Ground Shakes Beneath Google as EC Debates IP Privacy

European approval of Google’s US$3.1 billion acquisition of DoubleClick may be in doubt as privacy hearings held by the European Commission get underway. The hearings are focusing on whether Internet protocol, or IP, addresses should be considered personally identifiable information (PII).

The risk to the pending deal, which has been approved in the United States, is that the European antitrust authority may decide to put privacy back on the table as it weighs its decision. It has previously said it would not consider it.

Google is fighting the idea of categorizing IP addresses as PIIs throughout Europe. Besides the risk of putting the kibosh on Google’s hard-fought DoubleClick deal, such a move would effectively set a higher standard of protection. It could hinder Google’s constant tinkering with search engine algorithms, and might also hurt its advertising platform, as it would be harder to prove to advertisers that real people were clicking on their ads.

For instance, if the EC were to prohibit the recording of IP addresses — or some portion of an IP address, in Google’s case — then Google’s geography-specific search results would be constrained, noted Mark McCreary, a partner with Fox Rothschild.

“If I am using a computer in Philadelphia, and I type in ‘vegetarian restaurant,’ those vegetarian restaurants in my area are more likely to appear because Google can determine my location,” he told the E-Commerce Times. “This functionality would cease under EC prohibitions.”

From a larger industry perspective, e-commerce and Web 2.0 companies do not want to see such a valuable commodity placed off limits from their advertising, product development and monetization schemes.

Thank You, RIAA

Privacy advocates began pushing to include IP addresses in the formal definition of “personally identifiable information” when the Recording Industry Association of America began subpoenaing Internet Service Providers for user information in its quest to shut down peer-to-peer music Web sites.

To be specific, IP addresses do not identify a person — they identify a device, explained Robin Sheldon, also a partner with Fox Rothschild.

“So an IP address is not personally identifiable information,” she told the E-Commerce Times. “This is why, for instance, police need to subpoena Internet service providers to find out the account that belongs to a specific IP address.”

Over time, though, entities can associate IP addresses with individuals, she said.

“The argument that IP addresses cannot be used to identify someone — especially if only one person uses that computer — has been proven to be bunk,” Pam Dixon, executive director of the World Privacy Organization, told the E-Commerce Times.

However, IP addresses can be disguised by altering the string or cutting off the last several digits.

“It is an approach,” Leslie Harris, president and CEO of the Center for Democracy and Technology, told the E-Commerce Times. “Not a perfect approach — but it is one approach some companies are advocating.”

Other options include encrypting IP addresses or not storing them, she noted.

The former option, though, would not preclude prosecutors’ use of IP addresses — an issue that was highlighted in the European Parliament session on Monday, when chair Stavros Lambrinidis asked Google attorney Peter Fleischer whether Google turned over personally identifiable information to government authorities.

Fleischer’s response was that if authorities go “through a valid legal process, we will respond to it.”

Gaining Momentum

Even if the EC decides to ignore privacy issues in its DoubleClick review, the effort to give an IP address the same gravitas as, say, a social security number, will continue, Dixon pointed out.

“This concept, in fact, is just now beginning to gain momentum,” she said.

In October 2007, the World Privacy Organization — along with several other advocacy organizations, including the Center for Democracy and Technology, Consumer Federation of America and Electronic Frontier Foundation — sent a consensus document outlining consumer rights and protections in the behavioral advertising sector to the Federal Trade Commission, which by law must consider it.

That document labeled IP addresses as PII.

In fact, it went much further, including other less-quantitative factors in the definition. Besides consisting of such information as name, address, IP address, social security number or other assigned identifier, PII also was defined as follows:

“[a] set of behaviors or actions to be consistently associated with a particular individual or computer user, even if the individual or computer user is never identified by name or other individual identifier. Any set of actions and behaviors of an individual, if those actions create a uniquely identified being, is considered PII because the associated behavioral record can have tracking and/or targeting consequences.”

Without a doubt, Google — along with other e-commerce firms — will fight to the death against adoption of this broader definition, as it goes to the heart of most Web 2.0 business models.

Right now, however, it is focusing on keeping the privacy debate away from the antitrust review process. Indeed, the company must have had an inkling something like this would happen. In an October 2007 post on his personal blog, Fleischer argues against the possibility.

“That’s just plain wrong, as a matter of competition law,” he says.

“If online advertising presents a ‘harm to consumers,’ let’s try to figure out what exactly the harm is, figure out which online advertising practices to change, and then apply those principles to all the participants in the industry,” Fleischer suggests.

“But we shouldn’t bootstrap privacy concerns onto a merger review,” he continues. “That’s like evaluating a merger of automakers by looking at the gas mileage of their cars. We don’t invoke antitrust law to prevent a merger of car companies because we think the industry should build cars that use less gas.”