Why IP Tracking Is A Bad Idea

By
  • Facebook
  • Google Plus
  • Twitter
  • LinkedIn

The Debate"The Debate" is a column focused on the current debate around ad targeting and consumer privacy.

Today's article is written by Auren Hoffman, CEO, Rapleaf.

IP addresses are the fabric of the Internet— they are the “To” and “From” stamps that make delivering messages between computers possible.  While they are necessary to route information from computer to computer, they can -- in many cases -- be traced to a human or, at least, a household.  That means they can be used to track people’s online behavior in a way that eliminates their anonymity online, which bodes poorly for the future of the internet.

Users should be anonymous when they aren’t logged in

While new technologies that enable content personalization can provide substantial value, users must also be assured that their identity is protected for legal, ethical, and safety reasons.  Consumers should have the presumption of anonymity when they are surfing the Internet and not logged into a site, and they should not be tracked - either by the government or private sector – in a way that eliminates anonymity.

To ensure consumer safety and the Internet’s continuing growth, the presumption of anonymity is paramount.  In particular, third-party services like ad networks, widgets, and off-site platforms like Facebook Connect, should maintain individual anonymity. They should not be able to see someone’s cookie, IP address, or browser information and know exactly who the person is.

IP addresses are personally identifiable

IP addresses should be thought of as privileged information.  From our tests, IP addresses perfectly identify about 30% of U.S. households.  That means that from IP address, a site can know your exact address.  My home IP address, for instance, has been the same for over four years.  If consumers understand that their exact browsing habits can be tied to them individually, their wariness will slow their use of the Internet.

The EU took an active stance on IP addresses in 2008, declaring IP addresses as personally identifiable information (PII).  This is an important first step because IP addresses are PII.  That said, even the EU would admit that IP addresses do not always directly correlate to a given person.  Laptop users frequently change IP addresses as they move from an Internet café to work, for example, and ISPs often dynamically swap out IP addresses.  An IP address can sometimes only give approximate location, and may be shared across many members in an office, university, or café.

Many Internet companies use these examples to claim the IP addresses are not personally identifiable, that they are just broad representations.  But while IP addresses do not always identify households, they do so in a significant percentage of traffic (especially in Internet traffic outside work hours).

Of course, there are legitimate and even valuable uses of IP address tracking.  Tracking the IP address of suspicious ad clicking behavior often helps prevent unsophisticated hackers from committing click fraud.  Using an IP address as an additional piece of identity allows an efficient way of spotting when a credit card or identity has been stolen.  IP addresses can help understand the country of a user so you can customize the language displayed.  However, in the process of providing valuable services to its customers, many Internet companies are needlessly tracking a wide variety of data in their logs correlated directly to the IP address.

Cookies are safer for consumers

Fortunately, for companies interested in tracking user behavior for Internet personalization, there is a great consumer-centric alternative – the cookie.  Using cookies to track users and provide valuable services has several important advantages over using IP addresses:

  • Because cookies sit as plaintext on a user’s browser, they identify the party tracking user information clearly.
  • Since cookies are governed by browser security preferences, the user has complete control over the amount of tracking and can choose between anonymity or personalization.  Another benefit is that cookies can be cleared easily and at any time (unlike IP addresses).
  • Cookies can only be tied to one browser in one device (unlike an IP address, which is tied to all devices in a household). Most importantly, third party cookies should not include any personally identifiable information.  If used properly, cookies allow Internet services to improve their products and the consumer experience without fear of compromising an individual’s anonymity.

Despite these advantages, awareness of what cookies are and how they work continues to be a challenge for the average consumer.  Nonetheless, cookies represent the best technical compromise between personalization and a user’s control over online identity.

The IP address should be considered protected information.  As such, we should agree on a certain limited set of circumstances (e.g. fraud prevention) in which IP address tracking is necessary.  Even for these circumstances, we should agree that anyone collecting IP addresses should be held to a higher standard of security and consumer disclosure.  For the vast majority of Internet personalization cases, we should eliminate tracking of IP addresses and move more to a cookie-centric world in order to protect Internet users and promote more responsible growth and innovation.

  • Facebook
  • Google Plus
  • Twitter
  • LinkedIn

Email This Post Email This Post

By on at

14 Responses to “Why IP Tracking Is A Bad Idea”


  1. Rob Leathern says:

    I agree given that IP addresses (according to Rapleaf's data matching vs. personal information of US households) identify 30% of users there should be tighter guidelines and self-regulation through industry bodies like IAB/NAI at the very least. But I also think that the email address should be considered protected information. As such, we should agree on a certain limited set of circumstances in which email address retention is necessary (e.g. for existing client relationships, or for bonded/certified opt-in permission-based marketing applications). Even for these circumstances, we should agree that anyone collecting email addresses should be held to a higher standard of security and consumer disclosure. For the vast majority of Internet use cases, we should eliminate storage and retention of email addresses. Thoughts?

  2. Tim Wintle says:

    Reading your article has made me remember how difficult it is for non-technical users to fully appreciate all the intricacies involved in these issues.

    I think that this article suggests that cookies are far more of a magic bullet than they actually are though.

    (all targeting and mentions of data stored below are hypothetical, they don't relate to the data I/anyone in particular actually stores)

    It's important to recognise that although ip addresses are personally identifiable, storing them alone doesn't pose any risk (since they're in the public domain anyway) - but we in the ad industry attach non-public information to them (that an ip address viewed a specific site for example).

    That information is the sensitive part, which can pose a risk to users' privacy if not done carefully.

    Keying user data on some kind of random id (stored, for instance, in a cookie) would seem to avoid privacy issues when you first look at it, because there isn't immediately personally identifiable information attached to the sensitive information.

    It's important not to overlook the huge amount of data that carries quasi-identifiers with it though. For example, recording that user X viewed a site for baby clothing identifies the user as a new parent. Storing their location (by storing that they were shown ads targeted at specific regions) might show they live in a specific country village, but commute to a large city nearby.

    Those two bits of data alone may be enough to identify the user by their cookie - giving exactly the same privacy concerns as before - but possibly giving the company holding the data a feeling that they need to have less security over the data.

    This is why I'm still very cautious over the privacy issues (and legal issues) surrounding any kind of behavioural targeting.

    Regarding the specific point:
    "they identify the party tracking user information clearly"
    - but they don't identify what data is being stored - that's normally held on the party's servers, and the user has no access to the data.

  3. Alison says:

    Auren, this will probably mark me as incredibly naive, but I always thought that IP addresses just identified you by rough geographic location (like city). Are you saying they can in some cases link to your home address? Are you able to explain further or link to an article that does? Thanks!

    • Tim Wintle says:

      Alison,
      An IP address is a unique identifier, like a telephone number. It does count as personal information under at least UK law (and Europe-wide law IIRC).

      Like a home telephone number, there may be a few people who share the same IP address, or even a whole office.

      Unlike phone numbers, there isn't a single "telephone directory" for IP addresses though. You can think of them as all being unlisted.

      The IP address will either be registered to an individual, or more often to an ISP. That ISP will have records of what address the IP address is based at, or what the GPS coordinates of that IP address are (for mobile devices). That data is held by the ISP though, and (under UK law at least) needs an official request from an authorised party to get the data.

      So the IP address does identify the location of the user (and often identifies a specific user), but the actual data can't necessarily be legally accessed.

      Looking up geographical data from an IP address (for targeting) is done statistically using publicly accessible data the ISP or user has specifically shared.

      That data might not be available for a specific IP address, but it should be accessible for a group of IP addresses that that IP address belongs to (linking it to a local telephone exchange's location for example).

      Alternatively it can be done via statistical approximations based on where similar IP addresses are located - the key point being that it's a statistical estimate, and Geolocation is never 100% accurate (although it is around 99.9% accurate). For example, when I'm on a mobile device my IP address appears over 100 miles away from where I am ( It appears from where the main servers for my telephone provider are).

  4. Alison says:

    Very helpful, Tim, thank you! So it sounds like in order to pin down an IP address to a specific person, one would need a court order in most cases?

  5. Dan Scott says:

    The fact that IP addresses are personally identifiable mandates (in my mind) that they must be protected or, at the very least, offer the consumer the option to "disengage" their IP tracking to one or multiple sources.

  6. ranatalus says:

    Better remove our physical addresses from all letters, too, since they can perfectly identify 100% of households!

  7. Mike S says:

    I don't undersand how an IP address is PII. Maybe when IPv6 is used, but not the IP alone. In the world of computer forensics, you can not pin a crime on someone by IP address alone. In fact, the MAC address doesn't identify you either, it identifies the network card, nothing more, nothing less. It does not identify the user, the user's online alias, what kind of computer. The IP with subnet mask is much like a street address, it identifies which house you are in. The Physical/MAC address identifies the network card, the first 6 numbers are unique to the manufacturer, the last 6 are a serial number to the card. So I don't understand this argument.

    • Benny says:

      Generally IP Address lookup tool available to the public is designed to give you an idea of where your IP you lookup is located. This is not 100% accurate due to many different factors. Some of those factors include where the owner of the IP has it registered, where the agency that controls the IP is located, proxies, cellular IPs, etc. If you are in the US and the controlling agency of the IP is located in Canada, chances are the IP address lookup results will show as Canada. Showing a Canadian IP while in the US is very common among Blackberry users on the Verizon network.

      The results IP Address lookup may include the IP Address, City, Host Name, Region / State, Postal / Zip Code, Country Name, Country Code, Time Zone, city Longitude, city Latitude, ISP, Domain Name, Net Speed, and IP Decimal.

      Often, people think if they perform and IP address lookup, that they are going to find the physical mailing address of the user assigned the IP in question. This is simply not true. I not aware of any IP address database that will give you the exact physical postal address of the IP address you lookup. At best, you'll get the exact city in which the user of the IP is located. For an exact physical address you would need to contact the ISP of the IP address in question. However, without a police warrant, or some sort of legal document forcing the ISP to turn over the information, don't expect them to give you the mailing address of the user that was assigned the IP.

  8. Paulo Cunha says:

    Hi,

    Just would like to clarify the argument of the article.

    The article seems to suggest "IP address tracking" vs "cookie tracking".
    This is not a real argument.

    Let's make something clear, no one uses IP addresses for user identification in web applications or sites. It's too prone to miss-identification, and there's an easier alternative, cookies.

    The argument currently being discussed in the industry is if IP addresses can or should be stored *along* with cookie-based or view-based information, such as an anonymous user id or a page URL.

    The argument in favour of storing IP addresses are two-fold:
    - they help debug and resolve technical problems when they arise, for example when network latency is reported it's handy to have ip addresses stored with the requests in order to see if it affects only certain networks or the entire internet. Other uses are click-fraud prevention and identity theft protection (e.g. same user id cookie logging in or being seen in two different network locations typically triggers an alarm flag).
    - Geographical and other IP-based segmentation tools, such as differentiating users on a "dial-up" connection to those on broadband. The is a compromise here, where it may be possible to get "some" information about users Geo or connection types when IP addresses are not removed but only partially anonymised, e.g. removing the last octet. This is, for example, what Google released as their "anonymisation" function in part to appease the German Data Protection Authority.

    I do agree IP addresses can be considered PII in some circumstances, and it's storage should be avoided when possible.

    Nevertheless, no legitimate business that I am aware of is out there trying to identify people by their IP address. The reason store IP addresses is a technical one. Either because it's simply easier to do so (it's the default in most web servers configurations, for example) and / or because it provides great help for engineers to debug network problems.

    Cheers!

    Paulo Cunha

  9. Eric says:

    Never in the history of the internet has anyone ever been entitled to anonymity. All web servers observe user IP addresses. The responsibility lies with the user to know that everything they do can be easily tracked, and that's how it has been since day 1. Want to be anonymous? Use a proxy and stop crying. The proxy server, however, will have your real IP address. The ability to track IP addresses is a handy tool when you're dealing with "keyboard tough guys" who are abusive and threatening because they think they're safely hidden. Drop them their address and a smiley face and all the sudden they're a lot less abusive.

Leave a Reply