Saturday, February 14, 2015

You are your metadata: When the government stores your IP address to 'make the site more useful for you'

A Dutch traveler to the U.S. recently received some additional scrutiny as reported here (in Dutch).

The media reports said this: The man had filled out his ESTA Visa Waiver application, and the system that records it had examined the IP address used and determined he was located in Jordan.

The ESTA web site, however, gives the impression that the IP address is not tracked or recorded for this purpose. See the last sentence of the subsequent privacy statement.

The ESTA website's privacy statement says this [our italics]:
When you browse, read pages or download information on The Department of Homeland Security's websites, we automatically gather and store certain technical information about your visit. This information never identifies who you are. The information we collect and store about your visit is listed below:
  • The Internet domain (for example, “xcompany.com” if you use a private Internet access account, or “yourschool.edu” if you connect from a university's domain) and IP address (an IP address is a number that is automatically assigned to your computer whenever you are surfing the Web) from which you access our website
  • The type of browser (e.g., Netscape, Internet Explorer) and operating system (Windows, Unix) used to access our site
  • The date and time you access our site
  • The pages you visit
  • If you linked to the Department of Homeland Security website from another website, the address of that website
This information is only used to help us make the site more useful for you. With this data we learn about the number of visitors to our site and the types of technology our visitors use. We never track or record information about individuals and their visits. 

There is probably a national security exception for that, too.

It does not matter what exactly went on in the case of this traveler. Nor would we dare to suggest that the web site is changed to include a question like: Hey, your current IP address is XXX.XXX.XXX, and the country is YOURCountry, If this is not correct, please enter a message below.


We are using this example only to make one point: You are your meta data.

You may have heard the snappy You are the product in the context of free internet services, be it Google mail, Facebook, Twitter, etc. 
While helpful, the You are the product quip leave out a couple of aspects. One: even if you pay for a service, your data are more often than not used to make more money.
Two: You are the product gives you a false sense of knowledge, because you know who you are. But "your" data go far beyond the generic "you".


The point is that data are created without you having any control over them. The IP address is a great example of this type of administrative data that can then be used to help define who you are.

Originally intended to be nothing but a series of numbers to allow you to connect to other computers and services on the internet, the IP address has been turned into something like an internet social security number, with sometimes expensive or surreal consequences.
As you read this, someone may be sued over alleged copyright infringement purely because an IP address is allegedly assigned to a computer used for illegal movie or audio downloads.

Yes, you "have" an IP address right now, otherwise you would not be able to read this. But using an IP address against you relies on two things:
1) At any given point in time, the IP address should uniquely identify you.
2) Your computer skills are not good enough to fake an IP address.

Item 2 is almost assured, few people have the skills and the resources to spoof an IP address.

Item 1 has been subject to legal battles for the simple reason that IP addresses change and that records of such changes are often presented as 100% reliable - which they are not. In countries like Germany, the simple legal solution for a time was an abstraction layer: the person who owned the internet connection was held liable for any abuse.

And the IP address issue is only the beginning. Think about identity theft. We are rightly worried about inexplicable charges on a credit card or cybercrimes committed with our online credentials but there are more devious doppelgaenger issues out there.

A small time whistleblower, for instance, who seems to turn into a stalker? The malicious boss who signs up a hated employee to an extremist web site, to a bunch of porn sites? You have not heard of such a story? These things tend to not make it into the news, but they exist. And there will be more in the future.

So, the internet is a lot like driving. You have no idea what really goes on under the hood, the roads are what they are, the other drivers include road raging ones, and you are likely to have an accident at some point.

Just hope it won't be a complete wreck.

And be nice to those around you, not just on Valentine's Day or on Christmas.








No comments:

Post a Comment