Mikael Abrahamsson wrote on 06/09/2019 08:59:
On Thu, 5 Sep 2019, Ray Hunter (v6ops) wrote:
IMHO Expected behavior. Many European data protection people consider
an IP(v6) address to be privacy-sensitive personal data. That will
likely mean regular renumbering of IA PD by ISP's as the norm rather
than the exception.
This is the first time I've seen anyone make this claim (I guess
related to GDPR). I've gone through GDPR review and talked to others
who have done the same, and I from a GDPR point of view there is no
reason to renumber on a regular basis. From what I can tell,
renumbering at some frequency makes no difference from a GDPR point of
view. The addresses are privacy sensitive regardless if you change
them frequently or not.
This last sentence is key.
FYI The opinion I read was as follows:
"The same also applies to IP addresses. If the controller has the legal
option to oblige the provider to hand over additional information which
enable him to identify the user behind the IP address, this is also
personal data."
So if the provider intentionally destroys any method of linking an IP
address to a user behind an address (by regularly renumbering using
pseudo-random prefixes) then by the opposite argument the IP address
shouldn't be considered personal data any more.
This is a method that I've also seen used to pseudo-anonymize MAC
addresses logged via wifi in a building management system. The MAC
addresses were hashed with a pseudo random key that rotated every day,
and the key was not stored anywhere. So the location data could be
tracked accurately for an individual device over a period of 24 hours,
but the privacy people considered this good enough that the result
wasn't considered as personal data, because there was no practical way
to work backwards from the hashed addressed to the movements of an
individual device carried by an individual person.
I ain't a lawyer.
My experience is that the frequent renumbering is a local market
practice that people in that market got used to. As a swedish user, I
hadn't heard of this practice until I started talking about these
things with people that ran/experienced ISPs in other nations. The
defaults are also different.
Some markets have frequent renumbering (some even reset the PPPoE
session once per day, which is a flash renumbering eevent), some never
renumber unless there is a big network change (I've had the same IPv6
prefix now for a year).
The conclusion is that we need to create solutions that handle both
these cases.
I agree with your conclusion, so the rest is pretty much a moot point
for Homenet.
--
regards,
RayH
<https://www.postbox-inc.com/?utm_source=email&utm_medium=siglink&utm_campaign=reach>
_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet