At a time when users regularly turn to search engines to find information on the Internet, search privacy is of paramount importance. The search terms you give to search engines can be used to compose a telling portrait of your interests and concerns, a fact that has led privacy advocates to call for greater protection for individual users.
That's why it's great news that European privacy officials from the Article 29 Data Protection Working Party" (WP29), which is an influential advisory body to the European Commission, have recently taken decisive action to push for stronger search engine privacy.
Recently, WP29 told the major search engines Google, Microsoft and Yahoo that their methods of making users' search data anonymous still do not comply with the European Union's Data Protection Directive, a legislative mandate requiring governments and businesses to protect citizens from indiscriminate collection, use, and disclosure of personal information. WP29 further requested that the search engines change their search data retention policies to comply with the recommended maximum period of 6 months.
This builds on an opinion WP29 issued in April 2008, concluding that search engines' data retention practices are, in fact, subject to the EU Data Protection Directive. To comply with the law, WP29 has stated that search companies must delete or anonymize search log data, including IP addresses and search queries, no later than six months after their collection (if not earlier), and ensure that the anonymized data cannot be linked back to an individual.
After WP29 issued the opinion in April 2008, the world's three largest search engines met with the European authorities to discuss data retention practices and search anonymization policies, and the companies responded with various privacy improvements.
At the time, Google announced that it would anonymize IP addresses in its server logs after nine months, instead of the previous 18-24 months. Since then, Google has indicated that in practice it deletes the last octet of collected IP addresses. Google retains other information, like cookies, for a period of 18 months. Yahoo announced that it would anonymize user log data, page views, clicks, ad views, and ad clicks within 90 days of collection, with limited exceptions for fraud, security, and legal obligations. Yahoo also announced that it would delete full IP addresses, rather than deleting merely the last octet. And this year, Microsoft announced that it will delete IP addresses associated with search queries six months after their collection, a reduction form the previous practice of retaining that data for 18 months. Microsoft's announced data retention policy goes further by endorsing "de-identification" (separation of search queries and account information, as well as anonymization of cookie information) as soon as a Bing search query is received. After 18 months, Microsoft then deletes cookie information, and any other cross-session IDs associated with the search query.
Last week's letters from WP29 essentially responded to this first round of changes from the search companies. WP29 told Yahoo that "a partial deletion of the personal data contained in search logs does not constitute true anonymization," and told Google that "deleting the last octet of the IP-addresses is insufficient to guarantee adequate anonymisation."
WP29 also urged Microsoft and Google "to review [their] retention policy, to bring it in line with the recommended period of a maximum of 6 months;" and urged the three search engines "to review [their] anonymization claims and make the process verifiable, preferably by developing a credible audit process involving an external and independent auditing entity. The actual techniques of anonymization deserve an open debate, open to public scrutiny."
EFF has recommended that online service providers collect the minimum amount of information for the minimum time that is necessary to perform their search engines operations, and to effectively obfuscate, aggregate and delete unneeded user information.
WP29 understands the risks inherent in search engines holding vast collections of search log data of individuals. EFF hopes that search companies will now reduce the search data retention period and make public their methods for data anonymization to allow Internet users to make informed choices about which services they will use, and to encourage the development of more privacy protections for search engine users. Citizens should have the ability to make searches on the Internet without fear that their deepest secrets might be accessed by the government or private parties, published to the world, or used for secondary purposes without consent. By irreversibly anonymizing or deleting search log data no later than six months after their collection (if not earlier), individuals can have greater certainty that the government and private parties cannot gain access to their historical search data. That would be a very welcome first step.