Notes on the Viacom ruling [LWN.net]

Notes on the Viacom ruling

Posted Jul 5, 2008 12:00 UTC (Sat) by NAR (subscriber, #1313) [Link]

IP address is just like regular address in a sense - it's public, because you have to give it
to others in order to communicate with them, but it's private, because one can't store your
name and address without your permission. At least in Hungarian law, the definition for
private data is "data related to a person or data that could be used to draw a conclusion
about a person" (my translation from Hungarian legalese to English is probably not that good).
According to the Hungarian privacy ombudsman, the IP address is private data and according to
the law, private data can be transfered only if the person, whose data is affected, permits
this. 

However, I wouldn't draw the conclusion that this transfer of TBs of Google data would be
illegal under Hungarian law, because I'm not a lawyer.

Notes on the Viacom ruling

Posted Jul 5, 2008 15:51 UTC (Sat) by kirkengaard (subscriber, #15022) [Link]

The grey area is private as in secret, private as in personally-identifying and individual,
public as in not secret, public as in un-owned, public as in generally available.  I'm sure
there are more.  Which do you mean when you say "private" or "public"?  More, how do you
define secret?

Fingerprints: not secret -- left everywhere; private as in uniquely identifying and linked to
the person.  Personal in a permanent sense.  Not logged in a database by default, because the
assigning authority is unregulated.

Street address: not secret.  Anyone can find out addresses.  Temporarily linked to a
person/family (presumably for longer time values).  Not personal like fingerprints,  but a
unique identifier for the given domicile, and by extension the people living in it.  One might
argue a distinction between the address as such, public data, and the private association of
that address with a person, but in practice it is public-register information.

Telephone number: not secret.  Oh, you can unlist your number, making it harder to find, but
just like fingerprints, you leave it everywhere you call.  Besides which, the phone companies
and the government know it.  US courts have ruled, for competitive business reasons, that a
phone number, once assigned, is property of a sort, and may be retained across carriers.
However, while more personal because of that, it is still like the street address in being
hardware-defined, not user-defined.  In practice, it is still personally-identifying
information, with variable granularity in the case of landlines.

IP address: not secret.  More capable of being secured than street or phone system addresses,
provided tight routes and recipient and assigning authority are both secure and not talking to
anyone else.  However, most of the time you leave it everywhere you visit, and at every point
in between.  Assigned, just like the phone number, but with more variability.  For its
assigned span of time, unique to the hardware, not the user.  Just like street and phone, may
generally be assumed to be under the control of the person who is accounted owner of the
hardware or contracts for the service.

Now, any of these four may commonly be considered personal (YMMV based on jurisdiction and
laws), but your value of public ("you have to let people know what your IP address is to do
anything") is more properly "non-secret".  So, for that value of "private"="secret", nothing
truly is private.  Fingerprints are the only ones not logged on issue, and even that can be
changed, if your government decides to log your issue as they are born.  Someone else knows
your "private" information, if it is identifying, because true secrets have remarkably limited
ID potential by nature.

The fact that multiple users may be assigned to a piece of hardware, be it telephone/NID,
residence, or computer, makes those UIDs problematic as definite personal identifiers.  For
that purpose we have, in the US, SSN/taxpayer ID numbers and driver's license numbers, which
are user specific, not hardware specific.  Those the government has, and you have, and may be
secured by relatively simple expedients (on the user end -- your government screwing up should
not be discounted).

Be more specific, please, in discussions like this, and encourage your lawmakers to do the
same.

Notes on the Viacom ruling

Posted Jul 7, 2008 7:40 UTC (Mon) by kleptog (subscriber, #1183) [Link]

The term I tend to prefer is "personal data". Whether its secret or not is irrelevent. An IP
address could be used to identify you which makes it perfectly reasonable to place legal
limits on the distribution of that information.

It's on a need to know basis, and you don't need to know...

Notes on the Viacom ruling

Posted Jul 7, 2008 19:18 UTC (Mon) by martinfick (subscriber, #4455) [Link]

  So, if you punch me in the face I shouldn't be allowed to tell my friends about it?
Personal data retention is not evil and it is here to stay no matter how hard you or any
government tries to prevent it.  Get over it and adapt your behavior accordingly or forever be
sulking in your misguided (but probably well meaning) view of how things should be.  Once you
do, you will be much happier and you might eventually realize that you are better off because
of it too.

Notes on the Viacom ruling

Posted Jul 7, 2008 19:51 UTC (Mon) by kleptog (subscriber, #1183) [Link]

I'm afraid you'll have to explain this a bit more. Since an action (in this case punching) is
by definition not personally identifying information it has nothing to do with this at all.
Attributes might be, actions never.

Also, the point is not that the data is retained, ofcourse it is, by those who need it. The
point is that it should not be sold or distributed to companies for whom it is not relevant.
In this case there is nothing wrong since a judge apparently decided it's relevent information
to Viacom. You might disapprove that Google kept the data, but they broke no laws.

Notes on the Viacom ruling

Posted Jul 7, 2008 21:22 UTC (Mon) by martinfick (subscriber, #4455) [Link]

"I'm afraid you'll have to explain this a bit more. Since an action (in this case punching) is by definition not personally identifying information it has nothing to do with this at all. Attributes might be, actions never."

What would be the point of saving actions if I cannot relate them to a person? For every action that I log I need to log personal information. Why else would you be worried about your personal information being logged, because it will be associated with your actions right?

"Also, the point is not that the data is retained, of course it is, by those who need it. The point is that it should not be sold or distributed to companies for whom it is not relevant."

Well, your opinion of relevance is not related to mine if I am the one keeping the data. You may decide that it is not relevant that you "punched me in the face" and feel that I should expunge such data, but my friends (or business associates) may appreciate me keeping AND sharing that data, both the action and the personal identifying data. Surely you should see that in these cases my right to share (your personal) data (which does not directly affect you) is more important to and less imposing on society than your desired right to privacy (which if it could be enforced, would unjustly directly affect me).

Notes on the Viacom ruling

Posted Jul 8, 2008 9:33 UTC (Tue) by kleptog (subscriber, #1183) [Link]

I think you're making this unnecessarily complicated. Names are personal but not private and
the accepted means of referring to a person, so if you feel like telling all your friends, go
right ahead. You just don't have a reason to tell them his tax file number, bank account
details or credit card number. There may be restrictions on publishing his name in the
newspaper also.

I think you're referring to the idea that personal data should never be shared (which I never
said), which is obviously absurd... It's just not a free-for-all either. Like most of the real
world it's a nice shade of grey.

Notes on the Viacom ruling

Posted Jul 10, 2008 10:30 UTC (Thu) by lysse (guest, #3190) [Link]

Someday everyone will know what it is to love Big Brother.

Love Big Brother

Posted Jul 10, 2008 16:58 UTC (Thu) by pr1268 (subscriber, #24648) [Link]

> Someday everyone will know what it is to love Big Brother.

Agreed. George Orwell was a visionary and a prophet. :-\

Back to the topic, I'm genuinely curious about privacy (or lack thereof) in a historical context: When the telephone became commonplace and the phone companies started publishing directories with subscribers' phone numbers, was there an uproar over privacy concerns?

Love Big Brother

Posted Jul 11, 2008 0:45 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

When the telephone became commonplace and the phone companies started publishing directories with subscribers' phone numbers, was there an uproar over privacy concerns?

No. It was so normal that phone companies sold the "unlisted number" as a product. Today, most people would consider that blackmail. And before telephones, there was a practice that people today would find even more shocking: cities published directories with everyone's home address.

Even in my lifetime, driver licensing information was considered public and anyone could get my address, birth date, and driving record. I can also remember when everyone in a doctor's office could easily overhear other patients' health problems. When reverse-charge telephone service was invented (1970's?) no one questioned for a minute that the company you called got to know your phone number. By the 1990s, that was a huge issue with Caller ID.

Information privacy per se (as opposed to keeping certain things secret because of specific threats) is a recent phenomenon. Part of the reason may be that there is more power available now to process and exploit that information. But I think a lot of it just might be social evolution, like you see attitudes toward sex change with the times.