UPDATE: Two Google officials, Matt Cutts, a top search engineer, and Peter Fleischer, Google’s global privacy counsel, wrote comments below reacting to this post. I wrote some thoughts responding to their comments in another post here.



Google has responded to European regulators who have suggested that Internet Protocol addresses of users be considered personally identifiable information.

Not surprisingly, it disagrees.

The issue matters because the standards for what companies do with data that can be traced back to an individual are subject to tighter rules than other information they use — as they should be. Google records the I.P. address associated with every search it handles.

In a post on the Google Public Policy Blog, Alma Whitten, a software engineer, points out that often the I.P. address assigned to any one computer is changed on a regular basis by the Internet provider that services that computer.

Google, she writes, strongly supports “the idea that data protection laws should apply to any data that could identify you. The reality is though that in most cases, an I.P. address without additional information cannot.”

True enough. But it’s also true that if someone has your I.P. address, it makes it much easier to gather the additional information needed to identify you.

Think of an I.P. address as one of two keys needed to unlock a door. Just because the second key is needed too, doesn’t mean the first key shouldn’t also be protected.

In the case of dynamic I.P. addresses — those that are periodically changed — the other key is held by the Internet providers themselves. And they are routinely forced to provide information about which customer was assigned what I.P. address at a given time in response to legal proceedings.

Technically, fixed I.P. addresses — those that are permanently assigned to a given computer — are also not personal information, because a Web site doesn’t know who is using that computer. But once the site, or a partner, convinces a user at that site to reveal his or her identity — to register for a service, make a purchase, or even enter a sweepstakes — that information can be associated with everything else the users of that computer do.

Yes, there may be more than one person who uses a computer, just as there is often more than one person who uses a home telephone. Few people would say that this means phone numbers aren’t personal

Google is right to say that an I.P. address isn’t exactly the same thing as your Social Security number. But its blog post also skips over all the ways that having your I.P address can help someone unlock information about what you do online. And doing so doesn’t help the debate over what the right protections for personal information should be.