After years of criticism from EFF and other privacy advocates, Google announced yesterday a new policy on how it handles logs of its users' searches: after 18-24 months, it will delete key information in its server logs that could be used to link particular users to records of their search queries.
This is a big change from Google's previous policy, which was essentially to keep all of those logs forever in identifiable form, and we're certainly glad to see that Google is starting to limit its retention of such sensitive data. Your Google search history can paint an intimate portrait of your most private interests and concerns. Particularly in light of the disastrous AOL search terms disclosure, recent scandals involving government surveillance, and Google's own recent court fight with the government over a subpoena for search records, it seems that Google has finally realized that limiting the retention of such records is essential to protecting your privacy.
Hopefully, Google's change in policy will spur other online service providers to consider how they can minimize the amount of personal data that they store, and perhaps even prompt competition between service providers to offer the most privacy-protective services. However, we hope that this new announcement is only Google's first step in changing its privacy practices, because additional changes would better protect user privacy and set an even better example for the industry:
- Google should shorten the retention period for identifiable logs to six months at the outside, and ideally to only thirty days (which is AOL's retention limit for similar logs). Barring this, it should at least justify why it needs such records for up to two years, beyond offering one-sentence platitudes about how such records are used to improve Google's service.
- Google should also shorten the retention of the "anonymized" logs, which Google apparently still intends to keep forever. As Google itself admits, the new policy changes still don't guarantee users' anonymity, and holding onto those records indefinitely still poses a serious private threat.
- Therefore, Google should consider more robust anonymization techniques, up to and including scrubbing entire IP addresses rather than just the last quarter or "octet" of such addresses.
- Finally, Google should expand its new anonymization policy to include the search records of users with Google Account log-ins, and to records generated by their myriad other services, rather than limiting the policy change to regular search logs.
Beyond making these additional policy changes, there's one more thing that Google should be doing—something we think it actually has a duty to do as a good corporate citizen and as a preeminent Internet powerhouse—and that is using its considerable political clout to fight for better Internet privacy laws on Capitol Hill. Right now, there are significant questions as to whether or how Internet search logs are protected by existing federal privacy laws, and Google owes it to its customers to publicly advocate for updating those privacy laws for the 21st century.