Amid the news that the U.S. government has subpoenaed from Twitter data about WikiLeaks founder Julian Assange and others thought to be tied to the group is the issue of IP addresses. An Internet Protocol address is a unique 32-bit numeric address that can identify a specific computer on a network. IP addresses, generally assigned by an Internet Service Provider (ISP), can be temporary (called dynamic IP addresses) or permanently (called static IP addresses).
Reuters reports: “The information sought by the government includes all connection records and session times, IP addresses used to access Twitter, e-mail and residential addresses plus billing records and details of bank accounts and credit cards.”
There has been substantial debate over whether IP addresses are personally identifiable data. I believe they are, as they can easily link specific computers to individuals. There is also the expectation among users that personal data such as IP addresses will be kept private. In 2008, the New Jersey Supreme Court unanimously ruled, “citizens have a reasonable expectation of privacy … in the subscriber information they provide to internet service providers — just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies.” State v. Reid, 194 N.J. 386, 954 A.2d 503 (N.J. 2008). However, a year later, a decision (pdf) — Johnson v. Microsoft Corp., 2009 WL 1794400 (W.D. Wash. June 23, 2009) — from a federal district court in Washington ruled that IP addresses are not considered “personally identifiable information.”
Concerning the WikiLeaks subpoena. the Associated Press reports:
The main target of the prosecutors’ document demands is most likely the IP addresses of the Twitter users, said Stanford University law professor Larry Lessig, founder of the Center for Internet & Society, Stanford.
Getting a list of IP addresses — specific numerical address that can identify individual computers as they interact over the Internet — could help prosecutors an effort to draw specific connections between individuals, their computers, and the information they share.
“It’s not very hard for an investigator to put these things together and come back and identify a specific individual,” Lessig said.
Web sites, such as Twitter, can easily collect IP addresses. The best protection would be for the web sites to expunge the data after a short period, as news site Indymedia.us showed in a 2009 case. In January 2009, U.S. attorneys issued a subpoena to Indymedia.us for “all IP traffic to and from www.indymedia.us” for June 25, 2008. This could have identified all the site’s visitors — every person who read a single story on the news site. However, the subpoena was withdrawn, says site administrator Kristina Clair, because Indymedia.us deletes the IP address info it gathers after five weeks. Because the site did not keep long-term logs of its visitors’ IP addresses, Indymedia.us was able to protect its readers.
I’ve said it before: If companies don’t keep personal data on their customers beyond the time necessary to complete a transaction, then there would be little trouble protecting that data from prying eyes of government, hackers, or others.
To anonymize your IP address, you can use anonymization service Tor — learn more at the Electronic Frontier Foundation’s page on Tor in its Surveillance Self-Defense manual.