• April 28, 2024

Do Websites Keep Your IP Address

IP addresses and the Data Protection Act - Pinsent Masons


This guide is based on UK law.
An IP address in isolation is not personal data under the Data Protection Act, according to the Information Commissioner. But an IP address can become personal data when combined with other information or when used to build a profile of an individual, even if that individual’s name is unknown.
What is an IP address?
Computers and other devices that are connected to the internet are assigned unique identifiers known as Internet Protocol (IP) addresses to identify and communicate with each other.
The internet’s authority for names and numbers is ICANN, based in California. It delegates authority for the management and creation of IP addresses to a body called the Internet Assigned Numbers Authority (IANA). IANA allocates blocks of addresses to one of five Regional Internet Registries, including RIPE in Europe. In turn, these regional bodies allocate smaller blocks of addresses to ISPs and organisations.
The most common type of IP address is displayed as four numbers between zero and 255, e.g. 83.29.144.255. This format – known as IP version 4 – will accommodate a maximum of 4.3 billion addresses. The growing number of devices connected to the internet is driving the adoption of IP version 6 – a format that will accommodate more devices (it displays an IP address as eight groups of four hexadecimal digits, e.g. 2001:0db8:0000:0000:0000:0000:1428:57ab), though it is not yet widely supported.
When an individual connects his computer to the internet it is either with the same IP address each time, known as a static IP address; or with a different number each time, known as a dynamic IP address. Some ISPs allocate dynamic IP addresses, others allocate static IP addresses. Visiting an IP lookup site will tell you what IP address you are currently using. You can determine whether it is dynamic or static if you disconnect your internet connection, reconnect and then check your IP address again.
What can be determined from an IP address?
As soon as you visit a website your IP address will be available to that site. It is common for websites to keep a record of all IP addresses that visited with the date and time of the visit, even if this record is never used. Your ISP also has a record of your internet activity. Even if your IP address is a dynamic address – i.e. it changes every time you connect to the internet – your ISP will be able to identify your browsing activity because it knows what number was allocated to which customer and when.
Limited information is freely available about any IP address. Because IP addresses are allocated in batches, your IP address, be it static or dynamic, will be in a particular range that typically reveals your choice of ISP and your geographic location – though at best this will identify a city, not a street, and it won’t always identify the right city or even the right country, depending on your ISP and its system for allocating IP addresses.
When accessing a website from an office computer, you might share one IP address with numerous colleagues. It is likely that your office can identify which computer on its network accessed a particular site, though, even if that site’s access records show a shared IP address.
Data protection and IP addresses
The Data Protection Act regulates the collection and use of personal data. If data is not personal data it is not caught by the Act – but it is not always obvious whether data is personal data or not. An IP address in isolation is not personal data because it is focused on a computer and not an individual. This reasoning was applied by the Hong Kong Privacy Commissioner in a complaint about Yahoo!’s disclosure of information about a journalist to Chinese authorities (Hong Kong clears Yahoo! of privacy breach over jailed journalist, OUT-LAW News, 15/03/2007). The Commissioner wrote in his report: “an IP address per se does not meet the definition of ‘personal data’”.
In the hands of an ISP an IP address becomes personal data when combined with other information that is held – which will include a customer’s name and address. In the hands of a website operator, it can become personal data through user profiling.
Most sites do not profile their users using IP addresses. They typically use IP addresses for demographic purposes such as counting visitors, their countries of origin and their choice of ISP. Their organisation might also be identifiable.
Sites typically gather statistical data about the path that users take through a website and the page from which they left the site. Banking websites might also use IP addresses as a security measure – for example, if a customer regularly accesses his account from an IP address in London, access to that customer’s account from an IP address in Moscow might indicate fraud.
The most common privacy concern surrounding IP addresses is their use in marketing. A visitor’s path through a website could be followed and any adverts that are clicked can be identified. On the next visit, that user could be shown ads that are similar to those he clicked on the previous visit. But this fails when the user has a dynamic IP address: the user will be unknown.
Accordingly, most websites use cookies rather than IP addresses to track users for personalised marketing purposes. A cookie is a small text file that is sent from a website to a visitor’s computer. The cookie file can be used to identify an individual and a website operator can build a detailed profile of that person’s activity at its site. Users can set their web browsers to refuse cookies but most users accept them, often unwittingly.
The Commissioner on IP addresses
In 2001, the then Information Commissioner, Elizabeth France, acknowledged the difficulty of using IP addresses to build up personalised profiles. “It is hard to see how the collection of dynamic IP addresses without other identifying information would bring a website operator within the scope of the Data Protection Act 1998,” she wrote.
She continued: “Static IP addresses are different. As with cookies they can be linked to a particular computer which may actually or by assumption be linked to an individual user. If static IP addresses were to form the basis for profiles that are used to deliver targeted marketing messages to particular individuals they, and the profiles, would be personal data subject to the Data Protection Act 1998. However, it is not easy for a website operator to distinguish between dynamic and static IP addresses. Thus the scope for using IP addresses for personalised profiling is limited.” This approach has now been incorporated into guidance on the Information Commissioner’s website, entitled, ‘Collecting Personal Information Using Websites’ (June 2007).
France concluded: “If dynamic or static IP addresses are collected simply to analyse aggregate patterns of website use they are not necessarily personal data. They will only become personal data if the website operator has some means of linking IP addresses to a particular individual, perhaps through other information held or from information that is publicly available on the internet. ISPs will of course be able to make this link but the information they keep will not normally be available to a website operator.”
Similar guidance came from an independent EU advisory body called the Article 29 Data Protection Working Party. It wrote in November 2000: “The possibility exists in many cases, however, of linking the user’s IP address to other personal data (which is publicly available or not) that identify him/her, especially if use is made of invisible processing means to collect additional data on the user (for instance, using cookies containing a unique identifier) or modern data mining systems linked to large databases containing personally-identifiable data on internet users.”
The Article 29 Working Party is currently working on a report into how well the privacy policies of internet search engines operated by Google, Yahoo, Microsoft and others comply with EU data protection law. As a result, a debate arose in the EU Commission as to whether IP addresses can amount to personal data. Initially it seemed from reports that the outcome of the debate indicated that, going forward, all IP addresses should be considered to be personal data, rather than just those that can be considered with other information to identify a particular individual.
However, Peter Schaar (the German Federal Data Protection Commissioner and Chairman of the Article 29 Working Party, whose comments were the subject of various articles on the debate) has confirmed that his comments were misconstrued by the press and that, in fact, the position in the UK in relation to IP addresses remains as per the Information Commissioner’s guidance above (subject to the Courts taking a different view). However, he also stated that all IP addresses should be treated as personal data by companies using them, as ultimately only the Courts can decide for certain whether they amount to personal data, and companies should therefore exercise caution.
This reflects a 2007 opinion of the Article 29 Working Party on the concept of personal data, commenting on its earlier 2000 opinion. The Working Party notes that where identification is possible an IP address will be personal data (an example of an exception being a computer in an internet café where the ISP has no means of identifying the user) and that in any event as ISPs would find it difficult to distinguish where identification is possible, all IP addresses should be treated as personal data “to be on the safe side”.
How this affects your web operations
If you collect IP addresses and analyse them collectively – e.g. identifying the number of visitors from Japan or the most popular ISP – you should disclose this in your privacy policy, e.g. “When you visit our site we may automatically log your IP address, a unique identifier for your computer or other access device.” To reassure visitors, you could add: “We will not use your IP address to identify you in any way.”
If you wish to use IP addresses to identify or build a profile on each of your visitors as an individual, even if they are never identified by name, you should assume that the Data Protection Act applies. Only a court can decide for certain whether or not this is a processing of personal data to which the Act applies and there have been no court rulings on this point to date. The safest course is to assume that the Act does apply in these circumstances. A court will be influenced by the Information Commissioner’s guidance on this point. Therefore you should make visitors aware of your intentions to use IP addresses at the earliest opportunity.
See:
EU Data Protection Working Party Guidance (99-page / 510KB PDF)
EU Article 29 Working Party Opinion on the concept of personal data (26-page PDF)
Information Commissioner’s guidance – Collecting Personal Information using Websites
Please note: The UK Commissioner’s guidance appeared in a set of Website FAQ published in 2001 and no longer available at the Commissioner’s site.
Do Websites Track and Record IP Addresses? (with pictures)


An IP or Internet Protocol address is a unique numerical address assigned to a computer as it logs on to the Internet. The IP address can be mapped back to a specific individual with help from Internet Service Provider (ISP) records. Virtually every website on the World Wide Web (Web) will track and record IP addresses as visitors click through the site’s pages. Two primary reasons for this are security and site improvement.
Visitors are tracked by a website even when they don’t register or log in.
Every website is hosted on a server. When a visitor clicks his or her way to a website, the user’s browser sends a request to the server for a webpage at the location. The server returns the webpage to the IP address on the request. The page subsequently loads on the visitor’s computer screen.
Gauging the popularity of webpages is a common reason to track IP addresses.
If the server is bogged down by traffic (handling many requests at once), pages might load slower for visitors. In the case of an overload of simultaneous requests, the server will “crash” or go down, leaving the site temporarily unavailable. This can be a form of attack, called a Denial of Service (DoS) attack. If the attack comes from a network of infected computers called a botnet, it is referred to as a Distributed Denial of Service (DDoS) attack.
A malicious hacker might infiltrate a Web server in an attempt to gain information from protected databases that hold customer data such as credit card numbers. So-called “script kiddies” might simply want to malign a site by uploading images or text to the website.
For these reasons and more, websites track and record IP addresses as a matter of course, storing the numerical addresses in server logs. Each request from the IP address is recorded, along with a time stamp. Older data is routinely purged from logs to make room for newer data. The length of time a website holds on to IP logs is variable, configured by the site’s administrator, and dependent upon many factors.
Websites also track and record IP addresses to learn which pages are most popular. The site can build on popular pages to increase site traffic. Tracking IP addresses across the site can also reveal traffic leaks. For example, a page that provides information about a product might have a link to a remote site with additional information. If server logs reveal that a large amount of traffic is clicking through to the other site, the administrator can improve the page’s content or design to keep traffic longer.
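The logging, purging and page-popularity steps described above can be combined so that logs kept for statistics no longer hold full addresses. The following is an added example, not code from the original article; the 14-day window, the /24 and /48 truncation widths and the sample log lines (which reuse the example addresses quoted earlier on this page) are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Start of a Common/Combined Log Format line:
# client ident user [timestamp] "METHOD path PROTOCOL" ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*"')

def truncate_ip(addr):
    """Zero the host part: keep a /24 for IPv4, a /48 for IPv6 (assumed policy)."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)

def apply_retention(lines, now, retention_days=14):
    """Drop entries older than the retention window and truncate IPs in the rest."""
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are dropped, never kept with a raw IP
        addr, stamp, _path = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if when < cutoff:
            continue  # past the retention period: purge
        try:
            masked = truncate_ip(addr)
        except ValueError:
            continue  # first field was a hostname, not an address
        kept.append(masked + line[len(addr):])
    return kept

def page_counts(lines):
    """Aggregate page popularity; works on truncated logs because no IP is needed."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[m.group(3)] += 1
    return counts

# Constructed sample input and reference time.
SAMPLE_NOW = datetime(2024, 4, 28, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    '83.29.144.255 - - [27/Apr/2024:10:15:02 +0000] "GET /products HTTP/1.1" 200 5120',
    '83.29.144.17 - - [27/Apr/2024:10:16:40 +0000] "GET /products HTTP/1.1" 200 5120',
    '2001:0db8:0000:0000:0000:0000:1428:57ab - - [26/Apr/2024:08:00:00 +0000] "GET /contact HTTP/1.1" 200 900',
    '83.29.144.255 - - [01/Mar/2024:09:00:00 +0000] "GET /old HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    kept = apply_retention(SAMPLE, SAMPLE_NOW)
    print("\n".join(kept))
    print(dict(page_counts(kept)))
```

Truncation keeps the network range, so country and ISP statistics still work while individual hosts within a range are no longer distinguishable in the stored log.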
Website policies generally refer to IP addresses as “anonymous” data. However, with the help of computer cookies there are many ways for websites to link identities to IP addresses, even when the address is dynamic, or changes with each Web session. Many websites also contain “Web bugs” or a few pixels linked to an advertising firm that can track and record IP addresses across the Web, from one site to another, surreptitiously compiling detailed surfing profiles of individuals over a period of months or years.
A visitor need not register at a website to be tracked and profiled. Typically all visits to a site are time-stamped and recorded to a cookie, if cookies are enabled in the Web browser. All pages and links visited within the site are commonly added to the cookie (in addition to the server logs). While server logs are purged, cookies are commonly retained. Deleting a cookie from a user’s computer does not remove the duplicate cookie on the Web server. Upon a subsequent visit to the site, the server might “recognize” the surfer by various system and software data that browsers routinely hand over, even when the surfer is careful to allow temporary cookies only, or no cookies.
Due to these concerns, many savvy netizens prefer to surf anonymously. In this case a proxy server stands between the surfer’s computer and the Web. All browser requests are sent to the proxy which relays them to the Internet. Web servers return pages to the proxy’s IP address, logging its address instead. The proxy receives the page, forwarding it on to the surfer, acting as a go-between. Web servers have no record of the surfer’s IP address (however, the proxy server will track and record IP addresses).
If using a proxy service, it is important to know if it is truly anonymous. Some proxy servers forward the requester’s IP address in their headers, defeating the purpose. Only anonymous proxy servers hide this information. Some proxies claim to be anonymous but are not, so personal checking through available proxy tools is advisable. Using international proxies can also increase anonymity because the proxy’s logs will not be subject to jurisdiction of the netizen’s home country. That said, proxy services are designed to help maintain freedom and privacy for legal activity, not protect illegal activity.
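The check described above can be done by looking at the request headers a destination server actually received through the proxy and searching them for your own address. This is an added example, not part of the original article; it assumes you know your real address (for instance from an IP lookup site visited without the proxy), the category labels are made up for illustration, and the sample headers are constructed using documentation address ranges.

```python
import ipaddress
import re

# Headers proxies commonly use to pass along the original client address.
CLIENT_IP_HEADERS = ("x-forwarded-for", "forwarded", "x-real-ip")
# Headers that show a proxy is in the path, even if the client is not named.
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded")

def _addresses(name, value):
    """Extract the IP addresses carried in one header value."""
    if name == "forwarded":
        # RFC 7239 syntax: for=192.0.2.1 or for="[2001:db8::1]:4711"
        tokens = [t[1] for t in re.findall(r'for=("?)([^";,]+)\1', value, flags=re.I)]
    else:
        tokens = value.split(",")
    found = []
    for tok in tokens:
        tok = tok.strip()
        bracketed = re.match(r"^\[([^\]]+)\](?::\d+)?$", tok)
        if bracketed:                      # [IPv6] with optional :port
            tok = bracketed.group(1)
        elif tok.count(":") == 1:          # IPv4:port
            tok = tok.split(":")[0]
        try:
            found.append(ipaddress.ip_address(tok))
        except ValueError:
            pass  # "unknown", obfuscated identifiers, hostnames
    return found

def classify(headers, real_ip):
    """Return (label, header names) for headers as seen by the destination server."""
    real = ipaddress.ip_address(real_ip)
    lower = {k.lower(): v for k, v in headers.items()}
    leaks = [h for h in CLIENT_IP_HEADERS
             if h in lower and real in _addresses(h, lower[h])]
    if leaks:
        return "leaks_client_ip", leaks
    seen = [h for h in PROXY_HEADERS if h in lower]
    if seen:
        return "proxy_visible", seen
    return "no_proxy_headers", []

# Constructed samples: 203.0.113.7 stands for the user, 198.51.100.20 for the proxy.
FORWARDING = {"X-Forwarded-For": "203.0.113.7, 198.51.100.20", "Via": "1.1 proxy.example"}
HIDING = {"Via": "1.1 proxy.example", "X-Forwarded-For": "unknown"}
SILENT = {"User-Agent": "ExampleBrowser/1.0"}
V6_FORWARDED = {"Forwarded": 'for="[2001:db8::7]:4711";proto=https'}

if __name__ == "__main__":
    for sample in (FORWARDING, HIDING, SILENT):
        print(classify(sample, "203.0.113.7"))
    print(classify(V6_FORWARDED, "2001:0db8:0000:0000:0000:0000:0000:0007"))
```

Addresses are compared as parsed values rather than strings, so a compressed IPv6 address in a header still matches its expanded form.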
The Firefox™ browser has an add-on plug-in called FoxyProxy which allows users to keep a list of proxies and easily switch between them to keep records from accumulating on just one proxy server. One can also link proxies, placing two or three proxy servers in a chain; however, this slows surfing. Also, if one of the proxies is down, requests get lost. Additionally, there are various shareware programs for proxy surfing.
Web-based anonymous services allow visitors to surf the Web through an onsite interface. Surfing from the site, requested pages appear in a window. The only IP address revealed to the Internet is the website’s own address. But once again, the website itself will record and track IP addresses of those who use its services.
There are many ways for websites to link identities to IP addresses.
How Long Does Your ISP Store IP-Address Logs? - TorrentFreak

The ongoing avalanche of mass-BitTorrent lawsuits reveals that IP-addresses can get people into a heap of trouble and it’s not unusual for Internet subscribers to be wrongfully accused of sharing copyrighted material. This begs the question, for how long are these IP-addresses stored? To find out, TorrentFreak asked some of the largest Internet providers in the US about their logging practices.
Currently there are no mandatory data retention laws in the United States. Unlike in Europe, Internet providers are not required to track IP-address assignments so these can be linked to specific subscriber accounts.
The question is, for how long will this remain the case, especially considering SOPA author Lamar Smith’s introduction of a new bill last year. Under his Protecting Children From Internet Pornographers Act, ISPs will be required to keep IP-address logs for a minimum of a year.
For now, however, no logs are required by law.
Earlier this week the CEO of Sonic called on fellow ISPs to protect the privacy of subscribers and purge logs after two weeks like his company does. One of the reasons cited was the massive amount of civil subpoenas that are, ironically enough, often sent by “Internet pornographers” in mass-BitTorrent lawsuits.
A refreshing stance, and one that makes users of other providers curious about the logging practices of their ISPs. Unfortunately, nearly all providers are very secretive about their data retention policies. Unlike VPN providers, all admit to logging IP-addresses, but how long they retain them remains a mystery.
In an attempt to find out more, TorrentFreak contacted several large ISPs with the seemingly simple question; How long does “company X” store IP-address assignment logs? Our findings are detailed below.
Those who value their privacy and hide their IP-address can of course always sign up with a VPN provider, one that doesn’t keep logs.

Time Warner Cable
Time Warner informed us that they store IP-address logs for up to 6 months.
Interestingly, the company is the only ISP we contacted that also posts information regarding its data retention on its website.
Comcast
Comcast did not respond to our inquiries but has mentioned a 180 day retention policy for IP-addresses in BitTorrent-related court documents. On some occasions cases have been dismissed because logs were no longer available, meaning that alleged infringers could not be identified.
The 180 day policy is also mentioned in the Comcast Law Enforcement Handbook that leaked in 2007.
Verizon
Verizon’s Privacy Office informed TorrentFreak by email that information about IP address assignments is retained for 18 months, the longest of all ISPs who responded to our request.
Qwest/Century
The Qwest/CenturyLink Law Enforcement Support Group informed us that IP-address logs are kept for approximately 1 year. As is also the case with other Internet Providers, Qwest/Century noted that personal details are only disclosed when the company receives a subpoena.
Cox
Cox failed to reply to our inquiry, but previously it has mentioned a 6 month retention policy for IP-address assignments in the press. In Cox’s “Lawful Intercept Worksheet” the company also mentions that logs are kept for “up to 6 months.”
AT&T
AT&T’s IP-address logging practices are not public. Initially the company did not reply to our inquiry, but upon publishing AT&T’s Privacy Policy Team promised to get back to us as soon as they find out how long logs are kept. We will update this article as soon as their response arrives.
Update (2014): AT&T has never responded but this document posted by ACLU suggests that they retain data for about a year.
Charter
Charter lists no information about their IP-address retention in its privacy policy. However, a reader alerted us to an answer on Charter’s website where it states that residential IP-addresses are retained for one year.
Update 2021: Charter currently retains IP-address logs for six months, unless it’s legally required to keep the data any longer.
The ISPs below were added after publication.
– DSL Extreme says they retain radius IP logs for two weeks on their DSL service.
– Teksavvy (Canada) keeps IP-assignment logs for two years 90 days.
– Eastlink (Canada) keeps IP-assignment logs for one year
– Start Communications (Canada) keeps IP-assignment logs for 90 days
As far as we are aware, this is the first overview of IP-logging practices of the largest U.S. ISPs. However, we need help to make the list more complete as not all the providers we contacted replied.
We encourage all readers to tweet, mail or phone their Internet providers to get a more complete overview, including ISPs not listed above. This is not limited to providers in the U.S. Feel free to forward us the answers so we can expand this article.

Frequently Asked Questions about do websites keep your ip address

Do websites keep IP addresses forever?

The IP address can be mapped back to a specific individual with help from Internet Service Provider (ISP) records. Virtually every website on the World Wide Web (Web) will track and record IP addresses as visitors click through the site’s pages. … Visitors are tracked by a website even when they don’t register or log in.

How long do websites keep your IP?

The Qwest/CenturyLink Law Enforcement Support Group informed us that IP-address logs are kept for approximately 1 year. As is also the case with other Internet Providers, Qwest/Century noted that personal details are only disclosed when the company receives a subpoena. (Jun 29, 2012)

Can a website see your IP address?

When you connect to a website, that website then sees your IP address. … Packets are transmitted through network routers, and the IP address on those packets tells the routers where they need to go. However, websites can’t trace that unique IP address to your physical home or business address. (Dec 1, 2020)
