Dnia 21.05.2026 o godz. 10:40:20 Randolf Richardson, Postmaster via mailop pisze: > if I see a unique string in > place of an IP address, then I tend to assume that the obfuscating > mail server's postmaster will have a method of decoding, decrypting, > or otherwise looking up what the real IP address was
I more often see nothing pointing to original IP address in the headers at all than something with unique strings in place of an IP address... Dnia 21.05.2026 o godz. 14:17:34 John Levine via mailop pisze: > They're not that transient. The IP address assigned to my fiber modem > changes perhaps once a year. Lots of countries consider an end user's IP > address to be PII so I'm not surprised they suppress it. Considering end user's IP address to be PII is a stupid law in my opinion, but such a stupid definition has been introduced here in Europe by GDPR: "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" Many lawyers argue that "online identifier" mentioned in that definition includes an IP address. Our Polish data protection law that was in effect before GDPR was adopted had a better definition IMHO, because it said that personal data is data that allow to identify a person *without excessive effort*. If you have person's name or street address, then you can identify that person quite easily - so that has been considered personal data. But to identify a person based eg. on a car registration number requires excessive effort, because you have to involve the police or some government office that has access to registration numbers database. Similarly, identifying a person based on IP address requires excessive effort, because you have to involve the ISP owning the network range in question. So that was not considered personal data. But GDPR does not have the clause of "excessive effort", so under GDPR everything that gives even slightest possibility to identify a person (even if it would require detective work ;)) can be considered personal data. That is simply stupid IMHO. -- Regards, Jaroslaw Rafa [email protected] -- "In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub." _______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
