> On 21.05.2026 at 10:40:20, Randolf Richardson, Postmaster via mailop
> wrote:
> > if I see a unique string in
> > place of an IP address, then I tend to assume that the obfuscating
> > mail server's postmaster will have a method of decoding, decrypting,
> > or otherwise looking up what the real IP address was
>
> I more often see nothing pointing to original IP address in the headers at
> all than something with unique strings in place of an IP address...

Indeed -- such obfuscation is mostly beneficial to the obfuscator.

> On 21.05.2026 at 14:17:34, John Levine via mailop wrote:
> > They're not that transient. The IP address assigned to my fiber modem
> > changes perhaps once a year. Lots of countries consider an end user's IP
> > address to be PII so I'm not surprised they suppress it.
>
> Considering end user's IP address to be PII is a stupid law in my opinion,
> but such a stupid definition has been introduced here in Europe by GDPR:
> "`personal data´ means any information relating to an identified or
> identifiable natural person (`data subject´); an identifiable natural person
> is one who can be identified, directly or indirectly, in particular by
> reference to an identifier such as a name, an identification number,
> location data, an online identifier or to one or more factors specific to
> the physical, physiological, genetic, mental, economic, cultural or social
> identity of that natural person;"
>
> Many lawyers argue that "online identifier" mentioned in that definition
> includes an IP address.

WHOIS/RDAP queries for IPv4 and IPv6 addresses identify the netblock owner, but not the individual user, which is sometimes needed for reporting network abuse (spam, harassment, dark hacking, etc.).

> Our Polish data protection law that was in effect before GDPR was adopted
> had a better definition IMHO, because it said that personal data is data
> that allow to identify a person *without excessive effort*. If you have
> person's name or street address, then you can identify that person quite
> easily - so that has been considered personal data. But to identify a person
> based e.g. on a car registration number requires excessive effort, because
> you have to involve the police or some government office that has access to
> registration numbers database. Similarly, identifying a person based on IP
> address requires excessive effort, because you have to involve the ISP
> owning the network range in question. So that was not considered personal
> data.
> But GDPR does not have the clause of "excessive effort", so under GDPR
> everything that gives even slightest possibility to identify a person (even
> if it would require detective work ;)) can be considered personal data. That
> is simply stupid IMHO.

I agree, and now I'm wondering if the GDPR's overreaching attitude could eventually result in further absurdities like a person's exhaled breath including aerosolized respiratory droplets that could also be used to uniquely identify a person based on genomic DNA. The Polish "without excessive effort" appears to be a good remedy for such absurdities.

--
Postmaster - [email protected]
Randolf Richardson, CNA - [email protected]
Inter-Corporate Computer & Network Services, Inc.
Vancouver, Beautiful British Columbia, Canada
https://www.inter-corporate.com/
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
