by legitster 510 days ago
This is a world I am very familiar with in my day job.

IP address is pretty definitively regulated as PII under GDPR rules. Our lawyers consider that any sort of hash or other derivative would still be PII, and thus require consent.

(While it's theoretically possible to do analytics on someone without an IP address, browser fingerprinting alone has a half life of ~24 hours. It's not a reliable enough indicator for any business purposes.)

But it's all kind of moot anyway. It hasn't been extensively tested by case law, so no corporate lawyer is going to tell you to go with the innovative black box solution.

In our industry, we all await the completion of the ePrivacy directive. But I suspect regulators have put themselves into a bit of a corner. At the end of the day, TCP/IP is inherently a non-anonymous protocol. Your identifiers are baked into the architecture of the internet as fundamentally as your home address is known to the mail system and your license plate is to the transit system.


> At the end of the day, TCP/IP is inherently a non-anonymous protocol, as fundamentally as your home address is known to the mail system

Yes. And the irony is that the German "privacy purists" use the non-private system of having your actual name in post boxes instead of apartment numbers.

It would be so funny if they shot themselves in the foot with it, but it's not going to happen unfortunately.

An address is already PII, whether you pseudonymize it with apartment numbers or not.

Also I think in practice the bigger concern with IPs is that the IP itself is PII at the time you collect it, so you're always processing PII even if the hash or other such "anonymized" data you store may end up not technically being PII if there's no way to correlate it to an actual person after the fact (which wouldn't be the case for a simple hash which can be deanonymized with rainbow tables).
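The point in the comment above about a simple hash being reversible deserves a concrete look. The script below is an added example, not code from anyone in the thread: it hashes every address in a constructed documentation subnet (192.0.2.0/24, TEST-NET-1) with plain SHA-256 and shows that an unsalted digest is undone by a single dictionary lookup, because the entire IPv4 space is only 2^32 values and a precomputed table covers it. It then shows the usual mitigation, a keyed pseudonym (HMAC-SHA256 under a secret that is rotated per day), which is stable within the day for counting uniques, unlinkable across days, and not reversible by enumeration without the key. The daily-rotation scheme, the secret value and the subnet are assumptions for the demo; whether such a pseudonym still counts as personal data is the legal question the thread is debating, and the code only shows the technical difference.

```python
"""Added example (not from the thread): an unsalted hash of an IPv4 address is
reversible by enumeration; a keyed, rotating pseudonym is not."""
import hashlib
import hmac
import ipaddress
from typing import Dict, Optional


def plain_hash(ip: str) -> str:
    """Unsalted SHA-256 of the address text: the 'simple hash' the comment warns about."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def build_lookup_table(network: str) -> Dict[str, str]:
    """Precompute digest -> address for every host in a subnet.
    The full IPv4 space is only 2**32 addresses, so the same table can cover all of
    it; one /24 (constructed demo input) is enough to show the principle."""
    return {plain_hash(str(host)): str(host)
            for host in ipaddress.ip_network(network).hosts()}


def reverse_plain_hash(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Recover the address behind an unsalted digest with one dictionary lookup."""
    return table.get(digest)


def daily_key(master_secret: bytes, day_iso: str) -> bytes:
    """Derive a per-day key from the master secret (assumed rotation policy: one key
    per calendar day). Only the master secret needs protecting; rolling the day
    breaks the link between yesterday's pseudonyms and today's."""
    return hmac.new(master_secret, day_iso.encode("ascii"), hashlib.sha256).digest()


def keyed_pseudonym(ip: str, master_secret: bytes, day_iso: str) -> str:
    """HMAC-SHA256 of the address under the day's key: stable within a day so daily
    uniques can be counted, different the next day, and not recoverable by
    enumerating addresses without the secret."""
    key = daily_key(master_secret, day_iso)
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    table = build_lookup_table("192.0.2.0/24")      # constructed: TEST-NET-1
    visitor = "192.0.2.17"                           # constructed sample visitor
    print(reverse_plain_hash(plain_hash(visitor), table))   # the address comes straight back
    secret = b"constructed-demo-secret-do-not-log"   # assumed secret, never stored with the data
    p_day1 = keyed_pseudonym(visitor, secret, "2024-01-01")
    p_day2 = keyed_pseudonym(visitor, secret, "2024-01-02")
    print(p_day1 != p_day2, reverse_plain_hash(p_day1, table))  # unlinkable across days, no lookup hit
```

Note that the lookup table is only as exhaustive as the address space it was built from; the demo stops at one /24, but nothing about the technique changes at 2^32 entries, which is why the comment's "rainbow table" objection applies to any unsalted hash of an IPv4 address.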

> An address is already PII, whether you pseudonymize it with apartment numbers or not.

The full address is PII. But a street level address isn't necessarily, if it points to an apartment block.

The problem with the mail boxes is that you're leaking that a "Mr. Smith" is living at that address. Now with Mr. Smith this is not such a big problem but if you're looking for "Mr. LessUnique" then it is.

If you're arguing that landlords should have to get written consent to post a tenant's name on the mail boxes and door bell, then I agree. If we're talking about tenants doing it themselves, then there's no privacy issue unless someone else collects that information and uses it for other purposes.

Curious to know why browser fingerprinting has a “half life” of 24h? I always assumed it would be more static compared to an IP address and therefore a more powerful tracking mechanism (albeit more shady / less legally understood compared to using IPs).

Most of the non-IP components of fingerprinting are pretty goofy things like browser version, device, screen size, etc. If you are dealing with web traffic in any meaningful number, you have to dip into really minute details to tell apart visitor 10,001 from 10,002.

More often than not, the details that make your device unique on one day will not stay unique by day two. Your browser might change versions, you might resize your viewport, install a font, etc.

I believe phone apps can get more conclusive device IDs via the SDK, but for web traffic cookies and IP addresses are still the only reliable identifiers. I would take any study or hypothetical about fingerprinting with a massive grain of salt if they don't keep a stable match for 30 days.

There’s actually a site to test this… https://fingrprintr.pages.dev (I made it)

It routes you to a chat room based on your browser fingerprint. You can check back every so often and see that your room has changed. If your hardware/fingerprint is generic enough, you’ll see other people’s messages in “your” room.

> IP address is pretty definitively regulated as PII under GDPR rules. Our lawyers consider that any sort of hash or other derivative would still be PII, and thus require consent.

Probably more helpful to phrase this as Personal Data instead of “PII” as the latter does not appear in the GDPR once and the former is much broader in scope than PII data.

Personal data (while being what GDPR uses) is not as precise. Key is "identifiable".

For example "likes French fries" is "personal data" in the general sense but not GDPR since it is not identifiable since you can't figure out who it is talking about. Your name, address, etc. is identifiable because it can be tied to a physical person.

GDPR is not concerned with whether or not the data is identifiable. If it is linked to an individual, it is personal data.

In the context of an analytics package, a pageview would be considered personal data because it is associated with an individual user.

Article 4 is pretty clear.

> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

https://gdpr-info.eu/art-4-gdpr/

Sorry! PII is still the industry shorthand.