IP Addresses, Privacy and the GDPR

It’s well-known that the General Data Protection Regulation says that IP addresses should be treated as personal data because they can be used to single out individuals for different treatment, even if not to actually identify them. In fact – as most organisations and network providers implement proxies, Network Address Translation (NAT) and other technologies to squeeze more networked devices into the finite and largely exhausted pool of IPv4 addresses – education institutions that benefitted from the generous address space allocations in the 1980s and 1990s may be one of the few places where that’s still true. Certainly, advertisers long ago stopped believing that a single IP address was associated with a single individual. For their targeting, they use cookies, browser fingerprinting and other much more effective techniques to track unique individuals.

Fortunately, having declared IP addresses to be personal data, the European ePrivacy Directive and draft ePrivacy Regulation both state that processing these addresses is an acceptable activity for those operating networks. Without this, the mere act of transmitting an IP packet containing source and destination addresses would be legally problematic! And those identifiers are very unlikely to be the biggest privacy risk that Internet users face. However, it’s still worth considering whether there are services we can offer our users, or ways we can design our networks, that can provide improved privacy safeguards for those who want them.

For example, reducing the period for which a workstation keeps the same IP address may reduce the possibilities for long-term tracking (non-sticky DHCP and IPv6 privacy extensions may be things to consider here; RFCs 4864, 7721 and 8065 have a more detailed discussion for IPv6). Routing traffic through a proxy or NAT device will mean that different users’ activities can no longer be singled out by source IP address alone. Tracking using application-layer techniques such as cookies will be unaffected by such measures, though, so privacy-sensitive users or activities need to be helped at those levels as well as, and probably before, relying on network configurations.
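To make the IPv6 point concrete, the following added example (not part of the original post) audits a list of addresses for interface identifiers built from the hardware MAC address in modified EUI-64 form, the stable kind that stays the same when a device moves between networks. The function names are hypothetical and the sample addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: one device seen on two networks, plus one opaque address.
SAMPLE = [
    "2001:db8:1:1:211:22ff:fe33:4455",
    "2001:db8:2:7:211:22ff:fe33:4455",
    "2001:db8:1:1:a1b2:c3d4:e5f6:789",
]

def classify_iid(addr):
    """Report whether the low 64 bits look like a MAC-derived (modified EUI-64) IID."""
    ip = ipaddress.IPv6Address(addr)
    iid = ip.packed[8:]
    # Modified EUI-64 inserts ff:fe between the two halves of the MAC and
    # inverts the universal/local bit (0x02) of the first octet.
    # A random IID matches this pattern by chance about 1 time in 65536.
    if iid[3:5] == b"\xff\xfe":
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
        return {"address": str(ip), "kind": "eui64",
                "mac": ":".join(f"{b:02x}" for b in mac)}
    return {"address": str(ip), "kind": "opaque", "mac": None}

def stable_across_prefixes(addrs):
    """Map each recovered MAC to the /64 networks it appeared in, if more than one."""
    seen = defaultdict(set)
    for addr in addrs:
        info = classify_iid(addr)
        if info["kind"] == "eui64":
            net = ipaddress.IPv6Interface(f"{info['address']}/64").network
            seen[info["mac"]].add(str(net))
    return {mac: sorted(nets) for mac, nets in seen.items() if len(nets) > 1}

if __name__ == "__main__":
    for a in SAMPLE:
        print(classify_iid(a))
    print(stable_across_prefixes(SAMPLE))
```

Addresses reported as `opaque` may still be stable for other reasons (manual configuration, DHCPv6 reservations), so this check only finds the MAC-derived case.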

All of these options are likely to involve trade-offs. Changing IP addresses may break some old-fashioned authentication systems; middleboxes such as proxies and NATs break the end-to-end principle and thereby put some limits on your ability to send any packet to any destination. Vendors do a pretty good job of keeping up with complex innovative protocols (see VoIP, gaming, etc.) but these options may not be enabled automatically.

And few of them can eliminate the possibility of tracking: most just move that capability around. As I discovered 20 years ago when introducing the first web cache in Wales (anyone who can beat 1996 is welcome to get in touch), routing your traffic through any kind of proxy, NAT or VPN may make it a little harder for websites to track your activities but it makes it much easier for the proxy operator to do so. Ultimately, if you want to receive responses to the communications you send to the Internet, then there has to be someone out there who knows where to find you. The best you can do is make sure that is someone you trust.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
