In the US, law enforcement authorities treat ‘basic subscriber information’ differently than the content of a phone call or email. The basic subscriber information is treated as equivalent to that publicly available in a phone directory and therefore accessible with little or no constraints. A similar approach has flowed into other countries, including New Zealand.
An excellent report from the Office of the Privacy Commissioner of Canada called “What an IP Address Can Reveal About You” shows just how wrong that thinking is in today’s world.
In the POTS days, the phone directory had a subscriber’s name, address and phone number. Over the years, laws have extended this list to cover electronic communication as if it was equivalent. For example, our own Telco Spying Bill defines “number” to include not only the traditional landline and mobile phone number but also the MAC address, user account identifier, IP address, and email address.
In turn, information about a “number” can be accessed as “call associated data” as distinct from the “content of the telecommunication”.
The question of what constitutes subscriber information is critical from a privacy angle. It defines the information that law enforcement authorities can seek with little or no barriers. The definition also has implications for how businesses and government treat IP addresses, including whether an IP address is personal information and therefore covered by the Privacy Act.
The conclusion of the report from the Office of the Privacy Commissioner of Canada in relation to IP addresses and other ‘new’ elements of what constitutes the equivalent of the traditional phone directory is:
In general, the findings lead to the conclusion that, unlike simple phone book information, the elements examined can be used to develop very detailed portraits of individuals providing insight into one’s activities, tastes, leanings and lives.
The report has examples of the information publicly and easily retrievable about a given IP address. These illustrate just how much personal information is indexed against an IP address.
What the report does not cover in any detail is the issue of static vs. dynamic allocation of IP addresses as well as the ability of skilled people to hide or modify their IP address.
Nevertheless, the argument that an IP address (or other identifiers, such as the MAC address) should be treated the same as traditional subscriber information, and is therefore less deserving of privacy protection than the content of a phone call or email, does not work any more.
For businesses and government, if they don’t already do so, it makes sense to treat IP addresses as personal information and give them the full protection and security that the Privacy Act requires.