What's In An IP Address? Not Personal Information, Says The Court.
What’s in an IP address? Apparently, not everything—or so says a federal judge in Seattle. In my opinion, the recent decision in Johnson et al. v. Microsoft Corp. (No. 06-CV-0900-RAJ, W.D. Wash. Seattle Div. June 23, 2009) is right on target—IP addresses are NOT personally identifiable information. But the case reminds us that the lines between privacy and information technology are getting blurrier.
The Johnson case involved a class action lawsuit against Microsoft in which it was alleged that an update to Windows XP violated Microsoft’s user agreement because the update collected and sent users’ IP addresses to Microsoft. Microsoft’s user agreement specifically stated that no “personal information” was collected in the course of the updates, so the question was whether the collection of IP addresses amounted to the collection of “personal information.”
The plaintiffs argued that IP addresses are unique, and could be used as a basis to subpoena information from Internet service providers, which in turn could lead to the discovery of a user’s personal information. (That, by the way, is an entirely correct argument. IP address collection, coupled with subpoena power, is the number one way that investigative agencies and would-be plaintiffs acquire personal information about online users.)
Microsoft argued that IP addresses don’t identify users because the addresses don't include people's names or physical (i.e., postal) addresses. (Also a correct argument.) Microsoft also claimed that it didn’t combine or cross-reference the collected IP addresses with other information that could be used to identify users.
Of course, it didn’t help Microsoft’s case that back in 2002, Microsoft published a security glossary that defined “personally identifiable information” as “any information relating to an identified or identifiable individual”, and specifically included a user’s IP address under that definition. We lawyers call that an “oy vey” moment…
Nonetheless, the Court found in favor of Microsoft and held that IP addresses were not “personally identifiable information.” “In order for ‘personally identifiable information’ to be personally identifiable, it must identify a person,” the judge wrote in his ruling. “But an IP address identifies a computer, and can do that only after matching the IP address to a list of a particular Internet service provider's subscribers. Thus, because an IP address is not personally identifiable, Microsoft did not breach the [end-user license agreement] when it collected IP addresses.”
The Court got it right—IP addresses simply aren’t “personally identifiable information.” No doubt, they can be used to obtain personal information—but IP addresses, standing alone, don’t identify you to the outside world.
Yes, I know, some people out there will say, "Hey—the court's decision is not consistent with EU law." (Well, my European clients will certainly say that.) The EU Directive that covers data privacy for EU member countries (specifically, EU Directive 95/46/EC) includes IP addresses under its definition of “personal data.”
So here's the situation: European laws are different than U.S. laws—nothing new there. But if you're collecting IP addresses from your European customers, you need to comply with the EU Directive with regard to those customers' information—email me for more information on that issue.
A final thought: the nexus between IP addresses and personally identifiable information is simply too thin to support any holding other than the one the Court came to. Disagree with me? I'd like to hear from you.....











