back to article IP addresses in server logs not personal data: Ruling

A German court has ruled that website operators are allowed to store the internet protocol (IP) addresses of their visitors without violating data protection legislation. Without additional information, IP addresses do not count as personal data, it said. The issue has never been tested in a UK court but the view of the German …


This topic is closed for new posts.
  1. John
    Paris Hilton

    I'd like to know..

    Oh, so my static IP address that is locked onto my account and subsequently my landline's adsl isn't capable of identifying me personally or my shopping/browsing habits... I was worried for a minute...

    Paris because her homemovie making bears a striking resemblance to my browsing habits. (I will download and take a look, or cheggit out .. wonder if anyone will 'get' that ;))

  2. Simon

    I partly agree...

    ... with the ruling but a few points to make.

    1 - like BT and the Phorm debacle an ISP can pretty much, without legal backing, use this type of data for other uses.

    2 - what and internal marketing that the ISP may do i.e. profile their customers

    3 - Dyanmic IPs, in my experience, dont necessarily change each time you connect, especially with the advent of home broadband where the router at the punters location connects to the ISP and keeps the connection live for days/weeks/months. (Mine is slightly different cos I turn mine off when I am not using it to make sure that no-one can jump onto my WiFi, WEP/WAP/Whatever I dont trust it - paranoid? Yes....) So what to do with thes "semi-static" IP's?

    4 - Illegal gaining of this information is highly possible. Without adequate precautions by the ISP, anyone into a bit of industrial esponage or just wanting to make a quick buck could put a LOT of info on a usb key (or similar)

    Apart from that, I agree with the ruling and see it as, generally, fair. If the ISP wants to track things like "dont massively download on your 'unlimited' package" or "dont download illegal stuff" then that is up to them as long as its defined nicely in their T&C's and the punter can choose to be bound by those rules or not - as should be the notification that this info IS stored and WILL NOT be used for anything else blah blah blah. Dont try and hide it, that will just rile people. If you make it clear people can make the choice if they want to live with it or not, you may be suprised!

    Meh.... whatever!

    Aliens cos like big brother... they are watching us!

  3. Anonymous Coward
    Thumb Up

    Great News!!

    It seems our German courts are beginning to see sense in the privacy field.

    This is superb news.

    I have always wondered how nutters see an IP address as 'personal'. Obviously with other information it can contribute to assisting in identification, but so can your urine in the public toilet - yet you pissed that away without concern for your privacy!

    We all know it (your piss) could be used to identify you if somebody put their mind to it and had sufficient background information, time, and money.

  4. Anonymous Coward


    so my phone number cant be personal data either then as some times i phone from work and that number could be one of many people but when i phone from home its static just as my ip address is.

  5. Col

    Urine denial

    The difference is that your pee isn't being sampled and stored every time you flush.

  6. Anonymous Coward
    Anonymous Coward

    It's not hard to track dynamic addresses

    If a website sets a cookie when I visit and records my IP address each time I visit, the owners of that website can easily track changes in my dynamic IP address over time - so they can link together all my visits to their site (assuming I use the same computer, user account on that computer and the same browser and also assuming I haven't disabled cookies).

    Hence owners of well used websites (e.g. search engines, webmail sites, news sites, blog sites etc) can build up a history of my dynamic IP addresses over time. And let's face it, your dynamic IP address can only change after disconnect/reconnect, and most ISPs use DNS leases that mean you get the same IP address on reconnect anyway - but possibly forcing a change periodically so you have to pay extra for a static IP if you want to run services from your home connection.

    So we have lots of different organisations who potentially have a complete (or mostly complete) picture of my dynamic addresses, and who are allowed to share this information - neatly making it more accurate as they increase the information known about you as they share it with each other.

    This means the difference between static and dynamic IPs is very small in terms of privacy, and hence there really should be no legal difference ascribed to the protection afforded for either.

  7. Gulfie

    As if...

    All you need are a few cookies and bob's your uncle. Or Bob ist Ihr Onkel as they say in Germany...

  8. Sarah Bee (Written by Reg staff)

    Re: Urine denial

    Well, NOT YET IT'S NOT.

    It had to be done. And it had to be done by me, too.

  9. Ash
    Black Helicopters

    Not a problem


    Bob's my uncle, and he's watching me browse.

  10. Anonymous Coward
    Anonymous Coward

    So ...

    Does this mean that the MPAA/RIAA and their European cousins have no way of linking a download to any particular user ?

    Either it links you to the service (identifiably) or it doesn't.

    Which is it ?

  11. Tom

    personal information

    IP address alone maybe not. I don't see a problem with a typical web server log as long as they don't plan to keep it beyond the time it's useful to manage the web server.

    But add a cookie and you have more info, log on to an account and they have more, buy something and they know who you are.

    Do you really think that Google will not be tempted to take your IP address and link it with your cookie + gmail logon + google checkout + all your search data?

  12. Justabloke
    Thumb Down

    I guess an IP address isn't personal

    in the same way that [42 + <postcode>] isn't personal... both can still be used to bring you to my door.

  13. Tezfair


    "Investigators tracked the alirla account to Brown using the internet protocol address for his home computer."

    ...and they say you can't be tracked hahahahahaha

  14. stranger on the road

    IP address is as personal as your car plate number

    and that is a fact, get over it

    if someone track your car plate number they will know which shop you visited, but they will not know what you actually bought. They will know that you went to the liberally but they will have no idea what you searched for. Only the people in the place you visited will know what you did, people outside will have no idea. The same apply to your IP address.

    P.S. your account with the shop you visited (or credit card number) is the equivalent to your cookie. It doesn't matter what car/transportation you use, as long as you use the same credit card number, you are in books. But unlike your cookie you can't just delete then replace your credit cards. (are you still with me?)

  15. F Cage

    So static is better?

    So having a static IP address, and therefore personally identifiable via a whois, means they're not allowed to keep a record of a web access.

  16. Anonymous Coward
    Anonymous Coward

    No it's not personally identifying data

    Neither are the letters of your name of the letters and numbers in your home address. The problem is that the sum total of the data stored is entirely personally identifying.

    Next time someone should take a case that the IP address and timestamp together are personal data.

  17. Anonymous Coward
    Anonymous Coward

    No one is guaranteed anonymity online

    Why would anyone expect anonymity when going online? Are people really that clueless? Do people really believe they can hide behind their PC monitor? If so I have some ocean front property in Arizona that I will sell for a very reasonable price.

  18. James

    Possible to track is another matter

    Much like a drop of blood, really: it's possible for relevant authorities to track down the owner of a drop of blood by DNA fingerprinting, but if I see a drop of blood on the pavement outside, it could be anybody's. An e-mail address, like a telephone number, can actually be used to contact you without additional information - an IP address, like a car registration number, cannot.

    The clown who brought this case whining about a website logging visitors' IP addresses - like virtually every web server on earth has done since HTTP was invented - really needs a beating with the cluestick. If he really wants to keep his IP address secret, he should switch to using an address in the range and leave those of us in the real world to communicate sensibly.

  19. Ken Hagan Gold badge

    Some proportion, please

    I'd like to see a functional network stack that didn't remember the IP address it was supposed to reply to. Clearly the server has to retain the IP address somewhere for some period of time. Retaining it for longer makes sense if it helps the server operators with things like intrusion tracking, or if it helps law enforcement (suitably warranted) track other misdeeds. As long as the information is not phormed off into a larger dataset, it is no more a breach of your privacy than me remembering that I saw you in the street the other day.

    That's pretty much what the judge said. IP addresses alone do not identify you without some subsequent investigative work. As long as *that* is restricted by some legal framework, there's no problem here. Perhaps Phorm and similar mischief has left us over-sensitive on this point.

  20. Anonymous Coward
    Paris Hilton

    German justice...

    ...has clearly taken a turn for the würst.

    Paris 'cos she surely loves a bit of Knabberspaβ!!

  21. Pali Gap

    Do you think your email address is "personal data"? Wrong! (probably...)

    I have a written ruling from the Information Commissioner that an email address is NOT personal data (unless the part before the domain name is your exact name e.g.

    So MOST email addresses do not count as personal data and can be harvested and abused at will.

    Counter-intuitive? Welcome to the new scholasticism of the ICO! ("How many angels can dance on the head of a pin"). They're confused; We're confused; The bad guys run rings around them.

This topic is closed for new posts.

Other stories you might like