Government proposals to force ISPs to maintain data links between IP addresses and subscriber identities will change at a stroke a key cultural assumption about big data. Until now, online service providers have been making free with the information that flows from connecting a device to the internet on the basis that none of it is personally identifiable information.
That argument has long seemed thin - IP address, just like search terms or location data, may not be directly associated with a specific individual. Data scientists have repeatedly shown just how easy it is to infer who the user is based only on this supposedly anonymous information, however.
With the new requirement to provide both connection history and user data to the security services, identification becomes explicit. Given the cost and processes involved in maintaining that data, it would be surprising if ISPs and mobile networks did not look for ways to monetise it in the commercial realm. At that point, current big data practices which rely on probability will get over-taken by new ones based on proven indicators.
From a data governance point of view, this could actually be a welcome development as it will drag those data science activities out of the shadows and into the clear light of compliance requirements. For one thing, networks will have to get consent to use subscriber data for purposes beyond the provision of service, such as to target ads.
Germany’s recent ruling on Google’s consent practices across its estate shows the direction of travel. When the Data Protection Regulation finally gets passed by the European Parliament next year, it is highly likely that IP address and location data will come under the definition of personal information it is based on, forcing the new wave of data-based service providers to undertake a cultural shift that many could find painful.
Take the example of Uber, the taxi booking service which is currently fighting compliance battles in jurisdictions around the world. Just last week, one of its executives casually accessed a US journalist’s travel log to make a point about the service, unintentionally revealing that the business is using this data without permission.
Like many others, the company probably views location and IP address as non-PII and therefore not covered by legislation or consent requirements. Consumers increasingly disagree and soon the law will, too. It is not often that intrusive data demands by the security services end up improving data governance and data protection for consumers. But in the case of linking IP to ID, they may just be doing us all a favour.