Google using IP addresses to localise search

Google will use a web user's location in its calculation of the best search results to publish, the company said. It will use a computer's internet protocol (IP) address to whittle down results.

Privacy campaigners have been urging governments and data protection authorities to increase the privacy safeguards around the use of IP addresses, which they say can amount to legally-protected personal data.

One privacy law consultant says, though, that the geographical information will turn the IP address into personal data in only a few cases.

"How do we guess your location? In most cases, we match your IP address to a broad geographical location," said software engineers Jenn Taylor and Jim Muller in a Google blog post.

Google said that users can also specify their location, either by postcode or by town, to set the default location that Google uses for that search or for that machine, if the location is saved.

Dr Chris Pounder is a privacy law consultant for training company Amberhawk Consulting. He said that the move to include geographical information will not automatically make an IP address count as personal data.

"If all it uses is 'Barnsley' or 'Glasgow' it's not personal data," said Pounder. "The more precise the location the more accurately it can link to an individual, but generally it won't be personal data because to be that it has to identify an individual."

Taylor and Muller said that the change was being introduced in a bid to help make search results more accurate.

"If you specify your location in your query, we often show your results on a map. But we've noticed that much of the time users make simpler searches, like 'restaurants' or 'dentist'," they said. "We've just finished the worldwide rollout of local search results on a map, which will now appear even when you don't type in a location. When you search on Google, we will guess where you are and show results near you."

If information qualifies as personal data then it gains legal protection under the Data Protection Act in the UK and other laws across Europe deriving from the European Union's Data Protection Directive. These laws stipulate that personal information be processed fairly and lawfully and part of that requirement is to notify users of how their data will be used.

An IP address is allocated to each machine that connects to the internet by that user's internet service provider (ISP). It is visible to other machines on the internet.

Some privacy advocates have tried to convince authorities that IP addresses are personal data. A Munich court ruled last year, though, that IP addresses are not always personal data.

Pounder said that the same IP address information could be personal data or not depending who was using it and for what purpose. He said it was vital what other information was relevant.

He said that a ruling that shed light on this was one in which the information that one person out of a population of 4,000 people in a Scottish area had leukemia was considered to be personal data.

"It is only identifying information if it is linked to an individual," he said. "If a particular person searches for a particular topic at a particular time from a particular remote geographical area it might identify them, but this should be seen on a case by case basis," he said.

The man charged with making sure that EU institutions comply with data protection law, European Data Protection Supervisor Peter Hustinx, said last year that for a piece of information to qualify as personal data it did not have to identify everything about a person, or even their name.

"Identifiable in the sense of the word personal data is singling someone out. We do not need to know someone's birth date, address, surname, first name etc," he told news site ZDNet.co.uk at a security conference last year. "So if we deal with a computer, an IP address, which is showing special behaviour in terms of the transactions we can follow, then in a reasonable world that is individuals. Computers do not do this alone, this is individuals using this."

"It is a mistake to assume that under these circumstances the data protection rules do not apply," he said.