IP addresses and personal information (was Re: [LINK] Fwd: On Line Opinion - 16 February 2007)
Craig Sanders
cas at taz.net.au
Fri Feb 23 22:48:17 AEDT 2007
On Fri, Feb 23, 2007 at 03:33:40PM +1000, Irene Graham wrote:
> On Thu, 22 Feb 2007 16:11:47 +1100, Howard Lowndes wrote:
> > On Thu, 22 Feb 2007 15:52:38 +1100, Marghanita da Cruz wrote:
> >> The talk I went to by Hitwise was pretty compelling see
> >> <http://www.hitwise.com.au/products-services/how-we-do-it.php>
> >>
> >
> > Tell me where this doesn't breach either or both of the Privacy Act and
> > the Telecommunications Act:
>
> EFA would like to know that as well.
they give a few perl scripts (so source is provided, and the scripts are
auditable by the ISP) to ISPs which process the ISP's proxy log files,
summarise and anonymise the results, and send them back to hitwise.
i've seen the code. it was obviously written with the idea of preserving
anonymity in mind. we (the ISP i was working for at the time) decided
not to bother participating - not for privacy reasons but because we saw
little or no benefit in it.
at least, that's how they were doing it a few years ago.
> > "The network-centric methodology employed by Hitwise enables the most
> > efficient way of monitoring of how more people visit more websites than
> > any other way of measuring Internet usage.
> >
> > Hitwise has developed proprietary software that Internet Service
> > Providers (ISPs) use to analyze website usage logs created on their
> > network. The anonymous data sent to Hitwise from the ISPs include a
> > range of industry standard metrics relating to the viewing of websites
> > including page requests, visits and average visit length."
>
> EFA raised the Hitwise issue in a submission to the Senate Legal and
> Constitutional References Committee's Inquiry into the Privacy Act 1988:
> Sect 4.3(a) Businesses covertly surveilling Internet users
> http://www.efa.org.au/Publish/efasubm-slcrc-privact2004.html#52_9
> or
> http://www.aph.gov.au/senate/committee/legcon_ctte/privacy/submissions/sub17.pdf
>
> The Committee subsequently invited Hitwise to lodge a submission which they
> did:
> http://www.aph.gov.au/senate/committee/legcon_ctte/privacy/submissions/sub47.pdf
>
> According to that submission, apparently Hitwise holds the opinion that IP
> addresses are not personal information (and I gather that they therefore
> consider disclosure, collection and use of IP addresses without consent of
> individuals does not breach any law).
most of the time(*) IP addresses are NOT personal information and can not
be used to identify any particular individual.
most ISP customers have dynamic IP addresses, they change every time
they log in. furthermore, hitwise only have access to an anonymised
summary of the proxy logs (i.e. even IP addresses stripped) - and even
if they did get the IP addresses, they have no access to any of the
ISP's systems which might be able to identify which customer was using
that particular IP address at that particular time.
finally, many proxy servers (including squid, which is probably the one
most commonly deployed at ISPs) have the option of anonymising the IP
address *before* it is logged. hitwise's scripts, IIRC, worked just as
well on those logs.
(*) the exceptions are statistically insignificant people, like me, who
own their own IP addresses and use them rather than an ISP-allocated
address. even that is no guarantee of identifying an individual (e.g.
me) because there's no way for anyone not physically present in my home
at the time to know who was using one of the computers here.
> The Hitwise submission stated:
>
> "IP addresses are not considered to be 'personal information'
> as they do not identify a person. However, EFA appears to be claiming
> that an IP address can be said to identify 'some individuals' and that
> it should be regarded as 'personal information'. It is not clear why
> EFA has formed this view."
frankly, i can't fathom why EFA has formed that view either. have you
been suckered by snake-oil merchants selling webstats software?
(as any decent tech knows, the ONLY thing that web stats can tell you
is what load the server is under. they do not and can not tell you how
many actual visitors you've had - any "data" beyond simple server load
stats is just pure guesswork and extrapolation based on mostly erroneous
assumptions)
> EFA then lodged a supplementary submission to Committee explaining in
> detail why EFA has the view that IP addresses are personal information
> (in part because that is precisely what law enforcement agencies use
> to find/identify individuals):
so, EFA's reason is "law enforcement have a broken idea of what's
possible, so we'll just adopt that rather than help to correct their
mistake".
that's very disappointing. i would have expected much better than that
from the EFA. more of a clue, somehow.
IMO, the EFA would be doing a greater service to electronic freedom by
pushing the *FACT* that IP addresses do not and can not identify an
individual and should never be used for that purpose by law enforcement.
btw, even when an IP address can be traced back to a particular customer
account, there is no way of proving that that person was the one
actually using the computer at the time - unless they're actually caught
in the act.
craig
--
craig sanders <cas at taz.net.au>
Currently listening to: Entheogenic - Sideways
BOFH excuse #397:
T-1's congested due to porn traffic to the news server.
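
Added example, not part of the original message and not Hitwise's scripts: one way to do the kind of processing described above, reducing a squid access log to per-site page requests, visits and average visit length with the client address dropped, and optionally masking the address first as squid's `client_netmask` directive does before logging. The log lines are constructed, and the 30-minute visit gap and the function names are assumptions.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in squid's native access.log format:
# time elapsed client code/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1172200000.000 120 203.0.113.17 TCP_MISS/200 5120 GET http://news.example/ - DIRECT/198.51.100.5 text/html
1172200060.000 80 203.0.113.17 TCP_HIT/200 2048 GET http://news.example/a.html - NONE/- text/html
1172200090.000 95 203.0.113.99 TCP_MISS/200 4096 GET http://news.example/ - DIRECT/198.51.100.5 text/html
1172204000.000 110 203.0.113.17 TCP_MISS/200 5120 GET http://news.example/ - DIRECT/198.51.100.5 text/html
1172200100.000 70 203.0.113.17 TCP_MISS/200 1024 GET http://shop.example/cart - DIRECT/198.51.100.9 text/html
"""

VISIT_GAP = 1800  # assumption: 30 idle minutes ends a visit

def mask_client(ip, prefix=24):
    """Zero the host bits, as client_netmask 255.255.255.0 would for /24."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def summarise(log_text, prefix=32):
    """Return {site: metrics}; client addresses never appear in the result."""
    hits = defaultdict(list)  # (site, client) -> timestamps, held in memory only
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated line
        site = urlsplit(fields[6]).hostname
        if site:  # entries without a parseable host (e.g. CONNECT host:port) are skipped
            client = mask_client(fields[2], prefix)
            hits[(site, client)].append(float(fields[0]))
    totals = defaultdict(lambda: {"page_requests": 0, "visits": 0, "seconds": 0.0})
    for (site, _client), stamps in hits.items():
        stamps.sort()
        t = totals[site]
        t["page_requests"] += len(stamps)
        start = prev = stamps[0]
        for ts in stamps[1:] + [None]:  # None closes the final visit
            if ts is None or ts - prev > VISIT_GAP:
                t["visits"] += 1
                t["seconds"] += prev - start
                start = ts
            prev = ts
    return {site: {"page_requests": t["page_requests"], "visits": t["visits"],
                   "avg_visit_seconds": t["seconds"] / t["visits"]}
            for site, t in totals.items()}
```

With `prefix=24` the page-request totals are unchanged, while clients sharing a /24 merge into one, so the visit count for news.example in the sample drops from 3 to 2.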