alleged that Microsoft violated its user agreement by collecting IP addresses in the course of the updates. This ruling flatly contradicts a recent EU decision to the contrary, as well as other cases in the US. Its potential relevance to the RIAA suits should be obvious to anyone who reads Slashdot."


Note: Further story links at above posted link.

-- Tom


----------



## wiley8425 (Nov 11, 2007)

lotuseclat79 said:


> Judge Rules IP Addresses Not "Personally Identifiable".
> 
> Note: Further story links at above posted link.
> 
> -- Tom


Just goes to show how the legal system in the US sides with whoever has the money. It's not about right or wrong. It's all about the dollar.


----------



## tomdkat (May 6, 2006)

I agree with the judge. IP addresses are not personally identifiable. 

Peace...


----------



## wiley8425 (Nov 11, 2007)

tomdkat said:


> I agree with the judge. IP addresses are not personally identifiable.
> 
> Peace...


I agree also. Funny how the judges don't seem to think so when they're handling a case dealing with a lawsuit for the RIAA, MPAA, or the other conglomerate corporate groups seeking damages.


----------



## tomdkat (May 6, 2006)

wiley8425 said:


> I agree also. Funny how the judges don't seem to think so when they're handling a case dealing with a lawsuit for the RIAA, MPAA, or the other conglomerate corporate groups seeking damages.


That would depend on how the RIAA, MPAA, or other party presented their case to the judge. The fact that an IP address is involved doesn't mean ALL cases should be considered the same.

In the above case, Microsoft was collecting IP addresses and people considered that to be the same as Microsoft collecting "identities", and that's not the case.

In the case of an IP address being used to identify a subscriber to an ISP whose computer (or modem) was assigned that IP address, the records from the ISP would be the identifying factor, not the IP address itself. That's where the RIAA/MPAA/(fill in the blank) cases get tricky in that people with unprotected wireless networks connected to broadband Internet connections can be incorrectly identified as engaging in illegal downloading activity when they are innocent. In this case, the *ISP* provided the identity of the person whose computer (or modem) was assigned the IP address. In the case of Microsoft, *no* third party was providing these identities.

See the difference? 

Peace...


----------



## wiley8425 (Nov 11, 2007)

tomdkat said:


> the records from the ISP would be the identifying factor, not the IP address itself.


Bull. The party in question wouldn't even know to look at the ISP's records without the IP address, therefore the IP address is definitely the identifying factor. The IP address would tell them what ISP they were under, would it not? And at any rate, it still does not identify the person or incriminate them. It merely identifies a computer/modem/router under their name. Any Tom, Dick, or Harry could be the actual infringer, or an outside person who managed to connect to a wireless network under their name.



tomdkat said:


> See the difference?


Absolutely. If you are the liable party, your IP address can be used to personally identify you. If a corporation is liable, your IP address cannot be used to personally identify you. Makes a whole lot of sense to me. :down:


----------



## tomdkat (May 6, 2006)

Where is Microsoft liable, in this case? By virtue of collecting IP addresses? How did Microsoft link those IP addresses to the users to which they were assigned? What did Microsoft do to contact or even sue anyone identified based on the IP addresses they collected? I thought you said you understood the difference.

EDIT: Here is a quote from the article linked to in the Slashdot article:


> Jones issued the ruling in the context of a class-action lawsuit brought by consumers against Microsoft stemming from an update that automatically installed new anti-piracy software. In that case, which dates back to 2006, consumers alleged that Microsoft violated its user agreement by collecting IP addresses in the course of the updates. The consumers argued that Microsoft's user agreement only allowed the company to collect information that does not personally identify users. *Microsoft argued that IP addresses do not identify users because the addresses don't include people's names or addresses. The company also said that it did not combine IP addresses with other information that could link them to individuals.*


So, how is Microsoft liable? What have they done other than collect IP addresses?

Peace...


----------



## wiley8425 (Nov 11, 2007)

tomdkat said:


> Where is Microsoft liable, in this case? By virtue of collecting IP addresses? How did Microsoft link those IP addresses to the users to which they were assigned? What did Microsoft do to contact or even sue anyone identified based on the IP addresses they collected? I thought you said you understood the difference.
> 
> Peace...


They're not. You're missing the point, obviously.


----------



## tomdkat (May 6, 2006)

wiley8425 said:


> Bull. The party in question wouldn't even know to look at the ISP's records without the IP address, therefore the IP address is definitely the identifying factor. The IP address would tell them what ISP they were under, would it not? And at any rate, it still does not identify the person or incriminate them. It merely identifies a computer/modem/router under their name. Any Tom, Dick, or Harry could be the actual infringer, or an outside person who managed to connect to a wireless network under their name.


Somehow I missed this part of your post, not sure how. Anyway, additional information would be required to identify the party and that information won't come from the IP address. Can you tell me what my last name is by simply looking at my IP address? Of course not, therefore how can that be *the* identifying factor?

The judge is right. An IP address doesn't personally identify anyone. An IP address combined with other information certainly can identify someone. In fact, in the article linked to in the Slashdot article discusses this:


> Today, industry observers say that IP addresses can be combined with other information to determine people's identity. *In addition, even when IP addresses have been anonymized, it's possible to associate the account with a specific individual, given enough other information. The most famous example occurred in 2006, when AOL released search logs showing queries made by more than 650,000 members. The members' IP addresses had been changed, but the queries themselves contained enough clues to people's identities that The New York Times was able to find and profile one "anonymized" user, Thelma Arnold, within days. At the time of that incident, many companies took the position that IP addresses were not personally identifiable information.*


Those companies were correct since there was enough *other* information available for a supposedly anonymous user to be personally identified.

How can you contend the IP address is the identifying factor if that's not enough to identify anyone?

Peace...


----------



## wiley8425 (Nov 11, 2007)

tomdkat said:


> How can you contend the IP address is the identifying factor if that's not enough to identify anyone?


It's not the sole identifying factor, but you can't say it is not an identifying factor at all. Again, without an IP address, a plaintiff in one of these lawsuits wouldn't know who to get records from. My contention is that it is not an identifier of a person, even with the records from an ISP, since all it identifies is the account holder and not necessarily the actual person who should be liable.



tomdkat said:


> The judge is right. An IP address doesn't personally identify anyone. An IP address combined with other information certainly can identify someone.


Again, all it identifies is the ISP account holder. It does not necessarily identify the infringer. For example, one person may have five different PCs networked on a single ISP account. As far as the ISP is concerned, they only see the IP address of the router connected to the modem, not each individual PCs IP address which would be assigned by that router. Any one of those five computers (each with different users) may be used to infringe a copyright. No matter which one of those five were used, they would all show as the IP address of the same router to the ISP. Are you saying because the owner of the ISP account can be identified by the IP address of the infringing computer (via the router) and the ISP's records, the account holder is automatically liable for any infringement done under their account even if they aren't the infringer? I disagree. And that's the issue I have with your argument that its reasonable to use an IP address as evidence in an infringement lawsuit of wrongdoing. It proves no such thing since it cannot directly identify a person, even when it's combined with other "evidence" such as an ISP's account records.


----------



## tomdkat (May 6, 2006)

wiley8425 said:


> It's not the sole identifying factor, but you can't say it is not an identifying factor at all. Again, without an IP address, a plaintiff in one of these lawsuits wouldn't know who to get records from. My contention is that it is not an identifier of a person, even with the records from an ISP, since all it identifies is the account holder and not necessarily the actual person who should be liable.


 I have never held the position the IP address isn't an identifying factor _at all_ but only that it doesn't provide enough information to identify someone. It provides information on the computer/modem/router assigned the address and the organization or company which owns the IP address can be easily identified and that's about it.

If the IP address is owned by an ISP, the ISP's records certainly can identify someone but not necessarily the right person, which is something I already stated above.



> Again, all it identifies is the ISP account holder. It does not necessarily identify the infringer. For example, one person may have five different PCs networked on a single ISP account. As far as the ISP is concerned, they only see the IP address of the router connected to the modem, not each individual PCs IP address which would be assigned by that router. Any one of those five computers (each with different users) may be used to infringe a copyright. No matter which one of those five were used, they would all show as the IP address of the same router to the ISP. Are you saying because the owner of the ISP account can be identified by the IP address of the infringing computer (via the router) and the ISP's records, the account holder is automatically liable for any infringement done under their account even if they aren't the infringer? I disagree. And that's the issue I have with your argument that its reasonable to use an IP address as evidence in an infringement lawsuit of wrongdoing. It proves no such thing since it cannot directly identify a person, even when it's combined with other "evidence" such as an ISP's account records.


For the record, this is what I posted above:


> In the case of an IP address being used to identify a subscriber to an ISP whose computer (or modem) was assigned that IP address, the records from the ISP would be the identifying factor, not the IP address itself. *That's where the RIAA/MPAA/(fill in the blank) cases get tricky in that people with unprotected wireless networks connected to broadband Internet connections can be incorrectly identified as engaging in illegal downloading activity when they are innocent.* In this case, the ISP provided the identity of the person whose computer (or modem) was assigned the IP address. In the case of Microsoft, no third party was providing these identities.


Your example fits into my description above even though you didn't specify an unprotected wireless network as I did. It really doesn't matter but that's where the *tricky* part comes in. The RIAA/MPAA/(insert agency here) can use the IP address to identify the machine that appears to be engaging in the illegal downloading activity. Then the records from the ISP provide the info on the subscriber whose modem/router was assigned that IP. Now a person has been identified. The question then becomes, has the _right_ person been identified? In some cases, the answer will be yes. In other cases, the answer will be no.

In both cases, further investigation will need to be done to confirm the person identified is the actual person engaging in the questioned activity. It's this investigation that would ultimately prove if the person identified has engaged in the behavior the RIAA/MPAA/whomever believes they are engaging in and that investigation would contain more information than an IP address or ISP records. If the investigation that was performed provided solid evidence, the RIAA/MPAA/whomever has a good case. If the investigation that was performed doesn't provide solid evidence, the RIAA/MPAA/whomever doesn't have a good case even though they might proceed with it.

I think it's reasonable for the RIAA/MPAA/whomever to include the IP address identified as engaging in the downloading behavior as part of the evidence in their case but I think more evidence is also required to prove the party identified as engaging in the downloading activity is right person.

I have always had an issue with the way the RIAA/MPAA has chosen to address the downloading issue.

Peace...


----------

