We have a similar system based around Cisco's CNR which is a popular
DHCP/DNS system used by large ISP's and other large organization and it
is the IP+Timestamp coupled with the owner to MAC relationship which
allows unique identification of a user and we have strict data
retention policies so that after the data has been maintained for the
interval specified by the Provost it is permanently removed from the
database.
We treat IP/Mac information as personally identifiable information and
as such limit access to this information to authorized users only.
But there seems to be a misapprehension that a dynamically assigned
address cannot be associated with a individual.
Eric Gauthier wrote:
Heya,
In the US, folks are fighting the RIAA claiming that an IP address isn't
enough to identify a person.
In Europe, folks are fighting the Google claiming that an IP address is
enough to identify a person.
I guess it depends on which side of the pond you are on.
They are both right. If you have a dynamic IP such as most college students
have, it is here-today-gone-tomorrow.
Our University uses dynamic addressing but we are able to identify likely users
in response to the RIAA stuff. There is a hidden step in here, at least for our
University, in the IP-to-Person mapping. Our network essentially tracks the
IP-to-MAC relationship and the MAC-to-Owner relationship. For us, its not the
IP that identifies a person, but the combination of IP plus Timestamp, which can
be used to walk our database and produce a system owner.
I'm guessing that Google et. al. have a similar multi-factor token set (IP,
time,
cookie, etc) which allows them to map back to a "person".
Eric :)