Google has found itself stuck between a rock and a hard place in its legal battle with Viacom over the question of whether IP addresses constitute “personally identifiable information,” as Jim pointed out yesterday. It’s worth noting, however, that EU regulators have left Google little choice but to stake out uncharted territory in order to defend its data collection practices.
Under the European Union’s strict privacy directive, websites are prohibited from retaining “personal data” for more than six months. What exactly constitutes personal data is up for debate. Google, which retains IP addresses for 18 months, has taken the position that IP addresses don’t constitute personal data and therefore are not subject to EU data retention limits.
That argument has placed Google in a double-bind in its legal proceedings with Viacom. In his recent ruling, Judge Stanton specifically referenced Google’s recent blog post which argued that IP addresses should not be considered personally identifiable information. If IP addresses aren’t private, Stanton reasoned, then what’s the harm in Google handing them over to Viacom?
Whether an IP address can identify an individual is a matter of context. Google stated recently, “Based on our own analysis, we believe that whether or not an IP address is personal data depends on how the data is being used.” That makes sense; an IP address alone is generally not enough information to identify an individual, absent a court order.
Yet while IP addresses are not capable of overtly identifying individuals in the same way as phone numbers and addresses, IP addresses combined with other details often make it possible to positively identify individuals with a high degree of accuracy. Anybody can run a reverse DNS lookup on an IP address, which usually reveals the city and state in which the user of that IP address is located, along with the service provider. The YouTube logs that Google has been ordered to produce include not just IP addresses but also usernames and specific viewing times, so it’s all but guaranteed that quite a few individuals could be personally identified given enough man-hours of data mining.
Surprisingly, Google is not arguing that usernames are personally identifiable. Sure, they’re self-selected and often completely pseudonymous, as Berin noted. But it’s fairly common for people to use the same username across online forums and instant messaging services. The same LobsterBoy1922 who spends his evenings watching Rick Astley clips on YouTube is probably the same LobsterBoy1922 who often posts using his real name on the AVS Forum.
Some people even use their real name as their username, but that still doesn’t mean that they’ve sacrificed their expectation of privacy. While I believe that users have no inherent of expectation of privacy online, Google has a robust privacy policy governing user data. Website privacy policies can go a long way towards establishing an expectation of privacy for users. Google admits its privacy policy is legally binding, so it seems reasonable for people to watch YouTube under the assumption that their viewing habits won’t be exposed to third parties.
I don’t see why Judge Stanton felt it necessary to grant such a broad discovery order in the first place. Why does Viacom need usernames or IP addresses of YouTube viewers to accomplish its objective of determining whether YouTube is “capable of substantial non-infringing uses?” Google’s (unanswered) request to hand over partially redacted viewing logs would protect user privacy without impeding Viacom’s ability to compare viewing statistics between infringing and non-infringing videos.
Some have even argued that Google should simply refuse to comply with the court order. Such a bold move would invariably trigger contempt penalties, but would also give Google a lot of favorable press and positive blogosphere credo. And Google might even overturn the court order on appeal, although any appeal wouldn’t be heard until after the discovery deadline passes.
While Judge Stanton’s ruling is a blow to the privacy of YouTube users, many in the media are vastly exaggerating the privacy implications of the court order. Viacom won’t have free reign to do as it pleases with the YouTube logs, despite what some bloggers have suggested. Remarkably, journalists continue to omit any discussion of the protective order that places narrow conditions on Viacom’s access to the YouTube logs.
As Berin explained last week, worries about the YouTube records being used to file lawsuits against viewers are similarly overblown. Suing viewers would likely run afoul of the protective order—possibly resulting in legal penalties—plus there’s no legal precedent for taking people to court merely because they viewed infringing video files. And due to the strict confidentiality provisions in the protective order, a data breach or accidental leak would expose Viacom (or its outside experts) to serious civil liability. Still, information is volatile, as Jim warns, and Viacom’s analysis will only endanger the secrecy of YouTube’s logs.