|
|
|
|
|
|
by origin_path
1421 days ago
|
|
|
But, you can't map to "identities" in most of these cases. That's why these laws don't seem to make any sense. An identity is a powerful thing but, an IP address is not an identity. Just knowing one doesn't tell you anything, nor does it let you look anything up unless you happen to have multiple sites that the user is browsing - and even then, not really, due to IP address re-use. |
|
|
An IP address limits the location of a person significantly, unless they use VPN or so, which most people do not, so it cannot be assumed, but rather one must assume, that they do not use VPN.
Add one more attribute and through correlation you might already be able to map to an actual identity. It can happen very easily and you don't want to be an organization, which suddenly realizes, that some of their data has accidentally become personally identifying, when the next data protection audit happens.
Data also does not stay in one place only. It travels from department to department, often from organization to organization even. It has these tendencies, unfortunately. Each actor might have some data as non personally identifying, but when they sell and combine, suddenly it becomes personally identifying data.
An IP address is a very critical part in the data about users and ISPs are not to be trusted to never give their data to another actor. Many ISPs are shady businesses.