Wednesday, January 23, 2008

On IP and PII: Merely the Location of a Computer? Non!

A recent AP article entitled "EU Official: IP Is Personal" shows that some people still don't understand, or are prepared to willfully misconstrue, one of the basic privacy concepts: personally identifiable information or PII.

On the one hand you have the head of the European Union's group of data privacy regulators stating that "IP addresses, string of numbers that identify computers on the Internet, should generally be regarded as personal information." He is correct.

On the other hand you have Google insisting that "an IP address merely identifies the location of a computer, not who the individual user is." Google is incorrect.

An IP address does not merely identify the location of a computer, just as your street address does not merely identify a physical location and your year of birth does not not merely identify a year. All someone needs is a few 'mere' facts about you and your identity can be established. That's why it is called personally identifiable information.

There are plenty of simple experiments you can conduct to prove this.

The one I like involves Wyoming. If you are looking for someone in Wyoming there is a good chance you can identify them with just a few pieces of data. Suppose the person you are looking for was born in 1960 but you have forgotten her name. You met her in graduate school. If you know that person's Zip code you can probably find their name. There just aren't that many women of that age in any particular Zip code of Wyoming, and if you factor in college education you will narrow it down even more.

(Note: I am not saying Wyoming is short on college-educated women; in this context that education is merely distinguishing data--it would work just as well if you know for sure the person does not have a college education, thus allowing you to exclude those who do).

And how would you do this search? Try Geoselector.With Geoselector you don't even need to know the Zip code. Just pick a point on the map and find all the people inside a specified radius that meet your demographic parameters. Warning: Doing this can feel a little creepy. And I am not, repeat not, suggesting that Geoselector is designed for stalking (and you cannot see the results unless you pay). This is just one way of showing how mere data adds up to a personal identity in the real world and not just in some academic argument.

While it is obvious that an IP address directly identifies a machine and not a person, it is entirely disingenuous of Google to make this distinction in the context of PII because Google would not be interested in the IP address if it did not relate to a person.

Up next, why Google's use of IP addresses can be counter-productive, even for Google. [See this post.]

1 comment:

  1. [...] in light of Google’s divergence from the norm as far as PII is concerned (see previous post On IP and PII: Merely the Location of a Computer? Non!). The debate over what exactly constitutes Personally Identifiable Information is not merely [...]

    ReplyDelete