This post was also written by Chris Cwalina and Frederick Lah.
In VPR Internationale v. Does 1-1017 (C.D. Ill.), Judge Baker opined that Internet Protocol (“IP”) addresses do not — by themselves — qualify as personal information, capable of accurately identifying an individual. While this decision is a landmark ruling for the mass-BitTorrent lawsuits in that it may spell the end of the “pay-up-or-else-schemes”, it may have broader data privacy implications.
In VPR, plaintiff sought to sue over a thousand alleged copyright infringers. The plaintiff did not know the name of these Doe defendants. The plaintiff only knew the defendants by the IP address from which each defendant came. Plaintiff sought to subpoena the Internet Service Providers (ISPs) associated with each IP to learn the identity of each defendant. The court rejected this demand for expedited discovery.
Plaintiff VPR insisted that the ISP’s records would tie every IP address to a flesh-and-blood defendant. Plaintiff drew an analogy to a car rental context. If someone was injured by a rental car, that injured party would be able to take the license plate number and date of time of injury, and demand from the agency the name of who had rented the car. Judge Baker disagreed. He stated, “without access to the agency’s records, all the plaintiff has is the identity of the rental agency, but not who was driving the rental car.” He cited the recent well-publicized MSNBC story where U.S. authorities raided the wrong house because the real offenders were piggybacking on their Wi-Fi connections. Using this example, Judge Baker posited that several of the defendants in VPR may have nothing to do with the alleged offense either. “The list of IP addresses attached to VPR’s complaint suggests, in at least some instances, a similar disconnect between IP subscriber and copyright infringer … Where an IP address might actually identify an individual subscriber and address the correlation is still far from perfect, as illustrated in the MSNBC article. The infringer might be the subscriber, someone in the subscriber’s household, a visitor with her laptop, a neighbor, or someone parked on the street at any given moment.”
In the data privacy context, this ruling may have even broader implications, particularly if it gains momentum and is followed by other judges. Several pieces of draft privacy legislation are making their way around the Hill right now. One of the major issues that policymakers are struggling with is how to define Personally Identifiable Information (“PII”) and what to include as “Covered Information.” Getting this definition right is crucial. What information is covered by legislation will dictate what companies have to do to protect that information, what disclosures they need to make, and what kind of consent companies need to obtain before collecting and using the data. Some of the draft bills define PII very broadly and in such a way that could or actually do include IP addresses. In Senator Kerry’s “Commercial Privacy Bill of Rights” (S.B. 799), PII is defined as, “unique identifier information that alone can be used to identify a specific individual.” In Congresswomen Speier’s “Do Not Track Me Online Act of 2011” (H.R. 654), the definition of “Covered Information” expressly includes IP addresses. In Speier’s bill, specific obligations are tied to the collection and use of IP addresses.
Companies need to think about how they collect and use IP addresses. Indeed, every Internet transaction includes the transmission of IP addresses. While drafters continue to mark up draft privacy legislation and while policymakers contemplate what information can “identify a specific individual,” perhaps the VPR decision lends steam to the argument that IP addresses cannot identify a specific individual. Certainly there are instances where IP addresses may be helpful in identifying a specific individual or coming close to identifying a specific individual, but as Judge Baker points out, trying to do so is far from a perfect science. Policymakers should note Judge Baker’s comments and the problems with trying to fit IP addresses into a definition that should be much narrower and focused on the ability to identify a specific person.