Newsletter IP, Media & Technology January 2015
IPv6 and data protection
The introduction of the IPv6 standard is in full swing. This should be of interest to more than just corporate system administrators. If the vision of every device on the “Internet of things” being assigned a unique IP address becomes a reality, it will have legal consequences. Companies that are currently considering making their website IPv6-compatible should pay particular attention to the data protection law implications.
The end of the old IP address?
The IPv4 standard, introduced in the early 1980s, has reached its limits. Since the Internet Assigned Numbers Authority (IANA) symbolically transferred the last IPv4 addresses to the continental awarding bodies in 2011, the approximately 4.3 billion conventional IP addresses have all been awarded, even if there is currently a sufficient number of addresses available at the local level. There are no more new addresses. At most, addresses that have already been assigned will become free again through bankruptcy or voluntary surrender.
The IPv4 address is still the most common form by far
Nevertheless, the conventional IPv4 address, consisting of four numbers from 0 to 255 (e.g. 157.134.2.57), is currently still the most common form of address. Lawyers have become accustomed to this form of address as part of their everyday work in the areas of criminal prosecution, enforcement of civil law claims on the Internet and data protection law. Not all Internet providers, including those in Germany, have converted to IPv6 thus far (German Telekom has been offering IPv6 addresses to new customers since September 2012), and both types of IP address will be valid during a lengthy transitional period under the so-called “dual stack” procedure. Even so, it is now time to consider the legal consequences of converting to IPv6.
The new standard: IPv6
The IPv6 address consists of 8 blocks of four hexadecimal digits and looks something like this: “2001:0db8:85a3:08d3:1319:8a2e:0370:7347”. The 2^128 possible addresses are sufficient to assign more than 600 sextillion addresses to each square meter of the earth’s surface. Therefore, it will actually be possible to contact every piece of technical equipment through the use of a unique global address. This El Dorado for public prosecutors and cybercrime forensic experts is more like Sodom and Gomorrah for data protection advocates.
Enforcement of rights on the Internet
Thus far, the introduction of IPv6 has provided very few opportunities to identify rights violators on the Internet, and the situation is not expected to change in the near future. This is primarily due to the low penetration of the new standard. Even if some providers are already issuing IPv6 addresses, IPv6 currently accounts for less than 1 percent of all Internet traffic. Even though other indicators show a significant increase in the number of IPv6 users this year (for example, Google has issued a statistic indicating that Germany is particularly far ahead in “IPv6 adoption” as compared to the rest of the world), website operators and file-sharing networks, which rightly fear warnings, will probably stay with IPv4 as long as possible. The operator of an internet service is free to choose whether or not it wishes to become IPv6-compatible.
Personal identification through IP addresses
If companies decide to use IPv6, this decision should be supported from a data protection law standpoint because the IP address can determine whether or not information is personal. Data protection law only applies if a piece of information can be so specifically attributed to a person that it constitutes a personal datum (Sec. 3 (1) of the German Federal Data Protection Act (BDSG)). Whether a dynamic IPv4 address – whereby a new address is issued to a user with each dial-up – refers to an identifiable natural person with sufficient specificity is disputed. While data protection supervisory authorities are predominantly of the opinion that every dynamic IP address constitutes a personal datum, the Berlin Regional Court (judgment of 31 January 2013 – 57 S 87/08) decided that sufficient personal identification can only be assumed under certain additional circumstances. However, this judgment is under review by the BGH, which recently referred this delicate legal assessment to the ECJ (decision of 28 October 2014 – VI ZR 135/13). The long overdue clarification of this question may already be irrelevant in many cases since it is now possible to issue a far greater number of static IPv6 addresses.
Personal identification despite dynamic IPv6 addresses?
IPv6 is likely to re-shuffle the cards with respect to dynamic addresses. With IPv6, there must be a more precise distinction than before between the prefix of the address, which is assigned to a household or a company, and the part of the address that can be assigned to a device, the so-called interface identifier.
Even if the prefix is dynamic, there may be a unique assignment to a device with the aid of the interface identifier, since the so-called MAC address is regularly used for this part of the IPv6 address. The MAC address uniquely identifies every device that communicates with the Internet, such as smartphones, modern televisions, PCs, wireless-controlled electronic shutters or game consoles. It is thus possible that, although no one knows in which WLAN a laptop was located (since every WLAN has its own prefix), a visited website, for example, can precisely attribute the IPv6 address to a certain laptop on the basis of the interface identifier.
Privacy extensions: Not pre-set in all operating systems
Of course, data protection activists worldwide were opposed to this, and, as a result, so-called privacy extensions can be activated in most popular operating systems. These use a randomly generated interface identifier instead of the MAC address. However, in particular the older operating systems generally do not have this ability, and with some of the current operating systems, the function is generally turned off. This means that, when a website with IPv6 access is offered, it must be assumed that many incoming IP addresses are personal data, since – unlike previously – it is possible, depending on the individual case, for a conclusion to be drawn as to the device and thus the person involved, if there are multiple logins to the same MAC address. In any case, this is the opinion of the supervisory authorities. However, since there is no official register of MAC addresses that records every individual device, one must examine whether it is possible for the responsible body to match the MAC address with a person through reasonable effort in every instance. The supervisory authorities’ admonition to always assume that personal identification is possible “in order to avoid data protection law problems” (Guidance on Data Protection with respect to IPv6, p. 12) may be too strict in many cases. To what extent this necessitates additional consents can only be decided on a case-by-case basis. However, it is clear that the “data protection notices” on websites must be revised, particularly when tracking tools, such as Google Analytics with its IPv6-functionality, are used. The extent to which the shortening of the IP address, which is customary with IPv4, will be transferred to IPv6, has currently not been sufficiently clarified.
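The following added example (not part of the original newsletter) shows, for a website operator reviewing its own access logs, how a MAC-derived interface identifier ties the same device to two different prefixes, and how an address can be shortened before it is stored. The sample addresses and MAC address are constructed, the function names are hypothetical, and the 64-bit cut-off is an assumption, since the appropriate shortening for IPv6 has not been settled.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log entries (documentation prefix 2001:db8::/32, made-up MAC).
SAMPLE_LOG = [
    "2001:db8:aaaa:1:021a:2bff:fe3c:4d5e",  # laptop in WLAN A, MAC-derived identifier
    "2001:db8:bbbb:7:021a:2bff:fe3c:4d5e",  # same laptop in WLAN B (different prefix)
    "2001:db8:aaaa:1:5c1f:93a0:77e2:0b14",  # privacy extensions: random identifier
]

def split_address(text):
    """Return (prefix, interface identifier) as two 64-bit integers."""
    value = int(ipaddress.IPv6Address(text))
    return value >> 64, value & (2**64 - 1)

def mac_from_identifier(iid):
    """Return the MAC embedded in a modified EUI-64 identifier, or None.

    Heuristic: a random identifier can contain ff:fe by chance (about 1 in 65,536).
    """
    raw = iid.to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":  # marker inserted between the two MAC halves
        return None
    mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:8]  # undo the flipped u/l bit
    return ":".join(f"{b:02x}" for b in mac)

def devices_seen_on_several_prefixes(addresses):
    """Map each recovered MAC to the prefixes it appeared under, if more than one."""
    seen = defaultdict(set)
    for text in addresses:
        prefix, iid = split_address(text)
        mac = mac_from_identifier(iid)
        if mac:
            seen[mac].add(prefix)
    return {mac: p for mac, p in seen.items() if len(p) > 1}

def shorten(text, keep_bits=64):
    """Zero everything after the first keep_bits bits (64 is an assumed cut-off)."""
    net = ipaddress.IPv6Network((text, keep_bits), strict=False)
    return str(net.network_address)

if __name__ == "__main__":
    for mac, prefixes in devices_seen_on_several_prefixes(SAMPLE_LOG).items():
        print(mac, "seen under", len(prefixes), "prefixes")
    print([shorten(a) for a in SAMPLE_LOG])
```

Dropping the lower 64 bits removes the device-specific part, but a static prefix can still point to a household or company, so a shorter `keep_bits` value may be needed depending on the case.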
Data protection supervisory authorities have their eye on IPv6
In any case, it is clear that German data protection authorities have already placed the topic of IPv6 on the agenda. This is attested to by the jointly authored “Guidance on Data Protection with respect to IPv6”. The very fact that there are still few IPv6-compatible commercial websites could mean that every company that ventures into this area will become the focus of the data protection authorities.
Conclusion: The introduction of IPv6 addresses throws a completely new light on the question of whether a personal identification can be made with the aid of an IP address. Companies that make their Internet websites IPv6-compatible should answer this question for themselves so they do not come within the crosshairs of the data protection authorities unnecessarily.