Websites Can Store IP Addresses Without User Consent--To Improve Security, Says CJEU

The Court of Justice of the European Union ruled that websites in the EU are free to store IP addresses if it can help them improve the security of their websites. The websites can do it even without user consent, which is normally required by EU Data Protection laws when website operators want to store data beyond the information necessary for billing.

Anonymous Web Surfing

Patrick Breyer from the German Pirate Party launched a lawsuit against the German government for storing IP addresses of visitors, arguing that users have a right to surf the web anonymously. The German federal institutions were storing IP addresses to prevent cybernetic attacks and make it possible to bring criminal proceedings.

The right to surf anonymously may still be in place if users themselves take measures for surfing anonymously, such as using Tor or a VPN. However, according to the CJEU, the government and other organizations can still legally register and store the IP addresses they see connecting to their sites, if they can use them to stop cyber attacks.

The issue at hand was also about whether storing dynamic IP addresses, which is what Breyer was using, represents an infringement on privacy. By definition, dynamic IP addresses change automatically, so it wouldn’t be possible to easily identify a person through the IP address unless the government also requests more information from the user’s ISP.

Ensuring Continued Site Functioning

The CJEU believes that website operators can register and process user data without consent as long as there is a legitimate interest in ensuring the continued functioning of the websites. However, that interest should go beyond a specific use of their publicly accessible websites. In this case, the IP address data can be used to prevent cyber attacks, which is something all websites may have to do to ensure their continued functioning.

The Court also said that the use of data should not override the fundamental rights of users (from the Charter of Fundamental Rights). In other words, websites shouldn’t collect data for purposes of, for instance, mass surveillance, which the Court has said before is non-proportional and indiscriminate, violating the fundamental right to privacy.

Good News For Facebook?

A Belgian court ruled earlier this year that Facebook can’t track non-users through cookies (which is a little different than tracking by IP); Facebook responded by positing that the tracking is necessary to protect Facebook users against cyber attacks, among other things. Facebook ended up winning that case because of a jurisdictional issue, but it may have to face the same case again at a later time, whether in Ireland, where its data gathering happens, or elsewhere.

However, it's not clear whether this ruling by the CJEU will help Facebook in the future, because Facebook uses the tracking for other objectives, such as advertising, too. Further, cookies can’t be sent without consent from users, according to the (in)famous “EU cookie law.” Therefore, it remains to be seen whether this ruling will help companies expand their user tracking for advertising or other purposes in the EU, without requiring user consent.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Mac266
    Um guys... "Consen"?
  • Morbus
    Well, doesn't Google Analytics store the IP of all the users? I haven't used it in a while, but I remember StatCounter doing it.
  • David Whapham
    What people need to understand here is that we don't own the IP addresses that are given to us by our ISPs. I don't see how a website storing them is a violation of anyone's right to privacy.
  • 3ogdy
    18753896 said:
    What people need to understand here is that we don't own the IP addresses that are given to us by our ISPs. I don't see how a website storing them is a violation of anyone's right to privacy.

    Your address is 96th Johnson Ave., 93930, California, Los Angeles.
    We know it, just because we want it...just in case somebody attacks us and we could possibly blame you. Of course, to stop thieves from getting in OUR house, we need your address.

    Next step: Now, please, write down your own address on a piece of paper and stick that piece of paper to your forehead. That way, even if it's a place reachable by basically everyone, they know when you're out, where you've been, at what time...etc.etc...and they'll know that forever.("store")

    As if an attacker couldn't be stopped without storing the addresses of every single visitor. Right, this is just not possible today. Not anymore, I mean. I support the need for open toilets in the middle of the street.
    Because our citizens deserve to be protected by law abuse enforcement agencies whenever they encounter problems with excrements coming out their anuses. (yeah, somebody's gotta lick that, NSA)
  • An IP address is just that, an address. If you sent a letter without a return address, you wouldn't expect to get a letter back. When you ask to see a website, they can't serve it to you if they don't have your IP.

    Now, about storing your IP, and all the data of every click you make on their website, and the aggregate analytics available of all your behavior, well, get over it. It's never going back. If you don't like it, don't use the internet.
  • abbadon_34
    "cybernetic attacks"

    Which sci-fi movie clip should I link?
  • cats_Paw
    First of all, this is pure propaganda BS at its finest.
    Any kind of hacker that can potentially be dangerous knows that the best way to stay hidden is to not use your own IP (in this case we are not talking about getting onto someone else's computer and using his IP but using a public IP like the one on the airport or so).

    Second, there are two types of IP: Static and Dynamic. If you have a Dynamic IP address, you will most likely be tracked down to about 150 users that have the same gateway.

    3rd, You don't protect yourself from hackers, that's a myth. There are two options: You attack the hacker back (if you are lucky enough to be on your guard when the hack happens) or you do damage assessment after you know you've been hacked (what kinda everyone is doing right now, Sony, Dropbox, Steam, Hillary Clinton... you get the idea).

    So knowing the IP from where an attack came is like knowing what gun shot the bullet that killed you. It won't stop the guy pulling the trigger, and you still don't know who the gunman is, only the gun model.

    4th, What this CAN be used for is more control over the masses. Target propaganda, ad revenue, blackmail material, etc.

    5th, Those who have that information are the ones that decide what they will do with it, not you. Personally I don't trust people I know nothing about too much.