Since we specialize in DNS, DHCP, and IPAM, BlueCat tends to get a lot of questions about data protection. Managing and securing basic network services involves handling information which could reveal a lot about an individual or a company.
Many of our customer questions boil down to whether internet protocol (IP) addresses constitute Personally Identifiable Information (PII). The legal boundaries and technical requirements involved in safeguarding PII are relatively clear. The association with general data protection regulation causes many to lump IP address information into this category by default. But does it truly belong there?
Sadly, there appears to be no consensus about whether IP address information constitutes PII or not.
What's in an IP?
By itself, an IP address merely indicates which computer sent a query, which is not very useful if you don’t know where that computer is and who’s using it. Only when correlated with information like user logs, query patterns, and other contextual information does the picture become clearer. Even then, proxy servers and VPNs can be used to throw trackers off the scent. DHCP also re-assigns IP addresses frequently, making it difficult to track a single computer or user over time. So does an IP address act as an online identifier or contain your personal information?
This was the logic behind a 2009 court ruling in Johnson v. Microsoft. The judge declined to provide PII-level protection for IP addresses by themselves. The ruling states that “[in] order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer.”
Yet not everyone agrees that this is the end of the story. Recent guidance from the FTC is more nuanced, saying “we regard data as ‘personally identifiable,’ and thus warranting privacy protections when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.” A 2008 court ruling in New Jersey agreed that the bar for correlation of IP addresses with other data sources was so low that IP address information forms part of the “reasonable expectation of privacy” users are entitled to when using a commercial ISP.
And then there’s Europe. The EU’s Directive on personal data has a broader scope, defining PII as data which can identify an individual “directly or indirectly”. This raises the question of how the term “indirectly” would be applied. In 2016, the Court of Justice of the European Union provided an answer, ruling in Breyer v. Germany that IP addresses can be considered PII in certain circumstances.
The case was brought against an ISP, and the court ruled that the company had enough correlating data at its disposal to make an IP address de facto PII for any of its customers. The court limited its ruling, saying that with just an IP address alone, the protections associated with the Directive wouldn’t apply. This essentially splits the difference in the same way that US courts have ruled.
What about compliance?
All of this nuance isn’t very helpful for compliance officers and network engineers, both of whom are used to dealing with more concrete standards. Many engineers and officers default to the stricter PII privacy standards for IP address information simply because they’re easier to navigate and provide clear guidance.
At BlueCat, we strive to protect IP address information while using it in the service of network security and efficient management. BlueCat customers assign a wide variety of controls and restrictions to IP address information. Our software has complied with these requirements even as they shift beneath our feet. Our enterprise-level DNS platforms protect IP address information through anonymization, encryption, and restricted forms of access. These methods ensure that however your organization views IP address information – PII or not – the data remain well-protected.