back to article Google mounts Chewbacca defense in EU privacy debate

Over at The Official Google Rhetoric Blog, the world's largest search engine continues to muddle the debate over the privacy of IP addresses. As the European Union questions whether IP addresses should be considered "personal data" - "personally identifiable information" in American parlance - Google software engineer Alma …

COMMENTS

This topic is closed for new posts.
  1. Solomon Grundy
    Boffin

    Technical Clarification

    I'm no networking expert so if anyone of you could help me understand this I would really appreciate it.

    If IP addresses are dynamic how can people like the RIAA track downloads back to users? Wouldn't that mean that "I" might not be the person doing the downloading - that it could be someone else that at some point used the same IP address as me?

    If IP addresses are static why do ISP's charge more for the option.

    I just don't get it.

  2. Wayland Sothcott

    Back in Freeserve days...

    I noticed that I was sharing the same IP address as one of my friends who was posting on the same forum. The forum was using IP addresses to tackle a problem with people posting under different names. It seems that we were somehow running under some kind of NAT with Freeserve being our 'Router'.

    If you use a service like email which identifies you then at least that server knows what your dynamic IP was at that time. An authority with a large enough reach to be able to look at all logs from all servers would easiliy be able to trace your path.

    Remember you have nothing to fear if you have nothing to hide, yeah I recon!

  3. Anonymous Coward
    Coat

    We Define IP Addresses as PID

    ...in our [tinfoil/black helicopter] privacy policy. If we store it, we store PID.

    It's ludicrous to think of them as anything else.

    Glad to see Google has a sense of humor.

    BTW: my IP address is 10.216.5.90 ;)

    It's the one with "Vote for Pedro" on the back...

  4. Scott

    @Solomon Grundy

    The reason the R I Ass. A can 'track' you is when you get assigned an IP address it's time/date stamped in a log.... along with a bunch of other useful info.....

    So they say at time/date blah, this IP address STOLE OUR MUSIC!!!! and then go to the ISP and see that at time that little.old.granny@isp.com was connected with that IP address...

  5. Anonymous Coward
    Pirate

    So how does

    one fake an IP? Is it easier to do in IPv6?

  6. Chris C

    re: Technical Clarification

    ISPs typically keep logs of when their DHCP servers assign addresses, and to whom those addresses are assigned. The RIAA can they say "Who was IP address 1.2.3.4 assigned to on 2/23/2008 at 03:57:24 GMT?". Their query likely would not be as lucid, but you get the point. If the address was changed very close to that time, the true lessee may not be accurately known because of time differences. Unless the DHCP server and the system making the query are synchronized (to an NTP time server, for example), it may not be possible to tell who the lessee was. But I suspect it's unlikely that many queries will match this time-too-close-to-assignment scenario.

    As for why ISPs charge more for static IPs, it's because when they assign a static IP address to you, they cannot use it for anyone else. And just like you, your ISP has to pay for their block of IP addresses. If everyone is using dynamic addresses, it's not such a big deal because everyone will not be online at the same time, so the ISP can oversell the address space (much like high-speed internet [broadband] providers oversell their bandwidth by claiming "up to" excessively high speeds and then cutting off people who use those speeds consistently).

  7. Anonymous Coward
    Anonymous Coward

    So Google defends it's privacy invasion?

    If the IP address didn't identify the searcher there's no reason to keep it. It would be a random number not related to the surfer, but rather to a random selection of surfers now wouldn't it! Can't have it bother ways!

    But it's much worse than that. Google tracks IP addresses of searches, the searches they perform (which as we saw with the AOL dataset can be used on their own to identify a person), and the IP addresses of visitors to the adverts it serves up, and IP addresses of visitors to sites using it's Google analytics code.

    They have to clean up their damn act, there's far far too much data kept with spurious reasoning like this. What happens when USA decides it can help itself to Google's data? Nobody will use Google and it will be their own fault for not tackling the privacy problem earlier.

    Google quit defending this bad situation and think, how can we anonymize all this data to protect our users!?

  8. Seán

    Google bullshit

    If the IP meant nothing then why are they so damn keen on keeping the information.

  9. SImon Hobson Silver badge

    @ Solomon Grundy

    >>> If IP addresses are dynamic how can people like the RIAA track downloads back to users? Wouldn't that mean that "I" might not be the person doing the downloading - that it could be someone else that at some point used the same IP address as me?

    Normally, they will need to get the information from your ISP - if they have date & time, the ISP can tell from their logs who (ie account name) was using an IP address at the time. Most ISPs now will require a court order before they will release the information lest they be sued by the user for breaching the data protection act.

    >>> If IP addresses are static why do ISP's charge more for the option.

    Simply because they can ! In the ADSL world, there is no reason for dynamic addresses as the ratio of users to addresses is quite high with so many accounts permanently connected. In the days of dial up, it would be normal to have many times more users than you had IP addresses or dial-in ports for.

    Most ISPs simply figured out that they can get away with charging extra - quite frankly, an extra £5/mo for a fixed address (as some ISPs charge) is simply taking the wee-wee !

  10. This post has been deleted by its author

  11. Anonymous Coward
    Anonymous Coward

    Of course it's PID!

    I use Zen Internet as my home ISP and when I set it up requested an 8 IP Address block (it was free actually). Now, if you use netcraft.net or robtex.com to check any server or IP address in my network it defines the netblock owner as me - not Zen Internet - by name; that's pretty personal!

    Do a reverse DNS on IP address and you'll get my domain name which, when you do a whois, gives you my name and technical contact details....

    How can that not be personal??? Come on, Google...

  12. Adam Williamson

    George

    One can't, unless one wants all one's packets going elsewhere (which isn't very helpful). What one can do is use a proxy, or a series of anonymizing proxies - like TOR - so that no can trace back through the chain to the actual originating IP address.

  13. Dave

    Longevity of IP Addresses

    Since I got my first dial-up account with Demon back in their first year, I've had exactly two static IPs with them, the switch-over occurring when I moved to broadband. That's a pretty personal piece of information. I also get to use a cable feed, so there's a dynamic one thrown in as well, but that's probably changed less than half a dozen times in at least that many years, so it's also fairly consistent and identifiable as me.

  14. Gilbert Wham

    @George Schultz

    "So how doesone fake an IP? Is it easier to do in IPv6?"

    http://anonymityanywhere.com/

  15. Anigel

    Clarifications.

    Dynamic IPs are not actually that dynamic. In this day and age of routers and cable modems, you keep the same dynamic IP addreses unless you leave the power off on your router / cable modem at the time the lease on the IP address runs out. Depending on the ISP's config the lease can last for days or hours. I personally have had the same Dynamic IP for well over a year. If you are on old skool dialup then you normally got a different IP every time you dialed in but in most cases now the same ip address shared by many people in the same day / week doe snot happen anywhere near as frequently as it used to.

    As for ISPs having to pay for IP addresses, well actually no they dont. There is an administration fee for each new assignment and there is the time taken to fill out the RIPE form showing justification for why a tiny company needs 10 million IP addresses (mainly to try and make the dwindling pool of IPv4 addresses last) but there is no X pound per IP fee imposed onto ISPs

  16. E
    Black Helicopters

    PID Aggregation

    "What happens when USA decides it can help itself to Google's data?"

    You mean like how they use ChoicePoint, et al., to slide around the Privacy Act?

    "Well, no, it's the *government's* system of records, it's a corporate database. They're not burdened with, er, covered under 552a USC, so don't have the same notification requirements... we're just another (biggest) customer."

    Kind of stomach turning how they weasel around the spirit of the law.

  17. Alex Howells
    Stop

    @Anigel

    As for ISPs having to pay for IP addresses, well actually no they dont. There is an administration fee for each new assignment and there is the time taken to fill out the RIPE form showing justification for why a tiny company needs 10 million IP addresses (mainly to try and make the dwindling pool of IPv4 addresses last) but there is no X pound per IP fee imposed onto ISPs

    ^^ That's not entirely correct: you must factor in the administration fee for each new assignment, the staff time to ensure IP ranges are administratively accountable in case RIPE wants to check you're actually using it. Expensive!

    Additionally you have an annual RIPE membership fee to pay - this amount is based on how 'big' (network wise) an organization you are, some of the factors taken into account when determining size are IPv4 allocations, IPv6 allocations and the number of AS numbers you're using for your network. :)

  18. Pierre
    Coat

    Tor or similar onion-type scheme can help

    But still. IP is actually the ONLY REAL personal ID you've got on the net. Not only personal, but the bloody only real personal reliable thing (unless you deliberately choose to show your "real" id in other ways, but that's up to you and therefore not really reliable...).

    You can change name and street adress. Most people share their street adress (and sometimes even their name) with others. So that's not personnal info. Right?

    Googlicious really. Are they trying to steal Microsoft's "world most hated corporation" title? More chair throwing to come I guess...

  19. Pierre
    Unhappy

    btw (@gilbert)

    The anonymityanywhere and other tor-based solutions do NOT provide absolute safety. Unless you use them from a totally free-access computer, far enough from any safety cam, that allows you to reboot it AND that boots from an external medium. Tell me if you find one.

    Also, to be safe, you won't want to log in any account that could be linked to you during your session. Which makes it quite useless actually.

  20. Anonymous Coward
    Paris Hilton

    privacy through idiocy?

    ironically then, it would seem that the best option (at least as far as muddying the IP waters goes) would be for all of us to use wifi on open routers. that way all that 'big brother' can prove was that 'someone' within wifi range of your router downloaded *whatever*

    BTW - why the 'chewbacca defence'?

    ----

    paris coz sometimes it pays to play dumb

  21. James Shepherd

    2 me, logically...

    ... recording my ip address is like recording my face on CCTV when I enter a shopping mall. Assuming my face is recorded when I'm at the till, then once could connect lots of info on me, including credit card number.

    What are the rules on CCTV? Are they sensible in this case?

  22. Anonymous Coward
    Anonymous Coward

    IP addresses are not personal identification

    IP addresses combines with a timestamp totally are however.

  23. Anonymous Coward
    Coat

    Dont use Google

    People wonder dont use google, and never say google it like people seem to be doing these days

    Google need to do searching on IP, etc as they seem to think that everyone is on a Dynamic IP and it cant be traced back to you

    these days Dynamic IP's aren't really Dynamic due to most people getting wireless routers that are connected 24/7 or on DSL modem but keep connecting with the lease time

    saying that all the time i have had ADSL i have had a static IP are no Extra charge, in fact the ISP am with now i can 4 or 8 IP's for free (cant remember if its 4 or 8)

    There is no reason for ISP's to charge for Static IP's

    one way not worry about googles data is not to use google, in fact the more people stop using it then more it might think about changing the way its stores the data, who knows

    Mines the one that says 'Dont Google it, Yahoo, altavista, etc it' on the back

  24. Andy Barber
    Unhappy

    What is...

    ... the Chewbacca defense?

  25. Anonymous Coward
    Alert

    Complete and UTTER NONSENSE

    "Yes, it's all true. Your IP address can change. "

    Wrong. It may be true for SOME people but for others the IP address will remain constant for months or even years.

    Besides, what has the ABILITY to change got to do with the price of eggs? I can change my home address, but while I'm living in it my home address is still very definitely personal information. Even if I share it with somebody else. And it remains personal information about ME, even when I stop living there. Its part of my personal information history.

    I could change my name (and if I was female, I probably would at least once) -- but any name I use or have ever used is part of my personal information.

    Equally, anything I've ever done in my life is personal information -- and even if I stop doing it, what I've done is still personal information.

    So stop talking nonsense and admit that IP adresses are without any shadow of doubt personal information.

  26. Anonymous Coward
    Anonymous Coward

    By using anonymous proxy

    Your IP is their IP and they don't save yours to begin with so no knows see.Tor, Bluecoat, Squid cache are proxy servers all kinds of things can be done with caches just ask Google. So when did you access the file becomes less and less certain which means among other things the IP address your ISP has assigned you temporarily is less discoverable.Slippery bastards thinking of this shit.

  27. Steven Knox
    Black Helicopters

    Actually, IP Addresses are NOT PID...

    ...but they are being treated as such by the courts, and THAT's the problem.

    IP Addresses identify a node on a network. When combined with ISP logs and accurate date/time information, they may even be able to identify an account with which that node is associated. But they DON'T indicate in any way what individual is using that node (or indeed, how that node was accessed.)

    The only consistent way to handle IP addresses would be to mark them as non-personal data AND make it illegal for any entity (public or private) to in any way claim that they do indentify an indivual.

    So what are the odds we get logically consistent action from a goverment?

  28. Anonymous Coward
    Anonymous Coward

    altenative to google ?

    So let's say I would like to stop using google.

    What are the alternatives ?

    Yahoo ? I don't think they are much better.

    Alta vista ?

    any solid recomendations for search engines ?

    thanks

  29. Lou Gosselin

    Some day ISPs will sell *dynamic* ip addresses, seriously

    The fact is that the IP address is the most effective UID for the household.

    It's more effective than cookies, since those can be deleted and can't track users having more than one computer. The two in conjunction reveals even more information and becomes more reliable.

    All web sites are capable of this and it is nothing new. The scary part comes when someone comes along and collects all this information into a giant central database, such as google's, so that users can be identified across distinct sites.

    The privacy concerns come not (so much) because of data collected collected by google through explicit submission like 'search' or 'gmail', as this are optional services. Instead the real concerns are from collecting this information across millions of sites (think 'google analytics' and 'doubleclick') without user knowledge or consent, even those deliberately avoiding google.

    The google maps service can give away user geography if a merchant site has a "find a store" feature that passes the users geography back to google. The user probably did not intend or realize that google got the information when locating the store.

    The pressure is clearly there for google to merge data from all these services (by IP and cookies). It paints a very detailed profile of the household, which is obviously personally identifiable, and there is no point in refuting it unless it's a PR stunt. Some people don't care one bit even if google can read their email (gmail), and that's fine. However what about people who never signed up for the Google-Boat(tm).

  30. JimC

    > Chewbacca defense

    Its googleable. It appears to relate to some kind of TV show. AIUI it eans thata lawyer spouts utter nonsense and claims it makes their client innocent. The distinction between that and normal lawyering is bit subtle fo me to understand.

  31. Nick Palmer
    Happy

    @Andy Barber

    http://en.wikipedia.org/wiki/Chewbacca_defense

    "Look at the monkey! Look at the silly monkey!"

  32. Sartorius
    Coat

    "None of this makes sense!"

    GIYF

    http://www.google.co.uk/search?q=Chewbacca+defense&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-GB:official&client=firefox-a

    Grabbing anorak ....

  33. Anonymous Coward
    Anonymous Coward

    Dynamic IPs

    A bit off topic, but:

    I was trying to setup an VPN with one of my friends, he has Tiscali broadband. He has a USB modem and dials up as and when required, I have fixed IP. We had a total nightmare, because every time he hung up (auto hangup after a couple of mins with no activity) and re-connected he got a new IP. We did a bit of an experiment - connecting and disconnecting several times in five mins and he got a different IP each time.

    I wonder if this is to enable them to charge of fixed IP, or just a tiny lease time and a small ammount of IPs meaning that they have to give a new IP each time?

  34. Anonymous Coward
    Boffin

    Chewbacca Defense...

    Let the Wookie win....

  35. KenBW2
    Thumb Down

    Seems pretty PID to me

    As someone who uses stats on my site, I manage to pin names to IP adresses that come to my site. Seems pretty identifiable to me...

  36. Jach

    Hmmm

    http://www.danasoft.com/ See how insecure you are while browsing any website...

    Given a phone number, which is just about the same thing as an IP address, one can find all sorts of useful information about an individual, and the phone companies keep logs of conversations. But you can always get your phone number to be unlisted, just like you can use a proxy or some other device to hide your IP online. The numbers might identify some personal information about the ones using them, but I don't think that the numbers themselves are personal.

  37. system

    Bad move.

    IPs have long been stored in all kinds of places. HTTPd log files, email headers, databases, firewalls, DNSBLs etc. If they are suddenly classed as personal information, we'll have to consider data protection laws anytime we want to firewall some asshat who likes attacking our servers. If you want to share your banlist with others, you'd better make sure you have permission from those who are on it first.

    Yes, it's a bad thing if google are combining IP lists with data from every single website using analytics code (including certain torrent sites of all places), but they will be targetting more than just google if they class IPs as PID.

    If IPs can reliably identify a person, then I expect to see someone locked up for "hacking" everytime my servers pick up an SSH brute force attempt. Those looking for compensation because of slander on the net should be able to sue the owner of the IP. Anyone caught participating in a botnet (because IPs apparently identify people and not code) should be banned from ever owning a computer.

    Obviously, the above examples are ridiculous, because an IP is not enough to identify a person. I use an 8 IP block for my home connection, and you still couldn't identify which of my family was using a certain IP, despite the IPs being fixed and every person having their own.

  38. Anon

    "Ladies and gentlemen, this is Chewbacca...."

    http://vids.myspace.com/index.cfm?fuseaction=vids.individual&videoID=2032664380

  39. Anonymous Coward
    Flame

    google does as it pleases

    F**k the legalities, or lack thereof, they're currently the 350 kilo gorilla at the moment... They'll use the legal card when it works to their benefit and then they'll plead ignorance, or my personal favorite, "shareholder equity" when the law gets in their way... Anybody remember the Yahoo! collusion with the government of the PRC and the gentleman who's rotting in a Chinese jail?

    Personally, I'm tired of the likes of Google, Yahoo, eBay, doubleclick, 2o7, and all the other bastards who claim privacy advocacy but they're just sticking it to us behind our backs.

  40. Anonymous Coward
    Anonymous Coward

    @anon

    google is still the best functioning search engine IMHO. if you're bothered about them harvesting your IP, do your 'googling' through a proxy site

  41. Gabor Laszlo
    Black Helicopters

    anon proxy

    Depends how paranoid you are. If you _really_ want to go stealth, buy a used wifi laptop, slap Tinfoil Hat Linux on it, browse only with FFox+AdBlock+NoScript+JAP, create a hushmail account and only go online through open relays. It's perfectly doable, but not very practical.

  42. Ian Peters

    Since i've had Broadband

    I've had same IP address even though i do not have a static IP. When i was on dial up, i always got a different IP.

    My connection has a contention of 50 so i am guessing that that the 49 other users also have the same IP and that we are behind a NAT router.

  43. Alex
    Alien

    its not just the site your looking at

    if you don't hit "log out" of anything you are logged in as then that original site can be collecting data of your web usage, google have a great new tool that was automatically enabled on my gmail account called "Web history", there is the option to turn it off, which I did....

    ...I wonder if that turned it off or just disables the control panel?

    ...hal, is that you?

    ...hal? can you hear me??

    apparently google are also watching you as you sleep.

  44. Dr. Mouse

    RE: Chewbacca Defense

    The Chewbacca defense was shown in South Park, used by a high paid lawyer in the case of the record industry versus Chef. Chef wanted to be acknowledged for his earlier work, a song called "Stinky Breeches", which was being sung by Alanis Morrisette. The boss of the record company has him sued. The lawyer argues "Why would Chewbacca, a 6-foot wookie, live on Endor with the Ewoks? It does not make sense! Why am I arguing about Chewbacca when a mans life is at stake? It does not make sense! if it does not make sense, you must find in favour of my client!"

    Put simply, it was all about confusing a jury, bamboozling the stupid people who weren't even smart enough to get out of jury duty.

    Anyway, back to the real topic in hand, Google's argument doesnt make sense in todays day and age. A broadband supplier must have enough IPs for all customers, as it is an "Always On (tm)" connection. The only reason they dont supply free static IPs is that they CAN charge for them. An IP address does, for the majority of people, identify them, as their IP is unlikely to change for weeks, if not months or even years. Also the number of people with static IPs is increasing, and they are then definately uniquely identifiable. Unless of course someone is using an anonymising technique. But why should it be up to the user to anonymise their IP?

    Also, if the EU find in Googles favour, that throws a lot of the record industries techniques out of the window. If the EU say it is not a unique ID of the user, how then can the record indistry say "Your IP downloaded this file, I'm gonna sue you"? For this reason I hope that the EU makes the stupid descision on this one.

  45. Dan
    Stop

    Dynamic IPs

    IP addresses don't change these days. As stated in other comments, if you have 24x7 connection then it retains the IP address. Even when the address ages, well before expiry the server checks to see if the client still requires the address. If so, the lease is renewed, and NO OTHER NODE EVEN GETS A LOOK IN. Therefore, you could keep the same address for years. Hell, depending on the lease period set by the ISP, this can even happen on dialup, assuming the user signs on with sufficient frequency to respond affirmatively to the renewal requests.

  46. Anonymous Coward
    Black Helicopters

    re: its not just the site your looking at

    Apparently

    "To add the pages you visit to your web history, you'll need to install the Google Toolbar."

    So don't add Google modifications to your browser, and you're safe from that particular problem.

  47. Anonymous Coward
    Anonymous Coward

    Googling safely

    http://www.scroogle.org/scraper.html

    Consider a donation.

  48. Karl Lattimer

    chewbacca defense

    http://en.wikipedia.org/wiki/Chewbacca_defense

    the wikipedia article is useful :)

  49. Sartorius
    Go

    These are not the Answers you are looking for

    http://en.wikipedia.org/wiki/Search_engines

    http://www.readwriteweb.com/archives/top_100_alternative_search_engines.php

    They think it's all over .....

    http://www.shibumi.org/eoti.htm

    It is now.

  50. John A Blackley

    Aggregated data

    IP address, plus timestamp plus account id - aggregated together - are assumed, by the court system, to be PID. The assumption is based on another assumption - that you and only you were using your account id and password, from that IP address, at that time.

    And we all know what happens when you assume.

  51. Tim Robson
    Boffin

    @ Dynamic IPs

    >>IP addresses don't change these days. As stated in other comments, if you have 24x7 connection then it retains the IP address. Even when the address ages, well before expiry the server checks to see if the client still requires the address. If so, the lease is renewed, and NO OTHER NODE EVEN GETS A LOOK IN. Therefore, you could keep the same address for years. Hell, depending on the lease period set by the ISP, this can even happen on dialup, assuming the user signs on with sufficient frequency to respond affirmatively to the renewal requests.

    Not entirely true. There is a packet called a DHCP release packet which a client sends to the server to relinquish the IP and cancel the remaining lease time. So, for Dial-up, part of the disconnect process involved the computer at the other end of the phone line sending a message saying that it no longer needed that address.

    In addition, it is possible for a provider to temporarily blacklist an IP address just to keep people from having a truly static IP. For example, my old cable modem used to do this every three months- knowing what I know now, the provider seemed to just toss a handful of addresses onto its exclusion list every now and then, effectively forcing those connections that corresponded to the exclusion list to get new addresses when their leases expired. To balance this, all they would have to do is pull the ones that were on the exclusion list before when they put the new ones on.

    Voila, you're forced to get a new address every so often.

  52. Anonymous Coward
    Anonymous Coward

    RE: Aggregated data

    Assumption is the mother of all f***ups

  53. Anonymous Coward
    Alien

    I have a bad feeling about this.

    The Force is strong in this one, let's try the Google Ray Blaster!

This topic is closed for new posts.

Other stories you might like