IP addresses, Google, and data protection: That's why IP addresses are potentially always personally identifiable for Google

The IP address (network address) is potentially always personal data for the Google consortium. The reasons are diverse and are considered in this contribution. Therefore, the IP address, when sent to Google, is independent of national laws to be regarded as personal data.

Introduction

The ECJ ruled long ago, namely on 19.10.2016 (Case C-582/14), that IP addresses are always considered personal data when a national law allows the internet connection owner to be identified from an IP address. It is sufficient if there is an objective possibility of doing so. This also applies if several third parties would have to be involved in identifying the internet connection owner, for example the telecom and BND or in other countries then just other organizations or companies.

In Germany the BGH confirmed the judgment of the ECJ (see BGH-judgment from 16.05.2017 – VI ZR 135/13). Because in Germany it is possible within a criminal investigation to find out who the subscriber of a person of interest for criminal technical reasons is.

In other countries this may be different, because national prosecution laws of other countries can be shaped differently than in Germany.

If Google gets your IP address or mine, then it's potentially always personally identifiable. Google gets your IP address every time you visit a website from your desktop PC and this website Google Fonts or another Google tool is embedded. Even when using Google Analytics with IP anonymization, this applies. The anonymization option says according to Google that they promise not to use the IP address they always get anyway (which would be the interpretation of Google's promises, marked here as purely theoretical).

Why your IP address could potentially always be linked to you as a person, I will explain in the following.

The Google Account

Almost all of you have a Google account. This even applies if you've never created one yourself. Google simply assigns you an account when you use the Google search engine, Google Maps, or an Android smartphone (as long as it's standard and not ent-Google-t).

And that's how Google does it:

• For example, they call up the Google search engine (which you wouldn't do because there are other search engines like Ecosia, DuckDuckGo or Xayn).
• Google asks on first visit (or if you've deleted cookies beforehand), whether you agree with unnecessary data processing (the bolded formulation comes from me and is meant as a very shortened representation. To be precise, one would have to write hundreds of pages for the data processing at Google).
• Regardless of what you click on, Google always sets up an account for you and stores an identifier for you in one or more cookies. These cookies are called ENID, __Secure-ENID or also NID or IDE (or whatever, Google doesn't reveal that). For example, I'm still searching for a reliable explanation of the meaning of the cookies DV, OTZ, SOCS and AES.

They can therefore be associated with a Google account whenever you visit a page from Google, use a Google device or visit a page that has a Google service embedded or one that has a service embedded that exchanges data with Google (for example, an advertising platform that almost always operates Cookie Matching).

Using one of the mentioned cookies, Google can identify you with 100% accuracy. This works for example when a website has embedded the reCAPTCHA plugin from Google or is using the Google Maps plugin in its popular variant. As regards reCAPTCHA by Google, it should only be briefly noted that this plugin really uses many cookies with detailed specification.

A general personal connection arises from this

The Article 29 Group is the predecessor of the European Data Protection Board and enshrined in Art. 94 GDPR. This group has interpreted the GDPR and concluded that a data value can be personal if it is suitable to distinguish a person from others within a group of people. This interpretation is also represented by the Irish Data Protection Authority in its justification for the fine against WhatsApp.

Thus, a personal data situation would already be given if you can be distinguished from other people with it ("a person can be singled out from a group of persons").

A personal reference is established even more clearly when a personally related data value is present. This is given if either directly or indirectly, you can be concluded as Maxi Musterperson. A direct conclusion is especially possible through your name and your address.

An indirect conclusion is possible if you have a data value for which you could objectively identify a specific person. For example, it can be determined from a vehicle license plate who the car is registered to. You probably know that from the fine for speeding (of course only by hearsay). Also, a telephone number can be traced back to a person. Finally, this number is registered on a person. Similarly, an email address can be traced back to a person. One of my email addresses is klaus.meffert @ dr-dsgvo.de. Here there are two references to persons. Firstly, my name is in the email address. Secondly, it can be found out through a NIC query (DENIC in this case) who the domain dr-dsgvo.de was registered by. DENIC names the conditions for this, which include, for example, enforcing name and identification rights, but also a "legal infringement by websites". NIC stands for Network Information Center, DENIC for the German NIC

The more data presented about a person, the sooner it can be conclusively determined that it is a specific person. If the email address herberto.buechneri@web.de is known, along with the IP address 4711, along with the User-Agent Firefox97.Windows10.Version.1873, along with numerous visits to websites from this IP, along with the identification number of a Google account, along with the often entered address in Google Maps Wielandtstr. 999 in 66666 Frankfurt, along with the GPS coordinates from an Android smartphone, along with the telephone number of an Android smartphone, then this person will likely be fully identifiable. One could say that this person can be objectively identified. This follows the logic of the ECJ ruling "Breyer". Objectively identifiable means that others would have to be brought in, such as law enforcement agencies, telecommunications authorities or user tracking companies like Google. Less than the data values mentioned above would certainly suffice. By the way, one can assume that a person who, for example, Herbert Büchner is named, can also be found if the email address suggests the name Herberto Büchneri.

Why Google can directly identify you as a person named X, I will explain with facts.

A personal connection for Google is created

Initially, I hold the opinion that it doesn't matter how you're called and where you live for Google. Google rather wants to get to know you as well as your parents can't even do. There was once a study on data points, which were collected via Facebook Likes, representing exactly this possibility.

After Google has bestmöglich kennengelernt you, you can be profitably influenced in your opinion and behavior through the Google advertising platform. This also applies to voting behavior.

It is well known that Google has collected a lot of data about them, including:

• Your IP-Address (whenever you visit a Google page, use a Google device, visit a website with a Google plugin or directly or indirectly use a service that exchanges data with Google).
• Your Device identification (User-Agent): Is sent together with your IP address to Google.
• Referrer: The website you came from when you visited a webpage that sends data (directly or indirectly) to Google.
• The just mentioned visited website itself.
• Additional data collected by Google services such as Google Analytics, including for example the Viewport, which is the size of your browser window.
• Google-Cookies, used on Google's own websites.
• The same Google-Cookies, which are used when using Google Plugins, that are embedded on websites you visit.
• Other Google-Cookies just like that, but which are only used in Google Plugins on third-party websites. Examples of this include Google Analytics Cookies, which always store User-IDs by default and assign you an identifier so that your online activities can be tracked as well as possible.
• Your self-entered data in an explicitly created Google account by you. This includes the personal E-Mail-Address, especially when you have your own domain or your real name appears before the @ symbol.
• Your billing data, if you use a paid Google service. Yes, even as a Google customer, you are an internet user with rights.
• Your entered Login-Daten, if you use a free or paid Google service. For example, your E-Mail-Adresse is requested for using Google Analytics. Also, when using the Google Play Store on Android smartphones, your email address is requested.
• Search terms: The search terms you entered in your Google search. We remember: You have a Google account.
• Static IP addresses: There should be people who have a (only) registered IP address permanently rented. That is just as personal as a car license plate of a private car. We are in agreement, aren't we?

The number of entries in this list quickly makes it clear that Google can learn a lot about you very quickly. Whoever gives their email address to Google for the reasons mentioned is not only recognizable as a user, but also as a person by Google. You are then the owner of the email address johndoe@mydomain4711.de. Who exactly you are may already be evident from the email address itself. But if not, looking it up or searching online might possibly lead to identifying you as John doe on other grounds. Just think about an XING account where your real name is linked with the registered email address. Maybe you have mentioned your email address werichbinweissniemand@wirklichjetzt.de in the imprint of your website. We all know that (at least in Germany and probably also in Austria) the name and address of individuals are listed in the Impressum of a medium like a website. Whoever does not want to bother with the Impressum often finds the desired information through a WHOIS search, for example, for domains ending in .at for Austria.

Some websites offer a contact form. I just found a case where all the data entered there was sent to Facebook when submitting it. The same can happen with Google instead. Especially, URLs of websites containing for example search terms can be sent to Google via Google Analytics. If I search on a website for my own name, Google will then know who I might be. If I then search again on Google for my name and Google can connect my IP address elsewhere with my name, the probability that I am the person being searched for quickly turns into certainty.

People who often use Google Maps usually enter their home address as a starting or ending point, making it easy to establish a personal connection.

Google knows about a fictional user who has visited some websites (just an excerpt, so that the example doesn't get too long):

• Household pets
• Buy dog food regularly
• Ist männlich
• Employed or otherwise engaged
• Cover also more expensive purchases (but not: expensive TVs)
• Has an account at Bank X and one at Bank Y, as well as a stock portfolio
• Interested in art
• Travel gladly to South America
• Enjoys riding a bike
• Enjoys running winter sports
• Interested in fashion
• Men often seek medical help for erection problems or impotence
• Uploaded photos from a city trip (possibly with GPS coordinates in the image metadata)
• Uses browser version X under Windows 10 Home with screen resolution Z as well as Android smartphone model Y
• Lives in Frankfurt/Main or its immediate surroundings
• Often enter the following address into the route planner: Hansaplatz 999, 66666 Frankfurt/Main
• Often enter the following address into the route planner: Blauring 888, 60667 Frankfurt/Main
• Let's leave that out, otherwise it would be too simple: Has the email address abcd4711@08151617.de?

Fictitious example. How many people might there be who meet all these criteria?

If you use Google Search and click on a hit, Google always knows that you have called up website X, which is behind the hit. Then, if you call up a completely different website Y from website X via an external link available there, Google also knows about it, provided website Y uses a service like Google Fonts.

If someone has registered their website in Google Search Console, they have made at least two statements there: The address of websites and an email address. If Google then sends them emails based on this, Google gets your IP address when you read the email and haven't blocked images. Google then knows that the IP address X belongs to the person who registered the email address Y and the website Z. There's hardly more personal reference in the internet. Of course, there are cases where this personal reference still doesn't exist. But these are already rather rare. Especially when the other options mentioned above are considered as well.

Furthermore, note that the combination of IP address and User-Agent would identify you and me with a high probability. Using cookies, WLAN signals, and possibly other methods, even dynamic IP addresses can be matched. The method is referred to as Session Stitching in itself. By the way, IP addresses from cable connections are often stable for months. Some people supposedly have a static IP address that can be rented for little money. We don't want to talk about cars with Android Auto, or Google Nest, or Google Smartwatches right now.

An additional way to track a user within a browser is offered by advanced techniques like ETag. A demo page shows that you and I as users can be tracked without cookies, IP addresses, browser fingerprinting or similar things. Even after closing the browser, at least in my case, the access counter for me was still counted up and did not start again from 1 before a new one.

Why did someone set up a Google account?

Google had recently had an unlawful consent query on the page of the Google search engine and the page for Google Maps. They were forced to click five or six times to REFUSE consent. Instead, you only had to click once to agree. If then, as data protection opponents recommend, you regularly delete your cookies, you had to go through a clicking frenzy again when using the Google search or maps.

Google has a way out for you: Create your own Google account yourself. You just have to enter your email address and password. When you then delete your cookies again, you only need to log in quickly (possibly with pre-filled login fields) instead of clicking five times.

Google will then know who you are again (keyword: email address and history of your internet activities that Google linked to your profile). How convenient, because then previously deleted cookies can be renewed again. Good for Google and the advertising industry, rather bad for people like you and me.

Conclusion

The IP-Address often allows a personal connection with Google. Along with the User-Agent, this picture of you from Google's perspective becomes even clearer.

If cookies are then used, such as from a mostly (!) existing Google account, you will quickly become transparent as internet users. Alternatively, there is also a Super-Cookie like the Chrome Browser, which presents a cookie cake. Instead of Chrome, it's also done for Google with an Android-cell phone, through which you kindly make your data donation to Google.

From your Surf-History alone you could already be identified as a concrete person. There are not that many people with the same 40 preferences in Germany. Usually, there is only one person with a specific email address. And if it's a couple, you can often tell from a message whether Peter or Erna or both are writing.

Google knows which websites belong to you through Google Search Console, with personal data readily available. But perhaps you simply signed up with Google at some point, so as not to have to close that annoying cookie request from Google in five clicks. Then Google has your email address, which often has a direct or indirect personal reference. Please note that in Article 4 Section 1 GDPR, the definition of personal data includes person-related data!

Even if the IP address might not be considered personal data in countries other than Germany: For the Google conglomerate, which is trying to track all internet users worldwide, IP addresses are potentially always personal data for the aforementioned reasons. Therefore, using Google Fonts leads to the transfer of personal data to Google, at the responsibility of the website operator who has embedded the Google fonts.

If someone (let's call this person Adam or Eva) were to file a lawsuit in Austria, they would only need to have a Google account linked with a good email address. Then it could be determined that the plaintiff's IP address is considered personally identifiable by Google. Perhaps even the existence of a Google Android smartphone would suffice.

Google Fonts excursion

The Google Fonts Terms of Service refer to the Google APIs Terms of Service. The latter name as provider "Google LLC with headquarters at 1600 Amphitheatre Parkway, Mountain View, California 94043, USA".

That US intelligence agencies can hire more people with IP addresses than a field-forest-meadow website operator should be clear to everyone.

From the mentioned terms of use, reference is also made to the Google Privacy Policy. There it says (bold print from me):

Your location can be determined with varying degrees of accuracy. To do this, we use:

• GPS and other sensor data from your device
• IP address
• Activities in Google services, such as your search queries and places you've labeled, like home or work
• Information about objects near your device, such as Wi-Fi access points, cell towers, and Bluetooth-enabled devices

From: https://policies.google.com/privacy

Furthermore, it is said there:

To the data we collect include unique identifiers, the type and settings of the browser, the type and settings of the device, the operating system, information about the mobile network such as the name of the mobile provider and phone number as well as the app version. We also collect data on your apps, browsers and devices interaction with our services. This includes e.g. the IP address, crash reports, system activities as well as the date, time and referrer URL of your request.

We collect this data when a Google service contacts our servers on your device, for example when you install an app from the Play Store or when a service requests automatic updates. If you use an Android device with Google Apps, your device regularly contacts the Google servers to provide information about your device and connection to our services. This includes data such as the type of your device and the name of your mobile provider, crash reports, apps that you have installed, and, depending on settings on your device, further information about how you use your Android device.

From: https://policies.google.com/privacy

It goes even further:

We collect data on your activities in our services. For example, we use this data to recommend a YouTube video that might interest you. We may also collect activity data such as:

• Terms you are searching for
• Videos that you watch
• Content and ads that you view and interact with
• Language and audio data
• Purchase activities
• People with whom you communicate or exchange content
• Activities on websites and apps of third-party providers that use our services
• The Chrome browsing history that you have synchronized with your Google account

From: https://policies.google.com/privacy

Google uses these many data according to its own statements for personalizing data and advertisements (with advertising, Google earned lastly about 66% of a turnover of $160 billion in one year).

Summary: Google at least admits that all data generated directly by Google through data feeds is used to get to know you better and influence you with advertising.

Detour: False Arguments

An article titled "Google Fonts: Aggressive warnings" appeared on the CRonline-Blog, where some facts are incorrectly presented. I will address this in the following:

There would be no data transfer to the US at all. The argument is load distribution or server architecture being mentioned. Furthermore, GET requests are spoken of. All this is legally irrelevant. If an American intelligence service knocks on Google LLC, USA (the self-proclaimed operator of Google Fonts) and demands access to a Google server, then Google will have to grant it, provided there is a legal basis under US law that requires it (Cloud Act, EO12333 or FISA 702 for example).

There would be no personal reference at all due to the IP address being sent to Google for Google Fonts. That's nonsense or a completely unsubstantiated claim, as my previous contribution hopefully shows. Knowing just a snippet of a person's internet usage history is enough to know them well. Whoever doesn't accept that should remember that Google knows the potentially always personal email addresses of users and their IP address too. And over time it can be several IP addresses. These can be linked together in various ways, which are all available to Google. Cookies are just one way, cookie-less tracking is another, Google devices a third, GPS signals from mobile phones a fourth, Android Auto a fifth, Google customer accounts a sixth etc.

On the CRonline-Blog the following completely absurd claim is made: “The GET request from the affected person to Google Inc. contained no personal data, but only an insignificant string of characters.” Firstly, it's Google LLC, not Google Inc. At least that should be something a lawyer writing this blog article would know better than me. By the way: Is there even still Google Inc.? Secondly, this "insignificant string of characters" apparently is so informative that Google makes around 100 billion dollars in revenue per year with it. As written above, the string of characters is not insignificant. Furthermore, the IP address is always linked to the User-Agent when access occurs via an internet browser. This way, the IP address becomes even less insignificant.

Then it is also stated in the CRonline blog: “The IP address does not allow any conclusion about the end device and thus the user, but only about the connection.” That's also a bit off. Whoever is currently logged into their Google account (which Google always assigns when you call up the Google search engine or Google Maps or another Google service or use a Google device), usually gets a cookie (see my contribution above). This cookie is actually stored in the user's end device. When accessing cookies, the user's IP address is also transmitted to Google at the same time. Hmm, now the IP address is indeed user-related and end-device-related. I myself only use my PC. There are supposed to be PCs that are used by several people (although probably no more than two or three people). Microsoft has noticed this at some point and implemented a login function in Windows that manages storage space and applications separately per user. So even with multi-user operation, which the plaintiff would not himself mention but which the defendant would have to prove, an end device is to be valued as being related to one user if this user surfs the internet. Just because of the Google cookies that are maintained by the operating system per user.

Responsibility of Website Operator is also denied by the article in the CRonline Blog, which states that Google, according to Google Fonts Terms of Use, would not conduct a "Voodoo". Hmm, I read it differently though. See my contribution above as well as the quotes from Google Privacy Guidelines, which link to the Google Fonts Terms of Use. Should I perhaps become a lawyer and the author of the CRonline article look for a new profession, or did I misread the privacy guidelines? Please clarify if there is anything to clarify. A repeated search has brought me the same result as before described by me. Moreover: If other data protection provisions than those linked by Google to the Google Fonts platform would apply, then these would be those in which Google writes: "To the extent that this is required under the data protection laws applicable to the parties, the parties agree on Data Protection Terms between Data Controllers." Click on this link, then it's about Controller-Controller. Controller means Responsible Person, Controller-Controller is a joint responsibility (at least a responsibility of two parties). Sounds like the CRonline article writer didn't get it right either.

Conclusion: The contribution in the CRonline-Blog shines through the absence of facts. As for the character of mass warnings, one can indeed talk about legal misuse. But to ignore the offense is completely misguided and an academic discussion only. Of course, you have a right to information against a website operator to check the legality of processing if he integrates Google Fonts on his website. Whether a mass warning sender also has this right is another matter.

A fictional warning letter

Some people in Germany could certainly name such a reason to show that there is a personal reference by Google if Google Fonts had been embedded on a visited website:

Dear authorities of a Google Fonts infringement,

They have integrated Google Fonts on their website xyzabd4711.de which I visited at X o'clock in the afternoon.

By doing so, my IP address and device identification (User-Agent) were transmitted to your responsibility at Google LLC (1600 Amphitheatre Parkway, Mountain View, California 94043, USA; briefly "Google"). The aforementioned Google is according to its own statement the provider of Google Fonts.

This was done without a legal basis. I did not give consent and there was no contract between us. Furthermore, you cannot rely on a legitimate interest. See the explanations in this contribution. So you have processed my personal data without a legal basis (cf. Art. 4 No. 2 DS-GVO as well as Art. 6 No. 1 DS-GVO).

It concerns my personal data (cf. Art. 4 No. 1 DS-GVO), as Google can link my IP address and user agent with my Google account in the Google Search Console or other used Google services. I use Google Search Console, for example, to optimize the performance of my website in the well-known Google search engine. For using the Google Search Console, I have to forward my email address and phone number to Google. This email address is the same one I am writing you with right now. My email address is personal data for several reasons. Firstly, my full name is included in the email address to build higher trust in mail communication. Secondly, it can be objectively determined from DENIC that I am the owner of the domain.

Furthermore, Google misses me at least one cookie every time I use the Google search engine or Google Maps, which contains an identifier that allows Google to recognize me next week. The cookie is transmitted together with my IP address. Every time I enter two addresses in Google Maps for route planning, Google learns about it, and both addresses and my IP address. These data can be married by Google to determine from the IP address my address where I am registered (at least the only one with the name I bear and which is reflected in my email address).

My IP address can therefore be traced back to me by Google even if it changes (dynamic IP address). And to make matters worse, I occasionally use a static IP address because I need this for running my own web services. The static IP address is directly traceable back to me, as a glance at my contract with the telecommunications company that provides me with this IP address reveals.

I could name further reasons why my IP address, which you transmit to Google without legal basis, is personal data. You can find these justifications in a article on Dr. GDPR. Furthermore, I recommend reading the judgment of the Court of Justice of the European Union of 19 October 2016 – C-582/14, especially RN. 49, which also deals with dynamic IP addresses and considers it sufficient that there is a legal means to refer a data value back to a person so that the data value is personal in the sense of Article 4(1) DS-GVO.

Punitive undertaking declaration

They have refrained from…

Typical justifications