Tuesday, July 21, 2009

Is an IP address "Personally Identifiable Information?" Apparently not.

Brian Johnson, as class representative, sued Microsoft alleging unjust enrichment, breach of Microsoft's End User License Agreement (EULA), violation of Washington's Consumer Protection Act, trespass to chattels, nuisance, and interference with property. Both sides moved for summary judgment on the claim of breach of the EULA.

The EULA prohibits Microsoft from transmitting "personally identifiable information" from the user's computer to Microsoft without the user's consent. According to Johnson, because Microsoft collects users' Internet Protocol ("IP") addresses, it breached the terms of the EULA by transmitting this "personally identifiable information" back to Microsoft. Microsoft did not dispute that it collects IP addresses, but argued instead that IP addresses are not "personally identifiable information."

To know if there was a breach of contract, the Court needed first to construe the term -- what is "personally identifiable information?" Johnson grabbed a definition off of Microsoft's online security glossary, which defined "personally identifiable information" as "Any information relating to an identified or identifiable individual. Such information may include ... IP address." Microsoft countered that the security glossary was not incorporated into the EULA, and was thus irrelevant. It then pointed to 2 cases (Klimas v. Comcast Cable Comm'cns, Inc., 465 F.3d 271, 276 n.2 (6th Cir. 2006) and Columbia Pictures Indus. v. Bunnell, 2007 WL 2080419 *3 n.10 (C.D. Cal. May 29, 2007)) which suggested that an IP address, in and of itself, would not be personally identifiable information.

The Court agreed with Microsoft:

Because the EULA does not incorporate the web glossary by reference, and there is no evidence that any of the Plaintiffs even read the glossary, the court finds that the web glossary is not helpful to construing the provision. Furthermore, the court finds that Microsoft’s interpretation of “personally identifiable information,” in the absence of any definition, is the only reasonable interpretation. In order for “personally identifiable information” to be personally identifiable, it must identify a person. But an IP address identifies a computer, and can do that only after matching the IP address to a list of a particular Internet service provider’s subscribers. Thus, because an IP address is not personally identifiable, Microsoft did not breach the EULA when it collected IP addresses. Plaintiffs’ contract claim on that ground must fail.
