UK Home >  OUT-LAW News >  OUT-LAW Radio >  OUT-LAW Radio archive 2008

IP addresses and privacy

OUT-LAW Radio, 31/01/2008

Can your internet address be protected under privacy law? We talk to the leader of the EU's privacy watchdogs about the controversial question. Plus we hear how social networking sites are failing disabled users.

 

A text transcription follows.

This transcript is for anyone with a hearing impairment or who for any other reason cannot listen to the MP3 audio file.

The following is the text spoken by OUT-LAW journalist Matthew Magee.

Hello and welcome to OUT LAW Radio, the weekly podcast that keeps you up to date on all the twists and turns in the world of technology law.

Every week we bring you the latest news and in depth features that help you to make sense of the ever-changing laws that govern technology today.

My name is Matthew Magee, and this week we talk to the leader of Europe's privacy regulators about the difficulties he faces in trying to protect your internet address from abuse, and we hear about a major failing of social networking sites.

But first, the news:

ICANN closes cybersquatter loophole; and

European court won't force disclosure of file sharers

ICANN, the organisation in charge of the internet's addressing systems, will change the way domains are paid for closing a loophole abused by the multimillion pound cybersquatting industry. ICANN will put an end to the five-day grace period after which registered names could be handed back at no cost.

So-called 'domain tasters' have been registering names in their thousands at a time to see which received enough traffic to make advertising profitable. Any that would not cover the $6 a year fee were handed back at no cost.

ICANN will now keep its 20 cents portion of that fee even if a domain name is returned after five days. Returned domain names will still avoid the rest of the $6 charge. The plan must be approved by the ICANN board at a meeting in June.

"This is excellent news for brand owners," said John MacKenzie, a brand protection specialist at Pinsent Masons, the law firm behind OUT-LAW. "This has been the cybersquatters' market research vehicle – for pretty much zero cost they have been able to find out which domain names will make them money and which won't."

The European Court of Justice ruled that countries can decide for themselves whether or not their laws should force ISPs to give the details of suspected file sharers to courts.

The Court had been asked to rule that EU directives would force all countries to pass laws forcing disclosure in civil cases. The Court refused to do that, and said that countries are allowed to have such laws, but don’t have to.

Some EU countries, including the UK, already have disclosure in civil cases whereas others, including Germany, only allow disclosure in criminal cases.

The ECJ said there were some basic rights involved in the case, and there was a fundamental clash between one person's right to privacy and another's right to protect their intellectual property. Countries' laws must balance these, it said.

That was this week's OUT LAW news

A simple set of numbers is at the centre of a political storm that pits European regulators against the biggest technology companies in the world, that raises some interesting philosophical questions and that goes to the heart of how our online privacy is defended.

It's all about internet protocol addresses. Are they personal to you? If so they gain all the protection of Europe's privacy laws. If not, companies can be far freer with what they do with that information.

So what do they do with it? Plenty, is the answer. Companies use the numbers to track our use of their sites and services, to recommend other services based on past behaviour and, ultimately, to deliver advertising to the most valuable users.

German Federal Data Protection Commissioner Peter Schaar walked straight into this storm last week at a European parliament hearing on privacy and the internet. Schaar is also the Chairman of the group of European Data Protection and privacy watchdogs, the Article 29 Working Party.

Press reports pinged around the world saying he told the parliament that IP addresses were personal data. In fact his argument is more nuanced than that, but his basic stance is that they should be treated as such, just in case, as he told OUT LAW radio this week.

Peter Schaar: In the most cases IP addresses have to be seen as personal related and therefore the European Directive on Data Protection covers also the use of IP addresses. I understand that under specific circumstances IP addresses are not personal related but in general we would say as data protection authorities IP addresses are personal data because they identify indirectly the user of computer systems connected to the internet.

Matthew Magee: Not so, say opponents, who argue that an IP address only identifies a computer, not the person using it. This is the biggest argument against a claim that IP addresses are always personal data, and it's one that Schaar recognises. But he says that ISPs or online content companies can't know at the time whether or not an address belongs to a computer used by many people, so they must treat all of them as personal data, just in case.

Peter Schaar: If a lot of persons use the same computer system and the provider cannot identify the person who uses this specific system the data might be not personal related. But on the other hand the service provider or the content provider who provides a service in the internet cannot decide whether the IP address is related to a specific person or not and therefore it must be handled as personal data because it could be personal.

Matthew Magee: There is another front to this battle. Schaar says that companies must delete this information as soon as it has been used for the purpose for which it was collected. In most cases that's almost instantly.

Content companies such as search engines, though, say that they have to keep the information or else they will breach the Data Retention Directive. Schaar says that the directive doesn't mean this at all because it only applies to telecoms companies, not content providers.

Peter Schaar: The access provider, the Directive refer to them – and they have to follow the provisions. But a service like Google search and other search engines are not covered by the Directive; by this Retention Directive. This only covers internet access, services and telecommunication services like email providers. So the general obligation from the European data protection law is that the date must be deleted as soon as possible and that means that after the end of the use the data should be deleted.

Matthew Magee: Google, for one, disagrees, and strongly. It says that the data retention directive applies to it, so it will keep a log of activity tied to potentially identifying IP addresses for 18 months.

It went further. Let's remind ourselves what global privacy counsel Peter Fleischer told OUT LAW radio last summer about the right of Schaar and his colleagues to decide whether or not the directive applies.

Peter Fleischer: Remember the data retention directive comes out of the security side of government, not out of the data protection side. So, it’s interesting for me to hear what an official from the data protection world thinks about data retention. But it’s like asking somebody who works for the railway what they think of airline regulation, it just not their field.

Matthew Magee: Despite the set-to, Schaar said that he's negotiating with Google and still hopes for a positive outcome.'

Peter Schaar: Well we are discussing the item with Google. I'm not sure what would be the outcome. I'm optimistic.

Matthew Magee: So you think that they might change it then?

Peter Schaar: Well they already changed in reaction to our argument and I think we are not at the end of the street.

Schaar and the Article 29 Working Party are about to publish a report on search engines and their compliance – he won't say what he found, but he does hope to publish in February.
So the question of the status of this little set of numbers looks as though it will soon once again be the subject of heated dispute.

The internet has always been hailed as the ultimate democratiser, the leveller of some economic and social hierarchies, a place where otherwise unheard voices can find an audience.

That, though, has never really been true for one group: disabled users, who often find sites barred to them because of poor design or carelessness. What has been true of traditional sites appears to be sadly true, too, of the social networking boom.

Abilitynet, a charity that helps disabled people use computers, has just published findings from its research into the sites. The group's Kath Moonan said that people often can't even get into the sites in the first place and once they get there problems are legion.

Kath Moonan: People had huge difficulties just registering on the sites. This is mainly because of the CAPTCHA graphics. Most of them couldn't even register to use it. If you browsing through MySpace you might hear music over the content - the text content - of the page by the screen reader; the content of the page and then music will play at the same time. You literally can't - you can't hear either of them because they're both outputting at the same time.

The problems are all the more frustrating because social networking could be a massive boom for people whose disabilities might leave them feeling socially isolated.

Kath Moonan: When we conducted the research overwhelmingly users came back and said: we really want to use these websites.

Matthew Magee: Abilitynet says that the problems could breach the Disability Discrimination Act, and that all are solvable by, for example, letting people email customer services to bypass the inaccessible registration process, or by making audio versions of it available.
But it's not all gloom. For those people who can make the services work they're proving useful in all sorts of innovative ways.

Kath Moonan: For example on Bebo there's lots and lots of deaf users use Bebo and it's because (a) that social network can [unclear] amongst that group of users but also because it's really easy to upload video contents so it means that you can share BSL information really. easily. BSL is British Sign Language video so you can basically video yourself, signing and upload it onto your profile.

Matthew Magee: So Bebo has proved how valuable these networks can be, if they just put a little more effort into accessibility.


That's all we have time for this week, thanks for listening.

Why not get in touch with OUT LAW radio? Do you know of a technology law story? We'd love to hear from you on radio@out law.com.

Make sure you tune in next week; for now, goodbye.

OUT LAW radio was produced and presented by Matthew Magee for international law firm Pinsent Masons

OUT-LAW Recommends

This week's podcast
Bribery law extended

Advert: Pinsent Masons works with forensic accountants to help you to manage the costs of litigation. Our approach is called Reaching Solutions.
OUT-LAW star: link to the home page
Disclaimer | Privacy | Site Map | Accessibility Logon
Disclaimer: This was printed from OUT-LAW.COM, a service of international law firm Pinsent Masons. We hope you find this content useful. However, please note that nothing in this document constitutes specific legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter. Any questions, please email info@out-law.com.