Are IP Addresses Personally Identifiable Information?

Since we specialize in DNS, DHCP, and IPAM, BlueCat tends to get a lot of questions about data protection. Managing and securing basic network services…

Since we specialize in DNS, DHCP, and IPAM, BlueCat tends to get a lot of questions about data protection. Managing and securing basic network services involves handling information which could reveal a lot about one or a companies.

Many of our customer questions boil down to whether internet protocol (IP) addresses constitute Personally Identifiable Information (PII). The legal boundaries and technical requirements involved in safeguarding PII are relatively clear. Connecting general data protection regulation, causes many to lump IP address information into this category by default. But does it truly belong there?

Sadly, there appears to be no consensus about whether IP address information constitutes PII or not.

What’s in an IP?

By itself, an IP address merely indicates which computer sent a query,These pieces of information which is not very useful if you don’t know where that computer is and who’s using it. Only when correlated with information like user logs, query patterns, and other contextual information does the picture become clearer. Even then, the use of proxy servers and VPNs can be used to throw trackers off the scent. DHCP also re-assigns IP addresses on a frequently, making it difficult to track a single computer or user over time. So does it act as an online identifier or contain your personal information?

This was the logic behind a 2009 court ruling in Johnson v. Microsoft. The judge declined to provide PII-level protection for IP addresses by themselves. The ruling states that “[in] order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer.” 

Yet not everyone agrees that this is the end of the story. Recent guidance from the FTC is more nuanced, saying “we regard data as ‘personally identifiable,’ and thus warranting privacy protections when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.” A 2008 court ruling in New Jersey agreed that the bar for correlation of IP addresses with other data sources was so low that IP address information forms part of the “reasonable expectation of privacy” users are entitled to when using a commercial ISP.

And then there’s Europe. The EU’s Directive on personal data has a broader scope, defining PII as data which can identify an individual “directly or indirectly”. This raises the question of how the term “indirectly” would be applied. In 2016, the Court of Justice of the European Union provided an answer. Ruling in Breyer v. Germany that IP addresses can be considered PII – in certain circumstances.

The case was brought against an ISP, and the court ruled that the company had enough correlating data at its disposal to make an IP address de facto PII for any of its customers. The court limited its ruling, saying that with just an IP address alone, the protections associated with the Directive wouldn’t apply. This essentially splits the difference in the same way that US courts have ruled.

What about compliance?

All of this nuance isn’t very helpful for compliance officers and network engineers, both of whom are used to dealing with more concrete standards.  Many engineers and officers default to the stricter PII privacy standards for IP address information simply because they’re easier to navigate and provide clear guidance.

At BlueCat, we strive to protect IP address information while using it in the service of network security and efficient management. BlueCat customers assign a wide variety of controls and restrictions to IP address information. Our software has complied with these requirements even as they shift beneath our feet. Our enterprise-level DNS platforms protect IP address information through anonymization, encryption, and restricted forms of access. These methods ensure that how your organization views of IP address information – PII or not – the data remain well-protected.


Critical conversations on critical infrastructure

Find out how your peers are managing their networks through profound change. Watch this series of live interactive discussions with IT pros & join the debate in Slack.

Join the conversation

Read more

Six non-hype network automation lessons from IT pros

Five IT pros get real about network automation during the first Critical Conversation on Critical Infrastructure hosted in the Network VIP community.

Read more
BlueCat’s DDI Adaptive Plugins and Applications help IT teams better leverage ServiceNow, Ansible, Microsoft, and more

A growing suite of Adaptive Plugins and Applications will help automate existing BlueCat capabilities along with adjacent customer technologies.

Read more
BlueCat appoints Stephen Devito as Chief Executive Officer

BlueCat, the Adaptive DNS Company™, today announced that Stephen Devito has been named Chief Executive Officer effective September 11, 2020.

Read more
To better see the threats on your network, try DNS

DNS is a vector used in most cyber attacks. When it comes to DNS, BlueCat can enhance visibility, detection, and containment of threats to your network.

Read more

Subscribe to our blog

Products and Services

From Core Network Services to multicloud management, BlueCat has everything you need to build the network you need.

Learn more