United States Court of Appeals for the Sixth Circuit

Case No. 03-2012

JEFFREY KLIMAS
Individually and as a Class Representative
Plaintiff-Appellant,

-v-

COMCAST CORPORATION
Defendant,

COMCAST CABLE COMMUNICATIONS, INC.,
Defendant-Appellee.

APPEAL FROM THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF MICHIGAN AT DETROIT

BRIEF OF AMICUS CURIAE TRUSTe

UNITED STATES COURT OF APPEALS FOR THE SIXTH CIRCUIT

JEFFREY KLIMAS, individually and as a class representative,
Plaintiff - Appellant,

v.

COMCAST CABLE COMMUNICATIONS, INC.,
Defendant - Appellee.

DISCLOSURE OF CORPORATE AFFILIATIONS AND FINANCIAL INTERESTS

Pursuant to 6th Cir. R. 26.1, Amicus TRUSTe Trusted Universal Standards In Electronic Transactions (“TRUSTe”), a not-for-profit corporation organized under the laws of California and classified as a Section 501(c)(6) entity under the Internal Revenue Code, hereby provides its nongovernmental corporate party disclosure as follows:

1. TRUSTe is not a publicly held corporation or other publicly held entity.
2. TRUSTe has no parent corporation.
3. No publicly held corporation or other publicly held entity owns 10 percent or more of TRUSTe.

_____________________________
June 9, 2004

TABLE OF CONTENTS

TABLE OF AUTHORITIES
STATEMENT OF AMICUS CURIAE
INTRODUCTION
ARGUMENT
I. Dynamic IP Addresses Are Not Personally Identifiable Information Because They Are Anonymous, Temporary, And Only Identify Internet Devices
II. Holding That IP Addresses Are Personally Identifiable Information Potentially Could Have Wide-Ranging Consequences
CONCLUSION

TABLE OF AUTHORITIES

FEDERAL CASES
Reno v. ACLU, 521 U.S. 844 (1997)

FEDERAL STATUTES
47 U.S.C. § 230(f)(1)
47 U.S.C. § 551(b)
Fed. R. App. P. 32(a)(7)

STATEMENT OF AMICUS CURIAE

TRUSTe respectfully submits this amicus brief solely to address one issue: whether an Internet Protocol (“IP”) address that is not linked to personal information constitutes “personally identifiable information” (hereinafter “PII”). On this issue, TRUSTe supports affirmance of the decision of the District Court.

TRUSTe is an independent, nonprofit organization dedicated to enabling individuals and organizations to establish trusting relationships based on respect for personal identity and information in the evolving networked world. Founded in 1997, TRUSTe runs an award-winning global privacy certification and seal program. Its seal programs are considered Safe Harbors for the Children's Online Privacy Protection Act of 1998 (“COPPA”), 15 U.S.C. §§ 6501-6506, and the European Union Safe Harbor Framework under the auspices of the Department of Commerce.
Today, TRUSTe maintains the largest privacy seal program with more than 1,300 Web sites certified throughout the world including AOL, Microsoft, IBM, Nationwide and The New York Times. For more information on TRUSTe please visit www.truste.org.

TRUSTe establishes and enforces appropriate privacy standards that recognize the best practices of the industries and the requirements of various existing laws and regulations. Companies seeking to participate in the TRUSTe program must subject themselves to certification by TRUSTe and adhere to recognized standards of acceptable practices.

The core of TRUSTe’s privacy certification program is the TRUSTe Privacy Seal. Displaying the TRUSTe Privacy Seal signals to customers that the company meets TRUSTe’s standards for data gathering and dissemination practices. By displaying the TRUSTe Privacy Seal, Web sites agree to abide by the program’s core tenets, which are based on long-standing principles of fair information practices as interpreted by the United States Federal Trade Commission and Department of Commerce.[1] These core tenets are: notice; choice; access; security, and redress. As part of its program, TRUSTe provides users with an alternate dispute resolution mechanism designed to allow customers to bring their complaints to TRUSTe if they believe a TRUSTe-licensed Web site has misused their data.

The TRUSTe Privacy Seal program has now become the most widely used privacy certification program and is used by all of the Internet portal sites (i.e., Yahoo!, Google) and fifteen (15) of the top twenty (20) most visited websites.

Comcast Cable Communications, Inc.’s (“Comcast”) Web site is part of the TRUSTe Privacy Seal program.

[1] See Department of Commerce staff discussion paper, “Elements of Effective Self Regulation for the Protection of Privacy,” enumerating principles of fair information practices that are essential for a strong self-regulatory approach to addressing privacy available at <<www.ecommerce.gov>>.

INTRODUCTION

The TRUSTe online Privacy Seal program defines “personally identifiable information” as follows:

    “Personally Identifiable Information” means any information collected through the Site (i) that identifies or can be used to identify, contact, or locate the person to whom such information pertains, or (ii) from which identification or contact information of an individual person can be derived. Personally Identifiable Information includes, but is not limited to: name, address, phone number, fax number, email address, financial profiles, medical profile, social security number, and credit card information. Additionally, to the extent unique information (which by itself is not Personally Identifiable Information) such as, but not necessarily limited to, a personal profile, unique identifier, biometric information, and/or IP address is associated with Personally Identifiable Information, then such unique information also will be considered Personally Identifiable Information. Personally Identifiable Information does not include information that is collected anonymously (i.e., without identification of the individual user) or demographic information not connected to an identified individual.

Thus, the TRUSTe program does not consider an IP address or other unique information that is not associated with PII itself to be PII. The IP address or other unique identifier becomes PII only if it becomes “associated with” personally identifiable information.

Because the definition of personally identifiable information is at the heart of the TRUSTe Privacy Seal program, the classification of anonymous, impersonal IP addresses that are used to track Web traffic, but are not associated with personally identifiable information, is of direct concern to TRUSTe.

Although this case concerns the definition of PII under the Cable Act, the decision of the District Court regarding the classification of dynamic IP addresses is fully consistent with the definition of personally identifiable information used by TRUSTe in its online Privacy Seal program.

In contrast, the Appellant and its amicus Electronic Frontier Foundation argue that IP addresses should be considered PII because an ISP has the ability to correlate the IP address with a subscriber’s identity even if the ISP does not, in fact, do so. TRUSTe respectfully submits that Appellant’s position is inconsistent with a proper understanding of PII. This Court should uphold the District Court’s decision.

ARGUMENT

I. Dynamic IP Addresses Are Not Personally Identifiable Information Because They Are Anonymous, Temporary, And Only Identify Internet Devices

IP addresses are the way the Internet[2] identifies each unique device connected to the Internet. Every single computer, server, or other Internet-enabled device is assigned a unique IP address that consists of four numbers – each less than 256 – separated by a period (i.e., 101.201.102.11). Dynamic IP addresses are IP addresses that change over time. ISPs, like Comcast, deliver Internet service by assigning an IP address to a subscriber’s computer. When a subscriber requests a document from the Web, the ISP’s routers record the IP address of the computer requesting the information, direct the inquiry to servers where the requested documents are stored, and then transmit the information back to the subscribers’ computer assigned to the requesting IP address.

[2] The federal Communications Act defines the Internet as “the international computer network of both Federal and non-Federal interoperable packet switched data networks.” 47 U.S.C. §230(f)(1). The Supreme Court has stated that the Internet is simply “an international network of interconnected computers” that exchanges information across the world. Reno v. ACLU, 521 U.S. 844, 849 (1997).

TRUSTe considers IP addresses to be anonymous identifiers because they are not used as personal identifiers. IP addresses, standing alone, are anonymous and only identify a device on the Internet, not the ultimate person using that device. While an IP address is a computer’s public face on the Internet, the identity of an individual whose computer has been assigned an IP address by an ISP is, absent a publication of the information, known only by the ISP and the subscriber. Only the most technically adept Internet users even know their own IP addresses.

Accordingly, under the TRUSTe program IP addresses, standing alone, are not considered “personally identifiable information” unless associated with other information that is traditionally considered PII – such as a name, address or telephone number. The common practice of using IP addresses to track Web surfing activities should not be considered a collection of PII as a general proposition. TRUSTe is unaware of any rationale for concluding otherwise under the Cable Communications Policy Act of 1984 (“Cable Act”). See 47 U.S.C. § 551(b).

In contrast, PII consists of commonly used unique personal identifiers available to the general public and traceable back to the person that it identifies (as well as certain especially sensitive information such as a person’s financial or medical data). In other words, PII is information that might, for example, enable someone to develop a profile of an individual for marketing purposes; and, in order to have practical usefulness, that profile must include a name and/or some form of contact information. Anonymous Web tracking, in and of itself, has little or no value for such purposes.

For these reasons, the District Court was correct when it found that a “dynamic IP address, by itself, does not constitute PII.” Opinion of 7/1/03 (R. 32).
An additional step must occur before an IP address assigned to a subscriber’s Internet connected device can become PII – namely an association between the IP address with identifying personal subscriber information.

II. Holding That IP Addresses Are Personally Identifiable Information Potentially Could Have Wide-Ranging Consequences

Although TRUSTe does not track the number of its licensees that routinely collect IP addresses without associating them with personally identifiable information, the collection of a Website visitor’s IP address is a common practice on the Internet. Websites typically collect IP addresses in order to monitor usage patterns, collect statistical information, and to aid in updating the Web site as necessary. These practices are common and, unless the IP addresses are linked to PII, in TRUSTe’s view raise no legitimate privacy issue.

A decision by this Court that IP addresses are, by themselves, PII could therefore have significant consequences. First, it could affect the common technical operations of a large number of Internet Websites. Any website that is potentially subject to any of the various state or federal privacy laws could be forced to obtain a blanket consent from its visitors before using their IP addresses to monitor Web usage on its site, or cease any use of IP addresses in the first place. Moreover, the web site could be forced to seek this consent each time the visitor’s ISP changed the IP address assigned to the visitor’s Internet device. As most Internet users do not even know what their IP address is, this process could be confusing and cumbersome.

Second, although the TRUSTe program per se is not subject to the Cable Act (although cable company participants in the Privacy Seal program themselves may be), such a ruling could potentially affect the TRUSTe program, which as noted above does not classify IP addresses as PII unless associated with PII.
As a result, TRUSTe licensees could be forced to rethink their privacy policies and potentially be forced to implement onerous practices to perform routine functions. Web sites could also be forced to change their privacy policies should this Court hold that IP addresses are PII. This change would not be limited to IP addresses but would also include any other anonymous identifiers that were “capable” of being traced back to the user no matter how accurate or difficult that process may be.

Instead, the proper result is for this Court to hold that IP addresses are not, by themselves, PII. Only when IP addresses are actually correlated with the personal information of the user of the device assigned the IP address should an IP address be considered PII. To hold any other way would run counter to the privacy expectations and practices of the vast majority of Web sites and Internet users.

Conclusion

Accordingly, the decision of the District Court should be upheld.

_______________________
John C. Yang
William B. Baker
Wiley Rein & Fielding LLP
1776 K Street, N.W.
Washington, D.C. 20006
202.719.4483

CERTIFICATE OF COMPLIANCE WITH FRAP 32(a)(7)

I hereby certify that this brief complies with the type-volume limitation of Fed. R. App. P. 32(a)(7)(B) because it contains, according to the Microsoft Word software in which it was composed and excluding the parts of the brief exempted by Fed. R. App. P. 23(a)(7)(iii), 1728 words.

________________________
John C. Yang

CERTIFICATE OF SERVICE

I hereby certify that, on this 9th day of June, 2004, two (2) true and correct copies of this Brief of Amicus Curiae TRUSTe were served via UPS, Overnight Delivery, upon the following:

Seth Lesser
Locks Law Firm, PLLC
110 East 55th Street
New York, NY 10022

Thomas J. Tallerico
Bodman, Longley
201 W. Big Beaver Road, Suite 500
Troy, MI 48084

Steven E. Goren
Goren, Goren & Harris, P.C.
30400 Telegraph Road, Suite 470
Bingham Farms, MI 48025

Jaime Bianchi
White & Case
200 S. Biscayne Boulevard
Suite 4900
Miami, FL 33131-2352

Kevin Bankston
Electronic Frontier Foundation
454 Shotwell Street
San Francisco, CA 94110

__________________________
John C. Yang