Can we collect these data for security purposes?
For organizations, it is a common practice to collect, store, process, and analyze online records data. This data record includes the IP addresses of each computer that accesses or attempts to access a network, the website or the process. In ethical hacking, these records can be used to determine the source and pattern of an attack, and to provide early warning about these events, even to prevent them.
However, arising from this activity we can come up with two relevant questions: Within the framework of the European Union General Data Protection Regulation, are IP addresses considered personal data? And, if so, can they be collected, stored and processed with or without the consent of the IP proprietary? There is no single answer, because it depends on other factors.
What is an IP address?
According to ethical hacking specialists from the International Institute of Cyber Security, an Internet Protocol (IP) address is a numerical tag assigned to each device connected to a computer network that uses the Internet Protocol and it complies two main functions: network interface identification and address location.
An IP address can identify a connected device, not the actual identity of the person using that device. In addition, the extent to which the IP address actually identifies a device may depend on whether the IP address is “static” (the device has a specific assigned IP address associated with it) or “dynamic” (the device is assigned a new IP address every time it connects to the Internet). Even if it is dynamic, it can depend on whether the IP address is reallocated for each session and how long each session can last. The longer an IP address is associated with a device, the more it will be “associated” that IP address with that device.
The information needed to connect an IP address to a device is not publicly available in most cases. An IP address, for example 220.127.116.11, may be associated with a government office, but not with any specific individual or device in that office. The IP address will identify an Internet service provider responsible for assigning that address to a subscriber. With the IP address, date, time, and possibly other data, the vendor can determine which subscriber was assigned that IP address at any given time. If the subscriber uses a VPN or a similar tool, forensic analysis will be required to determine who is associated with that address.
Some ethical hacking experts doubt that IP addresses can be considered as personal data, as Internet service providers do not give this information to anyone, usually a court order or other legal process is required to be able to track the IP address of an Internet service subscriber. Therefore, it is not possible to find an IP address and associate it with a specific person, so this information cannot be considered as personal data.
Personal data is at the core of the European Union GDPR, but it is not clear whether an IP address is adjusted to its definition of personal data. The GDPR establishes that “a personal data is any information related to an identified or identifiable physical person (data subject)”. As for the data subjects, the GDPR establishes that “an identifiable natural person is that which can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or one or more specific factors of physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Specialists in ethical hacking mention that, according to GDPR, an IP address is considered personal information when the provider has the additional data needed to link that IP address to a specific individual. Therefore, if your Internet provider can track your identity or activities or identity by your IP address, then, with respect to them, your IP address is personal information. But the case is ambiguous.
It all depends on the context
An IP address can be personal information if you want to keep track of what a specific person is doing, if you have the ability to do so and if you have reasonable access to the data needed for this to happen. If you are compiling IP address data to see which sites your employees visit, then they count as personal data. If you are conducting a general traffic analysis, this information should not be considered as personal data.
Collecting these data for security reasons can be a more complex case. To a greater extent, the records are used to have a general idea of the security status of a company. As for security, we can know that an IP address has been identified as the source of a particular attack, and we can, with other information, link that information to a malicious actor in Belarus (for example), that still does not make it into personal data. If we then link that information, for example, to a group of hackers, this is closer to the conception of GDPR personal data; the key is there, to link all this information to a specific person.