The Four Horsemen of the Apocalypse, Class of 2011: IPv6
The third in a series of columns exploring the Four Horsemen of the Apocalypse, circa 2011: The cloud; data security in the new world of recreational hacking; IPv6; and the new rules for gTLDs, a quartet that keeps in-house lawyers awake at night.
The previous two columns in this series—The Four Horsemen of the Apocalypse, Class of 2011—discussed the Cloud and Recreational Hacking and what they mean for corporate counsel. This column looks at the third of the Horsemen: IPv6, the new protocol for the Internet that is rolling out over the next few months.
The Internet—originally known as ARPANET, among other configurations—was developed by geniuses like Jon Postel, Vint Cerf, Lawrence Roberts, and others who made the technology advances that laid the groundwork and the backbone for the worldwide web as we know it today. I was honored to have met Postel and Cerf in the 1990s when I participated in hearings before the World Intellectual Property Organization in Geneva. The debates then centered on access and growth. One topic that was never discussed (or if it was, only in passing) was whether the Internet would ever run out of numbers – the unique identifiers known as Internet Protocol (IP) addresses. After all, the key to the Internet’s design was that it was scalable and could grow without foreseeable limitations. At least that was the plan. An IP address is only one element of the Internet’s overall design, commonly referred to as TCP/IP, a system composed of many network layers (application, transport, Internet, and link).
What we know as the Internet is essentially a series of servers and other networked devices all over the world, all connected through wired and wireless routers. Each of these devices is identified by a dynamic or a permanent IP address. If dynamic, IP addresses are temporarily assigned to devices on an as-needed basis as they come on- and offline. But if a network segment runs out of IP addresses when too many devices request an IP address, growth comes to a standstill. Any new device requesting an IP address must wait until another device relinquishes its IP address—in essence, turning the pace of new devices coming online to the information superhighway to that of a former-Soviet Union breadline.
This collection of IP addresses operates under what is known as Internet Protocol Version 4 (IPv4). Think of it as a software program that allocates numbers. IPv4 has approximately 4.3 billion available addresses. More than enough, right? Wrong.
In truth, we have lived with the fear of number exhaustion for years, and many regional Internet registries have already run out of assignable numbers. Large holders of IP addresses, such as businesses, typically pool these numbers on the network dynamically, deploying an IP address to a device on demand. Other operations, on the other hand, may have a one-device-to-one-IPv4-address setup where they have reserved sufficient IP resources. So, when we evaluate whether an IPv4 address is identifiable to a device or person for privacy purposes, our answer must be: “It depends.” More specifically, it depends on whether the IPv4 address is static or dynamic.
Unfortunately, there are simply too many devices and not enough IP addresses for each device to have a unique and static IP address or enough to make dynamic randomization a continued option.
Say hello to IPv6. To address this address dilemma, the Internet Engineering Task Force (IETF) developed IPv6, a numbering protocol that provides a much greater IP address capacity than its predecessor. Under IPv6, every device can have its own unique and permanent IP address. Thus, IPv6 addresses have the theoretical potential to be unique to each device on the Internet, with over approximately 340 undecillion (trillion trillion trillion) available addresses. That’s a really big number. Makes the U.S. debt look like petty cash.
This all matters because IPv6 has concrete privacy ramifications. With far more permanent addresses on the Internet, online-device profiles become easier to develop, making it easier to amass identifiable data on the device’s owner unlike ever before. Tracking takes on a whole new meaning when one is certain that they are always receiving data from the same computer, mobile device, or other computing device. Algorithms can be designed to extrapolate behavior into all sorts of valuable individual and demographic data. Indeed, many in-house privacy professionals have already responded to this dilemma by collecting addresses as little as possible within their own IT departments. (Which begs the question: What is your company doing?) But, there are cases in which collection of an IP address is unavoidable or required for law-enforcement purposes. So, privacy professionals are lobbying for privacy regulation to focus on use rather than the mere collection of data.
Over the next few years, corporate counsel must closely watch the regulatory environment to ensure that the paranoia over potential abuse does not throw the baby out with the proverbial bath water. As it is, pundits are raising serious regulatory concerns that are based more in perception than reality. The industry has consistently said it is not really interested in knowing the behaviors of individuals but is focused on demographic or psychographic groups, targeting ads and offers that cross large populations. In fact, network managers have methods to anonymize IP addresses even under IPv6, allowing marketers to disassociate collected data from a specific IP address.
The engineers who developed IPv6 had sufficient foresight to identify the privacy complications that could exist when each consumer device on the Internet has a unique and static IP address. The IETF has been anonymizing IPv6 addresses by developing algorithms for temporary pseudo-anonymous IPv6 number assignments. Sounds complicated, huh? It is.
The catch, however, is those parties responsible for assigning IP addresses must agree to participate in the anonymization process. It’s not automatic. Likewise, responsible marketers, while they cannot avoid the logging of IP addresses, should examine if they can disassociate any IP addresses logged from the collected mass of browsing habits before such data is mined.
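One way the log-side disassociation described above could be done, as an added example that is not from the column: truncate each logged address to its network prefix and replace the full address with a keyed pseudonym whose key is rotated and discarded. The function names, the /64 and /24 cut-offs, the key and the log lines are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed log lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    "2001:db8:12:34:0211:22ff:fe33:4455 GET /shoes",
    "2001:db8:12:34:0211:22ff:fe33:4455 GET /checkout",
    "2001:db8:12:34:91c4:7e02:5d1a:0b3f GET /news",
    "192.0.2.17 GET /shoes",
]

def is_hw_derived(addr):
    """True when an IPv6 interface identifier has the ff:fe filler of a
    MAC-derived (EUI-64) address, i.e. a stable per-device value."""
    if addr.version != 6:
        return False
    iid = int(addr) & ((1 << 64) - 1)      # low 64 bits = interface identifier
    return (iid >> 24) & 0xFFFF == 0xFFFE

def truncate(addr, v6_bits=64, v4_bits=24):
    """Keep only the network prefix (assumed cut-offs: /64 and /24)."""
    bits = v6_bits if addr.version == 6 else v4_bits
    net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    return str(net.network_address)

def pseudonym(addr, key):
    """Keyed hash of the full address; discarding the key ends linkability."""
    return hmac.new(key, addr.packed, hashlib.sha256).hexdigest()[:16]

def scrub(lines, key):
    """Return log records with the raw address removed before any mining."""
    records = []
    for line in lines:
        addr_text, _, request = line.partition(" ")
        addr = ipaddress.ip_address(addr_text)
        records.append({
            "network": truncate(addr),
            "visitor": pseudonym(addr, key),
            "hw_derived": is_hw_derived(addr),
            "request": request,
        })
    return records

if __name__ == "__main__":
    for rec in scrub(SAMPLE_LOG, key=b"constructed-key-period-1"):
        print(rec)
```

Within one key period the same device maps to the same pseudonym, so aggregate counts still work; once the key is discarded, the stored pseudonyms can no longer be linked to an address or to records from a later period.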
What can corporate counsel do to anticipate this change?
First, advertisers should communicate to regulators that the collection of data should not be their primary focus. The ability to collect such data does not mean that the data element is mined, shared or ultimately, used. Thus it is the use, not the collection, that should be the central issue. If regulators focus on the collection and thwart the ability to fully realize the potential of IPv6, they are putting the proverbial cart before the horse. All that approach will do is stifle competition and further complicate what is already a technology nightmare that fewer and fewer companies can navigate without considerable expense and exposure.
Second, the advertising community must communicate that as the online community transitions from IPv4 to IPv6, it does not mean that IP addresses become instantly identifiable. There will be varying degrees of IPv6 deployment nuances that will continue to keep IP addresses in the “possibly identifiable” area that software entrepreneurs and ISPs will develop as concerns rise. Overzealous regulation will not add to the vibrancy and potential of IPv6.
Third, companies need to understand and comply with the current online behavioral advertising self-regulatory guidelines promulgated by the Digital Advertising Alliance (DAA); visit aboutads.info to learn more. These guidelines create safe harbors that can apply as IPv6 is deployed. Undoubtedly, the DAA will also proactively adjust its rules lest the ships in its harbor be torpedoed.
Before IPv6 becomes more ubiquitous, marketers must decide (1) whether most responsible actors will decouple IPv6 addresses from profile data (to shift the regulatory focus away from automatic data collection); (2) how any decoupling would occur technically; and (3) how the industry can continue to police itself. Hopefully, regulators will let the DAA deal with this and keep their hands off something that their intervention will only complicate and impede, rather than fostering the pace of innovation.
Douglas Wood is a partner in the New York office of Reed Smith LLP. He specializes in media and entertainment law and is editor of Network Interference-a Legal Guide to the Commercial Risks and Rewards of the Social Media Phenomenon, a White Paper on how social media globally impacts every level of business. The White Paper is available here.