Leaking IP address information is illegal in UK
IP address legality in Europe
It is important to note that unlike the US, under European Union law IP Addresses are considered to be personal data as defined by article 2(a) of Directive 95/46/EC " 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; " Also see Directive 2006/24/EC.
In association with Time Codes, IP Addressing information will always identify unique ISP account holders unless there is translation of that information.
It is important that this significant difference in legal status is appreciated, since Websites that provide for third party interception of IP addressing information and Traffic Data, without Website visitor consent, are committing a criminal offence in the UK by virtue of the Regulation of Investigatory Powers Act 2000, where through the requirements of European Council Decision 2005/222/JHA such Website owners face serious sanctions, including the winding up of their businesses, being debarred from running a business, and more than 2 years imprisonment.(emphasis added)
IP addresses do not always identify specific individuals (e.g., my AOL proxy's static IP address is shared with many other AOL users), but the potential is certainly there. If I had a static IP address uniquely associated with my personal computer, I would be afraid that some blogger with a grudge against me would try to use that address to invade my computer. Also, there is the danger that a particular IP address will be blacklisted.
These European laws are a great deterrent to blog services that might try to help bloggers use IP address blocking. Since the Internet is so highly internationalized, blog services may be cautious about the potential of getting into legal trouble anywhere.
The "By details" webpage of a Site Meter (click on the Site Meter icon at the bottom of the left sidebar, then click on "By details") lists some visitors by IP address but does not give the last three digits, e.g., 76.171.246.#. That gives out some unnecessary information but at least shows some respect for the privacy of the visitor.
Here are some excerpts of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995:
Object of the Directive
1. In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data . . . . .
For the purposes of this Directive:
(a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity . . . . .(emphasis added)
1. Member States shall provide that personal data must be:
- - - - - - - - -
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed . . . . .
Member States shall provide that personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).
Section 2 (8) of the UK's Regulation of Investigatory Powers Act 2000 says,
(8) For the purposes of this section the cases in which any contents of a communication are to be taken to be made available to a person while being transmitted shall include any case in which any of the contents of the communication, while being transmitted, are diverted or recorded so as to be available to a person subsequently. (emphasis added)
Leaking IP addresses is also contrary to Amendment IV of the Bill of Rights:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Labels: Internet censorship (1 of 2)