MediaPost reports on a case where the lack of data retention made individual privacy more secure. “Federal authorities recently attempted to subpoena the IP addresses of Web visitors to the left-wing news site Indymedia.us.”
I’ve said it before: If companies don’t keep personal data on their customers beyond the time necessary to complete a transaction, then there would be little trouble protecting that data from prying eyes of government, hackers, or others.
Not only did the government attempt to obtain all IP addresses of people who visited on a particular day — June 25, 2008 — but authorities also ordered site administrator Kristina Clair to keep quiet about the subpoena. “This overbroad demand for internet records not only violated federal privacy law but also violated Clair’s First Amendment rights,” the EFF states in a new post about the case. […]
As it turns out, Indymedia.us destroys IP logs after five weeks, so Clair wasn’t able to comply with the subpoena, which was issued in January. The EFF also convinced the government to back off its demand that Clair keep quiet about the subpoena.
Nonetheless, this incident marks more than just an example of government overreaching. It demonstrates that one sure way to guarantee Web users’ privacy is to destroy information that could be used to identify individuals.
Earlier this year, a decision (pdf) from a federal district court in Washington ruled that IP addresses are not considered “personally identifiable information.” This decision comes a year after Google and Viacom faced a huge uproar after a federal judge ordered (pdf) the search engine to turn over to Viacom every record of every video watched by YouTube users worldwide, including users’ names and IP addresses. In the end, the companies agreed to mask the IP addresses and user IDs. An IP address is a unique 32-bit numeric address that identifies a computer on a network.