[LINK] Psych department web stats

Richard Chirgwin rchirgwin at ozemail.com.au
Tue May 27 10:31:55 AEST 2008


Roger Clarke wrote:
> At 10:09 +1000 26/5/08, Rick Welykochy wrote:
>   
>> Does a publicly available list of consumers IPs (as one example) who accessed
>> a given web server constitute a breach of privacy?
>>     
>
> The OECD Guidelines refer to "an identified or identifiable individual".
>
> The expressions in particular laws vary considerably, but generally 
> data is personal data if the person's identity is known.
>
> The Clth Privacy Act is one of the weakest forms:
> http://www.austlii.edu.au/au/legis/cth/consol%5fact/pa1988108/s6.html
> "personal information" means information or an opinion ... about an 
> individual whose identity is apparent, or can reasonably be 
> ascertained, from the information or opinion.
>
> (Most definitions adopt the sensible approach that it doesn't matter 
> whether the identity is apparent from the data alone, or from the 
> data in combination with other data).
So: it can be argued that a server log constitutes a breach of privacy, 
since if you have sufficient data to associate an IP address with a user 
you can identify the user. That's enough relating to static IPs.

With dynamic IP addresses, I would argue that server logs don't 
constitute a breach of privacy. The server log as published is only 
showing accesses over a period of time, not at a given instant. So the 
203.153.201.253 accessing a site 43 times in a (say) month probably 
won't refer back to the same individual user for that month.

RC



More information about the Link mailing list