Future Prospects of “Potentially” Personal Information
Written by Alissa Cooper
The Internet has been abuzz in recent days (see the New York Times, Ars Technica, and the Google Public Policy Blog) with the question of whether Internet Protocol (IP) addresses collected by online companies should be considered as "personal data" (in European Union terminology) or "personally identifiable information" (in U.S. terminology) that can be used to identify an individual. A central issue in the debate is whether the same IP address is assigned to the same computer every time the computer connects to the Internet. Some ISPs use "static" IP addresses which are fixed over time, allowing all the Internet traffic generated by a particular computer on the network to be associated with the same IP address. Others use the Dynamic Host Configuration Protocol (DHCP) to assign "dynamic" addresses that change each time a computer connects to the network. Although there are other reasons why a computer’s IP address may change over time, DHCP is certainly one of the most prominent. Curiously absent from the discussion thus far has been the prospect of transitioning from our current IP addressing structure – known as IPv4 – to the next-generation IPv6 standard. IPv6 was developed over a decade ago to deal with several shortcomings of the IPv4 standard, most notably a potential shortage of IP addresses (only about one third of the original pool of useable IPv4 addresses remain available). One of the new features in IPv6 is known as "stateless autoconfiguration," which allows a computer to generate its own IP address and eliminates the need for DHCP. In some implementations of IPv6, the same computer will always generate the same IP address for itself, much in the same way that static IPv4 addresses remain consistent over time. Although not all implementations will necessarily operate this way, from a technical networking perspective there are many reasons why maintaining the same IP address over time may be attractive. Thus, as IPv6 is rolled out on a large scale – which it most certainly will be at some point down the line, perhaps as early as this year in China – it’s possible that many more Internet users will have static IP addresses, and thus many more IP addresses will be more easily relatable to individuals. This is surely important to keep in mind as we navigate future questions about IP addresses as personal data. The debate about the privacy of IP addresses is far from over. As our thinking on this issue evolves, we continually find ourselves coming back to the EU’s Article 29 Data Protection Working Party opinion on the concept of personal data, issued last summer. As perhaps the most thorough exploration to date of what "personal data" means in an online context, we recommend that anyone interested in this topic give it a close read.