Warning for geeks, techies and others - I am taking some minor technical liberties here to describe the use of IP addresses in a way my mom would understand and hopefully stay interested. You probably know the technical details already, so skip to the end. I spent several hours last night at my father-in-law's home, uninstalling dozens of programs that were bogging down his computer. They weren't nefarious programs and were all listed in add/remove via the control panel. But he has never clicked on start, other then to shut down, and does not know how to uninstall a program. He is widely considered one of the most brilliant lawyers in the country, but didn't grow up or spend most of his career using a computer. Most people don't know what you do, so I beg your indulgence while I try to communicate these details in an accessible manner!)
IP or Internet Protocol addresses have become one of the hotly debated areas in the privacy arena. I thought it might be useful to describe what I understand about the ways AOL, Platform A (our advertising business) and many others use this information.
I like to think of an IP address as an address on the internet. This might be a fixed address that is assigned to a particular Web site so that consumers can request the content of the site. For example, when a consumer uses their Web browser to request AOL.com or PrivacyGourmet.com, your computer queries a table that holds the IP addresses assigned to these names and then actually sends a request to that IP address. In order for the Web site to send anything back to your computer, your computer needs an address on the internet. Your Internet Service Provider (ISP) provides you with that address so that you can "connect" to the internet.
When a Web site gets a request for content from a consumer, it "sees" the IP address of the computer making the request. In addition to sending back the homepage requested to the IP addresses, it can use the IP address for a number of purposes including geo-targeting and analysis, fraud, audit and law enforcement support.
Geo-targeting: Some companies have mapped, often to zip code level, the geographic areas where IP addresses have been allocated. Before it sends back content (or an ad) to a certain IP address, a Web site can quickly look up a table that indicates that this IP address belongs to a block used by an ISP in Southern Florida. It could decide to display to the consumer an ad for a convertible rather than one for a snow-blower. Or it might simply log the IP and later prepare a report that showed that 30% or visitors to the site came from the South, 10% came from outside the U.S. and so on. Geo-targeting isn't completely accurate, for example many dial-up AOL users from around the country may appear to be assigned Dulles, Virginia IP addresses because of how we route customers through our proxy servers. But it is certainly useful enough that companies find the information useful.
It is also common knowledge that certain blocks of IP addresses belong to certain businesses, organisations or universities. As a result a Web site or ad server can "know" that certain IP addresses belong to IBM or to MIT and target an ad to presumed tech company employees or university students and faculty.
Fraud: There are criminals who control thousands of computers belonging to unwitting victims who may have downloaded malware. These crooks often try to profit by generating "fake" clicks on ads in order to get paid. Security experts at search engines or ad networks can analyze the logs of IP addresses over time to detect patterns and eliminate the false results.
Audit: An advertiser may want proof that the banners it has paid to have placed on a Web site are actually displayed the number of times promised. Auditors rely on retention of log files that include IP addresses to verify ad delivery.
Law Enforcement: If the FBI believes that child porn has been posted at a Web site or that a criminal used the site to find information used in the crime, it might issue a legal demand for the IP address the Web site has logged. The FBI will then go to the ISP that IP belongs to and issue a legal demand for the name of the ISPs subscriber who was assigned that IP at a certain time. Indeed this happens regularly and criminals are tracked down in this manner.
This last point creates a fair amount of the privacy concerns raised by some. Unless you register, most of the other information a Web site logs when you visit (a "cookie", information about your computer and web browser) is very unlikely to ever be linked to your name. Your IP address is unlikely to ever be linked to your name by a Web site - but an ISP may have a record of which of its users it assigned a certain IP address and thus the government or litigants could possible force the creation of a link to your Web activity. So although most U.S. Web companies firmly maintain that IP addresses are "anonymous" because the data is anonymous to the Web site, the IP address is certainly qualitatively different in that there are circumstances where someone could force an "identification" to take place. And although the courts haven't always agreed, many of the data protection commissioners in Europe have repeatedly advised that in their opinion IP addresses are personal information.
Cognizant of this concern, and as we noted in our comments to the Federal Trade Commission last week, my team has kicked off an effort to examine options for limiting how long AOL retains IP addresses in certain circumstances. I don't think that all of the rules or committments made about personal data are 100% technically or practically relevant to IP addresses, but I do think that is important to recognise the greater sensitivity of this data element and to take steps to examine were more limited retention is feasible.
One additional point to clarify is about the use of IP addresses by Web sites or ad networks to track users over time - to create a profile or for other purposes. I am not aware of anyone in the industry doing this, because IP addresses are just not reliable enough to use in this manner for state management. Despite the fact that many users are on broadband and may use the same IP address for longer than dial-up users, a recent study found that the typical home averages 10.5 IP addresses assigned to a computer in a month. Rather than IP addresses, Web sites and ad networks rely heavily on cookies for most tracking, analytics or behavioral activity. Despite the frailties of cookies (they get deleted, overwritten, removed by anti-spyware programs or users opt-out) they are the common tool used for correlating user data and the privacy debate over tracking is better focused on improving controls and standards for cookie use.
Here are some useful links about IP addresses:
For a quick look up of your IP Address and demonstration of geo-targeting check out
http://whatismyipaddress.com/
Note: Although this tool shows an exact point on a map to illustrate the point, the exact location is actually an approximation. Estimated location information is usually at best available at zip code level.
For information about how an IP address can be used to show the business, university or organization you are coming from, see http://en.wikipedia.org/wiki/List_of_assigned_/8_IP_address_blocks
UPDATE: Just added a video with similar information on IP use. Click Here to go to video.
