IP Address as PII
New York Judge Gary Brown explains in great detail why an IP-address is not sufficient evidence to identify copyright infringers.
That decision, quoted from a TorrentFreak article, could end up as a watershed moment for those accused of copyright infringement, since most complaints are based on evidence that connects the defendant to an IP address. If, all of a sudden, the RIAA and MPAA or studios can’t use that as primary evidence, then much (most) of their ability to go after pirates dries up.
That, in and of itself, is interesting, but it started me thinking about possible wider implications. Many information security specifications, frameworks and regulations require that we protect the end user’s IP address. Offhand, I know both HIPAA and some NIST frameworks explicitly state that IP addresses should be considered personal information and therefore require special protection. To that end I commented the following on Hacker News in regard to the story:
This is an important decision not only from a “piracy” perspective but from a “privacy” and “information security” view as well. Many US laws and regulations revolve around protecting personally identifiable information (PII). If this judge’s conclusions stick then we have some freedom from having to protect IP addresses, which show up in just about everything we log and collect.
That could be gigantic to those who deal with HIPAA, PCI, GLBA, etc. Although I guess this has no impact on the European Union regulations and what they consider PII – those are much tougher to deal with anyway.
However, when I started to poke around looking into how this judge’s conclusions could actually impact existing laws and regulations, I came up short. In fact, other than HIPAA, I couldn’t find it explicitly stated that IP addresses alone required protection (although, to be honest, I didn’t look that hard). I did find that back in 2008 European regulators specifically debated whether IP addresses should be treated as PII, but that looks like it went nowhere.
I guess, in the end, while this deals a blow to those chasing pirates, it’s not quite as groundbreaking as I had originally suspected. It should be noted, though, that it is a gray area, and it doesn’t change the fact that while an IP address is generally anonymous and not personally identifiable information by itself, when combined with other information it can become PII.