Can your IP address give away your identity to hackers, stalkers and cybercrooks?

In today's world of hackers, stalkers and cybercriminals, not to mention government spy programs and commercial sites that collect information about you for advertising purposes, is there a way to surf the Web and keep your privacy intact? Or does that mere fact that you have an IP address mean that your identity is out there for the taking?

(7 ways to mask your Internet identity)

Turns out, there's no easy answer to this question. (Watch the slideshow version.)

Legally, an IP address does not constitute personal identifiable information, according to two recent court cases.

In July 2009, in a case involving Microsoft, the U.S. District Court for the Western District of Washington ruled that IP addresses do not constitute personal identifiable information (PII). And in a separate case in 2011, the Illinois Central District Court also ruled that an IP address does not -- by itself -- qualify as personal information that can accurately identify a specific Internet user.

Alan Webber, a research analyst at the Altimeter Group, agrees that "with the exception of law enforcement personnel who have other tools and methods to match IP addresses to a variety of sources (which provide additional information); at this time, an IP address, alone, cannot identify a specific person."

He adds, "However, when combined with other information, such as a user name, then yes, the IP address can reveal your identity."

Scott Crawford, managing research director at Enterprise Management Associates, explains that an IP address identifies a host on a specific network or subnet. That subnet may identify a set of logical addresses that can, in some cases, be associated with a physical location. For example, there could be an address range associated with ISP subscribers in a certain area.

Crawford emphasizes that when correlated to more specific information (such as address, browsing activity, or other data collected), during the course of online transactions; for example, the IP address can be associated with that activity or with a specific location. Although ISPs often assign addresses dynamically through protocols such as DHCP, it's not uncommon for a single, physical location (such as a home) to retain the same IP address for a long period of time. "Once the specific personal data is linked to the IP address, the activity associated with that address can be correlated accordingly," adds Crawford.

It can be done

Andrew Lee, CEO of London Trust Media, Inc./ (a VPN service that protects users' privacy and identity), says linking users to their IP address is not simple, but it can be done. Many email providers, some IRC networks, extreme tracking sites, poorly configured forums and design flaws in applications such as Skype and AOL (among others) have disclosed users' identities along with their IP addresses.

He adds that email providers have been known to leak IP addresses to advertisers, market researchers, and other such agencies and some emails (like those from mailing lists) are indexed by Google. "Thus, the IP becomes searchable," Lee says. "Programs such as (now inactive), which reveals users' personal data are developed every day by programmers across the globe. Extreme tracking sites link IPs to Google searches and make them public. And business websites including, but not limited to, Facebook, Twitter, Google, etc. -- in addition to ad targeting companies -- already have your personal info linked to your IP address in their databases. Anyone with access to those databases, including those with legitimate or illegitimate access (such as hackers), can obtain any and all of that information."

[ALSO:10 hot security startups to watch]

David Gorodyansky, CEO of AnchorFree's HotspotShield (an Internet security solution that includes anonymous browsing) agrees the IP address can be linked to a specific individual's name, address, and other personally identifiable information. According to Gorodyansky, hackers and malware programs attempt to compromise user identities by gaining access to their IP address and then tracking them on the web.

"An IP is like your digital address," Gorodyansky says. "It provides intel on the city and state of the ISP location, which can be linked back to a residential address if accessing a Wi-Fi hotspot from home. Based on the IP address, companies and hackers collect information about individuals without knowing specific details such as their name. Third party websites and hackers can collect this data and, for example, use it to identify your name and steal or resell your identity and/or track your web browsing habits."

Surfers, beware

John Kindervag, a security and risk analyst at Forrester, says that the IP address can be tracked, but with some limitations. The IP header should not have any personal information in it. The mapping of the IP address is performed at the ISP level and, since there is no real user information in the headers, the assumption is that since person A lives at the location where the IP address is assigned, then person A created the traffic.

"This is a flawed assumption," Kindervag says. "Person A's network could be compromised, especially if it's wireless, to hide the identity of an attacker. Attackers always spoof their IP address, sometimes by using someone else's network and sometimes by going through a proxy server located in some other country. The attacker could live next door, but make his/her traffic look like it came from Eastern Europe."

According to Andrew Lewman, executive director at the Tor Project (a free anonymity online service), lots of companies use GeoIP databases to determine where a potential or actual customer is located in the world and then directs the marketing pitches appropriately. "Criminals also use GeoIP databases to target geographic areas for various malware attacks (English vs. French vs. Spanish languages, donation scams based on localized events). Child molesters and kidnappers can also use the IP address to track where a potential victim is located and further convince the victim that they are local and friendly," Lewman says.

"The greatest danger here, in my opinion, is from malware such as toolbars and other downloaded utilities that can secretly and systematically collect information and interfere with communications," cautions Andrew Frank, research vice president at Gartner. "IT professionals should prioritize malware prevention and home users should enforce basic rules about not opening unknown email attachments, how to identify suspicious sites, and regular use of a virus protection service. IT professionals concerned about this should talk to their ISP about proxy services and other privacy protection methods that may be available. And last, concerned citizens should support common-sense privacy options that give them choice and control over tracking and targeting, but should recognize that illegal tracking is unlikely to be curtailed by any new privacy laws."

How to mask your IP address

In addition to caution regarding how much personal information you disclose on the Internet, you can further protect your privacy by hiding or masking your IP address. The easiest and most effective solutions are anonymous proxy servers or VPN software and services. An anonymous proxy server functions as a liaison between your home network or computer and the Internet. It requests information, on your behalf, using its own IP address instead of yours, so only the proxy's IP address is revealed instead of your home IP address.

VPN protection generally requires that you download a software product that works with the company's VPN services, which bounce your connections around the globe through various distributed networks. These virtual' tunnels burrow through the Internet landscape creating a random path, which thwarts traffic analysis.

If you search for proxy servers,' VPN services,' or hide my IP address,' note that dozens of products are available; some free and some with fees. The Tor Project is a free "onion routing project" that was originally designed for the U.S. Naval Research Laboratory, which provides multiple privacy services including IP protection. Fee-based VPN products include Private Internet Access, Hotspot Shield, Banana VPN, Black Logic, and Unblock Us. Free proxy services include Hide My Ass and Mega Proxy, and fee-based services include Proxy Solutions and AllAnonymity.

Sartain is a freelance writer. She can be reached at

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags MicrosoftsecurityAltimeter GrouplegalWide Area Networkcybercrime

More about Andrew Corporation (Australia)AOLEnterprise Management AssociatesFacebookGartnerGoogleInc.Internet AccessMicrosoftScott CorporationSkype

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Julie Sartain

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place