Ip Addresses and Anonymity Online
November 1, 2010
In September, the Swiss Federal Court ruled that an anti-piracy company in Switzerland, Logistep, must cease collecting the IP addresses of users sharing files on peer-to-peer networks.
IP addresses are used to route communications between computers connected to the internet, and could be said to work in a similar way to postcodes. A number of companies have previously engaged in the practice of tracking file sharers by their IP address, hoping to discourage piracy online, but the Swiss Court found that these details are personal information, and given that the data is generally collected without the consent or knowledge of the users this is in breach of privacy legislation.
It is important to note that this is not the final word on the matter, and that some jurisdictions disagree with this view, for example both Irish and French courts have in the past ruled that IP addresses are not necessarily personal information. Consensus will involve considerable collaboration on an international level, and when reached may have a significant impact on the way people use the web.
Your IP address on its own does not identify you, and in order to match an IP address to a particular internet connection it is generally necessary to obtain a court order forcing the relevant ISP to hand over the information. On the other hand, there are a variety of techniques which, in some cases, can shed a little light on the identity of a user from their IP address. These are for the most part more effective at identifying larger organisations, who may have been allocated a block of IP addresses, and so be identifiable through RIPE (one of five Regional Internet Registries) or by using similar methods. Other less accurate methods include geolocation, using online databases such as IP2Location. These approaches are often unreliable, and even where it is possible to identify a particular internet connection, it is not certain who was responsible for activity online as many different people might be using the same IP address by routing their communication through the same connection via a wireless network. It will be interesting to see how this issue is dealt with in future, as many more cases are likely to arise where connecting an IP address to a particular person is central to the outcome.
This is just one of a whole host of issues that have arisen in relation to online identity, which is of growing concern as people submit more and more personal information to social networks like Facebook, and as businesses pay more attention to their reputation on the internet.
On a related note, it is not just an IP address that can connect a person to activity online. Users of membership sites such as Twitter or YouTube are distinguished by their username – which they choose themselves, and which do not need to be their real name. Perceived by some as a significant problem with material online, much of it is posted anonymously using pseudonyms. If you find defamatory content online, there is more often than not no quick way to identify the culprit. In such cases, recourse to the courts is the only option; recently a US court ordered Google to release information connected with the identities of two YouTube users who had posted videos of a business consultant without permission, and incorporating offensive remarks about her. If cases like these are successful and well publicised, internet users may become more cautious when making comments online.
Finally, another issue bringing online anonymity into the spotlight recently is the offensive launched by the group Anonymous against proponents of intellectual property, called Operation Payback. The group have claimed responsibility for the bringing down of a range of websites including the UK Intellectual Property Office. One of the principal difficulties in identifying those who are culpable for the attacks lies in differentiating malicious connections from honest ones. The attacks are classed as distributed denial of service (DDoS), and rely on huge volumes of users connecting to the target website at once to overload it – finding out which connections are bona fide is far from a straightforward task.
There is a tension between protecting the privacy of internet users and enabling law enforcement online, and this debate is likely to rage on for the foreseeable future, so we plan to keep our eyes peeled.