Hubbub over IP Addresses

To read the press coverage of the past few weeks, one might think that web servers had just developed a nefarious new tactic in the target-marketing wars -- registering and retaining records on the IP addresses to which they deliver information.  The uproar on Google refusing to comply with a DOJ request for random search request data has subsided for the moment, but the idea that Google keeps a record of every search submitted and can cross-reference on various attributes remains a hot button. BoingBoing (certainly a tech-savvy site that knows better than to believe the hype) presented its own eager round-up on the Google-correlations beginning with comments by private IT consultant Adam Fields.

Similarly, people seem shocked that Internet service providers might be able to associate IP addresses (whether static or dynamically allocated) to particular subscribers.  The BBC freaked over ISPs receiving court orders to turn over subscriber information on alleged file sharing sites, while the New York Times sounded the alarm bell over similar tactics in US federal and state courts for a variety of criminal and civil cases.

I'm not asking "isn't this horrible?" though -- my questions are more along the lines of "why did it take so long to be an issue?" and "don't we want courts involved in defending individual privacy?".  The RIAA has been issuing blanket subpoenas and John Doe lawsuits (where it knows something about a defendant but not the true legal identity) against alleged file-sharers for nearly two and a half years, with the EFF offering advice on countermeasures.  Six years ago, I was filing my own John Doe complaints in federal courts to get subpoena authority against AOL, Yahoo!, Microsoft, and small ISPs.  (*)

Society as a whole is probably benefitted by some limits on private corporation's data retention.  If Google really wants to "do no evil," it can certainly adopt a 90- or 180-day retention policy for search results -- some IP tracking is probably relevant to support AdSense payout and whatnot, but longer retentions are an invitation for more snooping by lawyers.  I'd also suggest that Google and other content providers need to reassert themselves -- for example, reviewing the sufficiency of complaints before responding to subpoenas.  Privacy and data usage disclosures are required from finance companies (banks, credit cards, insurance) -- but they're good policy across the board.

Furthermore, I applaud the role of the courts in this debate.  In my cases, I always felt that my John Doe complaints had to be bulletproof before I'd file and begin issuing subpoenas.  The RIAA is learning that lesson the hard way -- although courts don't (and realistically can't) review complaints before plaintiffs start firing off subpoenas, they will waste no time in slamming frivolous or badly-formed complaints.  I want the courts as a check on requests, even if it is after the fact. 

Requiring notice to a target isn't such a bad idea either, even in many criminal cases (assuming we still respect the notion of "innocent until proven guilty" buried within the Fifth and Sixth Amendments).   As for the national security trump card, prosecutors can still go through the FISA court (for international communications) or get a legitimate ex parte court order and supervision (for purely domestic situations).

And (tying it all back together) an explicit Constitutional amendment identifying and defending an individual's right to privacy can only bolster the provisions I've suggested above.