I wonder how the recent ruling of the Bavarian state court regarding Google Fonts and GDPR affects Storj and this proposal?

Yes, but that is a special case. It should be also treated as such in the regulation. Usually one can only access one source of information.

It will likely register that the IP address visited, let’s say, a profile page in an edit mode. And, for the bug reporting purposes, it might have recorded the DOM tree of the page.

“Usually” is a weak claim when considering security. With security you need to consider a motivated actor, not a rando lurking around.

If it did, you can ding the code repository site for sharing the name and have a very good case to go after them. THAT is a pretty clear violation of privacy, but has nothing to do with the IP anymore.

But it doesn’t matter, the judge specifically ruled that it doesn’t matter whether the third party can actually resolve the IP to an identity. So the approach of accepting the sharing of IP only in these scenarios is out of the window anyway. I just don’t know how I feel about that quite yet.

Under GDPR, sure. In the US or Australian jurisdiction… uh, probably depends on a thousand factors.

Your example goes into the opposite direction of what we were talking about. I was talking from the point of view of a service provider. As such one can only get information that has been entered by a user and a small part which can be inferred by user behavior on the provided platform. Security is important, but that was not the topic. A malicious actor can always obtain and combine information from different sources, no regulation will stop him.

My point was why single items are branded as personal information, when they only work in conjunction.

Yes and when we apply this to Storj the argument could definitely be made that storage node operators don’t have an ability to gather additional information.

Going back to the text in the ruling:

It is sufficient that the defendant has the abstract possibility of identifying the persons behind the IP address. Whether the defendant or Google has the specific opportunity to link the IP address to the plaintiff is irrelevant.

I actually wonder about the nuances of this. Do storage nodes have the abstract possibility of identifying the person? I think it could be argued that they do not. But the exact wording of a ruling like this matters. Any German speaking person want to see if they can pull more details from the original German text?

Funny enough, they state exactly my questions for why IP is personal information in their first paragraph.

Dynamische IP-Adressen stellen für den Betreiber einer Webseite ein personenbezogenes Datum dar, denn er verfügt abstrakt über die rechtlichen Mittel, die vernünftigerweise eingesetzt werden könnten, um mithilfe Dritter, und zwar der zuständigen Behörde und des Internetzugangsanbieters, die betreffende Person anhand der gespeicherten IP-Adressen bestimmen zu lassen (im Anschluss an BGH VI ZR 135/13).

Translated: For a website owner dynamic IP addresses are personal information because he can, with help of a third party (lawyer and ISP) obtain the personal information of a person.

That is theoretically true, but in reality one needs a plausible cause and a court order. You can’t just obtain that information because you want to.

EDIT: Just read the ruling. Wow. What a garbage.

Both of you keep forgetting that from GDPR’s perspective, a node operator is not an independent entity. A node operator must follow the laws of their jurisdiction, and apparently in some cases these laws require handing over data to a centralized entity, which does have ability to gather additional information. That’s really enough.

A node operator has no means to gather additional information, besides the IP address and which encrypted part was down- or uploaded.

Also in the case of Google Fonts. Google also has no idea which page you have been visiting. It also only has your IP downloading a font.

There are plenty of regimes where that unfortunately isn’t the case.

But a nation state sure can.

So yeah, this is a valid argument.

This is a link to the full text: https://openjur.de/u/2384915.html

Considering the IP address personal data is not the idea of (this) court. This idea comes from the GDPR law. But this does not make it unlawful to process IP addresses. You’ll just need justification, which means legitimate interest, technical requirements or consent.

Of course. Rules don’t apply to the rulers.

I’m aware of the law, but it’s the legitimate interest part that makes the law itself vague, so that’s why I’m interested how that was interpreted in this case specifically.

That was done here:

Es liegt auch kein Rechtfertigungsgrund für den Eingriff in das allgemeine Persönlichkeitsrecht vor. Ein berechtigtes Interesse der Beklagten i.S.d. Art. 6 Abs. 1 f) DS-GVO, wie von ihr behauptet, liegt nicht vor, denn Google Fonts kann durch die Beklagte auch genutzt werden, ohne dass beim Aufruf der Webseite eine Verbindung zu einem Google-Server hergestellt wird und eine Übertragung der IP-Adresse der Webseitennutzer an Google stattfindet.

Translation:

There is also no justification for the encroachment on the general right of personality. A legitimate interest of the defendant within the meaning of Art. 6 Para. 1 f) DS-GVO, as claimed by it, does not exist, because Google Fonts can also be used by the defendant without a connection to a Google Server being established and the IP address of the website user being transmitted to Google.

The defendant had claimed technical reasons as legitimate interest, which the court has denied.

The browser may send a “referrer” header to Google. Or, the font may be accessed by a different URL for each site.

I haven’t read the case and am not familiar with the vagaries of GDPR…

However…

  • tracking individuals via Google Fonts is possible.
  • connecting an individual with a particular IP address within a particular timeframe to a particular Internet location is possible.
  • tracking individuals across the Internet via browser fingerprinting is possible.

Since we are discussing a global network of devices, addresses, and users, we are never actually discussing singular data items as if they existed in a vacuum. Also, any discussion of LEO requiring a court order to obtain xyz items is kind of moot considering the Snowden data dump along with other controversial persons and secret court orders.

In short:

  1. Criminals don’t abide by the law, whether those criminals are Nation States or regular individual humans.
  2. Pretty much the only thing that any of these privacy laws do is make it harder for honest entities to function.
  3. Big Business, whether tech or any other, makes the rules via political influence.

Randomly found examples of privacy issues related to IP addresses, browser fingerprinting, and Google Fonts:

Ahh thanks, so yeah, I would still argue that this wouldn’t apply the same way to the use of Storj. Unless they claim you can use Storj through the gateway MT. Which is technically true, but has a lot of other implications as this can serve as a bottleneck at large scales and prevents you from being able to benefit from the decentralized nature of the network. I think that would probably be enough for a legitimate interest exception.

However, technically some of these things can be claimed about Google Fonts as well as Google serves as a CDN for the font. Though the relatively small file size and the fact that the original server is already sending lots of similarly sized assets to the client is probably an argument that they do not have a legitimate argument there.

On the other hand, with Storj there is only very small metadata exchanged with the satellite and the vast majority of data comes from storage nodes. So a similar argument can’t be made there.

True, but again, then the discussion wouldn’t be just about the IP. And it’s trivial to prevent doing this.

uhh, do I want to know? :P

One of the big things it has done is limit the spread of data. Within organizations and outside. A lot of these rules don’t just apply when communicating with the outside world. Even inside a company, when a marketing department wants to build a marketing database, they have to abide by a lot of the same rules. Which means they simply don’t get access to data they have nothing to do with. This is a massive change and does a lot to limit the attack surface criminals can abuse.
It’s incredibly inconvenient, I agree. But it isn’t entirely without merit.

Size doesn’t matter…

Pixel tracking is a standard method of putting together logged out user profiles for visitors to web locations… there are also zero length space tracking methods…

Pixel Tracking:

https://en.ryte.com/wiki/Tracking_Pixel

And of course, there’s always the Facebook profile that one hasn’t created:

https://www.makeuseof.com/tag/facebook-tracking-stop/

Literally, the like button on pages is tracking you, whether or not you have a FB account or even visited the website at all.

Google Fonts is a giant privacy risk… that’s just true.

If anyone doubts that, install EFF’s Privacy Badger and watch as the web gets uglier and suddenly Google error pages show up pretty much everywhere…

It doesn’t matter for tracking obviously. But it could be part of an argument for legitimate interest in using an external host for data rather than hosting the data yourself.

For context in most cases GDPR requires you to use the minimal amount of data to be able to use the required functionality. With the Storj use case you could argue that you didn’t share more than was absolutely necessary for the network to function. (assuming you don’t share more than IP and data sent back and forth)
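
An added example, not written by anyone in this thread: a small Python audit that lists the third-party hosts a page makes every visitor's browser contact on load, which is the IP disclosure at issue in the Google Fonts ruling and in the tracking-pixel posts above. The sample HTML and the hosts `shop.example` and `tracker.example` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample page; shop.example and tracker.example are made-up hosts.
SAMPLE = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<style>@import url("//fonts.googleapis.com/css?family=Lato");
@font-face { font-family: Local; src: url(/fonts/local.woff2); }</style>
</head><body>
<img src="https://tracker.example/pixel.gif" width="1" height="1">
<img src="https://cdn.shop.example/logo.png">
</body></html>"""

LINK_RELS = {"stylesheet", "preload", "preconnect", "icon"}  # rels that open a connection
CSS_URL = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*['"]?([^'")\s;]+)""", re.I)

class ThirdPartyAudit(HTMLParser):
    def __init__(self, first_party):
        super().__init__()
        self.first_party, self.in_style = first_party.lower(), False
        self.findings = []  # (where, host, url) in document order

    def record(self, where, url):
        host = (urlparse(url).hostname or "").lower()
        # Relative URLs have no host: they are served by the site itself.
        own = host == self.first_party or host.endswith("." + self.first_party)
        if host and not own:
            self.findings.append((where, host, url))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.in_style = self.in_style or tag == "style"
        rels = set((a.get("rel") or "").lower().split())
        if tag == "link" and rels & LINK_RELS and a.get("href"):
            self.record("link", a["href"])
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.record(tag, a["src"])

    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"

    def handle_data(self, data):
        for url in CSS_URL.findall(data) if self.in_style else []:
            self.record("css", url)  # @import / url(...) inside inline CSS

def audit(html, first_party):
    parser = ThirdPartyAudit(first_party)
    parser.feed(html)
    return parser.findings
```

A page that serves its fonts from its own origin, the alternative the court pointed to, produces an empty findings list for those resources.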