Can I ask you a personal question? What is your computer's IP address?

Posted on September 22, 2010 by Brendon Tavelli

In a September 8, 2010 opinion, Switzerland’s highest court announced that Internet Protocol (IP) addresses are personal information protected by the country’s data protection laws. The Swiss Federal Supreme Court’s ruling in In re Logistep AG, BGer, No. 1C-285/2009, 1C_295/2009, 9/8/10, adds to the longstanding debate over whether such information is personal information despite the fact that a single IP address can be attributed to more than one computer user. While the debate is far from over, the Logistep decision makes clear that businesses collecting information about individuals’ Internet activities, particularly those with operations in Europe, must treat IP addresses with care, as they may be protected by privacy laws in some jurisdictions.

The Logistep case involved a service provider that collected information about peer-to-peer filing sharing activity and sold this information to copyright holders who used it to identify and sue potential copyright infringers. In January 2008, Switzerland’s data protection authorities (FDCIP) asked Logistep to stop its peer-to-peer monitoring activities. The FDCIP alleged that Logistep’s activities violated the Swiss Data Protection Act since they were unknown to computer users and circumvented certain telecommunications privacy rights that could only be waived in criminal proceedings. Logistep ignored the FDCIP’s request, and quickly became the subject of an FDCIP enforcement action. The administrative court overseeing the FDCIP’s enforcement action ruled that IP addresses did constitute personal information. Nonetheless, the court allowed Logistep to continue its monitoring activities because, in its view, the interests of copyright holders outweighed the interests of computer users seeking to have their IP addresses protected.

On appeal, the Federal Supreme Court affirmed the lower court’s conclusion that IP addresses are personal information. But the Supreme Court reversed the lower court’s conclusion regarding Logistep’s monitoring activities, finding that the contested conduct should be stopped because it involved a major invasion of privacy and could not be justified by any overriding interest. Consequently, as the FDCIP announced on September 9, 2010, Logistep may no longer “collect or pass on any further data” in furtherance of its contested copyright enforcement activities.
Tags: , , , , ,

Consumer Advocates Target Online Behavioral Advertising: Broad Regulation Threatens to Impede Delivery of Relevant Advertising and Business Models for Free Online Content

Posted on March 27, 2008 by Proskauer Rose LLP

In the wake of the December 2007 FTC statement proposing self-regulatory principles for businesses that are engaged in online behavioral targeting (click here for earlier blog post), that activity has continued to provoke consumer groups who advocate for government regulation. The legislature in New York has taken notice and is considering a first of its kind bill, the Third Party Internet Advertising Consumer's Bill of Rights Act of 2008, to regulate third parties Internet advertisers’ tracking activities. The New York legislature’s activity coincides with significant opposition in the European Union to online behavioral advertising practices.   

Online behavioral targeting is the process of tracking online users’ behavior and serving ads tailored to that behavior. While the methods vary, the primary methods used online are cookie-based, conveying to advertisers web pages a user visits. Companies may also use search data. This information is sometimes combined with demographic data such as geographic location, to help further personalize advertisements. Glossed over by consumer groups is the fact that tracking usually is conducted anonymously with data collected linked only to a computer’s Internet Protocol (IP) address, not name or other personally identifiable information. In addition, responsible Internet companies are expected to provide clear notice and opportunities for consumers not to participate in such programs. Still, consumer groups have seized on reports of Internet Service Providers contracting with companies such as Nebu-Ad, Phorm and Adzilla who use so-called “deep packet inspection” to collect data on every page a user visits rather than just those that are part of an online advertising network. 

The ongoing debate over online behavioral targeting is significant not only because such targeting enables consumers to receive ads that are more relevant and useful to them, but as the FTC has recognized, restrictions that inhibit companies’ ability to obtain advertising revenue may fundamentally affect the ability of the Internet to continue to offer valuable content for free.

The New York Bill

The New York bill, with versions in the Assembly and Senate (A. 9275 and S. 6441) is based on the Network Advertising Initiative (NAI) self-regulatory principles. The NAI is a group of online advertising firms and it adopted its principles in 2002. The bill would create an extensive regime of consumer notice and choice for third party tracking of different types of consumer online activity. Absent obtaining a consumer’s prior affirmative consent or opt-in, third parties would be prohibited from collecting personally identifiable information online in some situations (when merged with certain other previously collected data). Consumers would have the right to opt-out of any online tracking involving non-personally identifiable information. The bill would require clear notice by third party advertising companies on their own sites of their profiling activities, the types of data they collect, how they use the data, the opt-out process, and the length of time the data is retained. And, it would require third party advertising companies to contractually require the sites to whom they provide services to include notice and opt-out options.  

Notably, the bill would prohibit a third party from tracking information from websites when it does not have a contractual relationship with the website owner. This provision could have major implications for the companies described above that contract with Internet Service Providers to monitor surfing activity across all websites a consumer visits. The bill is also significant because it would effectively create a national law – companies with a national online presence would necessarily be doing business in New York as well.                    

The European Union 

The press has recently reported about controversy in the U.K. concerning reports that the country’s three largest ISPs, BT, Talk Talk, and Virgin Media, had contracted with Phorm for behavioral targeting services. A U.K. think tank, the Foundation for Information Policy Research (FIPR) submitted an open letter to the U.K Information Commissioner charging that Phorm’s activities violate British privacy law and the European Union’s Data Protection Directive by not affording consumers opt-in choice for the tracking. Phorm is claiming that it uses a cookie with a random number assigned to track information so that it does not collect personally identifiable information. 

The issue of online monitoring continues to draw the attention of European Union regulators with more activity expected in the near future. Although the E.U. approved the Google-Doubleclick merger, the E.U. Article 29 Working Party comprised of data privacy regulators from each of the E.U.’s member states has stated that even search engines based outside of the E.U. may fall under the E.U. Data Protection Directive. In addition, the Chairman of the Article 29 Working Party has asserted that IP addresses standing alone constitutes personally identifiable information. This stands in contrast to how IP addresses are viewed in the U.S. The Article 29 Working Party is expected to issue a report in April concerning the privacy implications of Internet search engines, which should further address these issues.     

Industry and Interest Group Guidelines        

In addition to the activity discussed above, industry and consumer interest groups continue to propose new guidelines. The NAI announced late last year it is planning to revise its guidelines while just last month the Interactive Advertising Bureau – an organization comprised of many leading Internet companies – issued self-regulatory guidelines similar to the FTC’s but designed to give companies more flexibility in their approach to notice and choice. Earlier this month, the Center for Democracy and Technology issued its Privacy Principles for the Development of User Controls for Behavioral Targeting, which focuses on allowing consumers to express their preferences for behavioral targeting, having those preferences remain in place until altered by the consumer, and encouraging companies to have readily available and easily understandable policies.
Tags: , , , , , , , , , , , , , , , , , , , , , , , , ,