According to an EFF newsletter item, Google will start destroying any identifying information in their search records that is more than a year old. This is a very good thing. I’ll have to see if I can find a demo of how easy it is to profile someone based off their search history. Some of the AOL results released were traced back to individual people and that was without IP addresses! Really Google should be doing a lot more than it is, but this is better than nothing.
* Google’s New Plan to “Anonymize” Search Logs: A Good First Step, But More Is Needed

After years of criticism from EFF and other privacy advocates, last week Google announced a new policy on how it handles logs of its users’ searches: after 18-24 months, it will delete key information in its server logs that could be used to link particular users to records of their search queries.

This is a big change from Google’s previous policy, which was essentially to keep all of those logs forever in identifiable form, and we’re certainly glad to see that Google is starting to limit its retention of such sensitive data. Your Google search history can paint an intimate portrait of your most private interests and concerns. Particularly in light of the disastrous AOL search terms disclosure, recent scandals involving government surveillance, and Google’s own recent court fight with the government over a subpoena for search records, it seems that Google has finally realized that limiting the retention of such records is essential to protecting your privacy.

Hopefully, Google’s change in policy will spur other online service providers to consider how they can minimize the amount of personal data that they store, and perhaps even prompt competition between service providers to offer the most privacy-protective services. However, we hope that this new announcement is only Google’s first step in changing its privacy practices, because additional changes would better protect user privacy and set an even better example for the industry:

* Google should shorten the retention period for identifiable logs to six months at the outside, and ideally to only thirty days (which is AOL’s retention limit for similar logs). Barring this, it should at least justify why it needs such records for up to two years, beyond offering one-sentence platitudes about how such records are used to improve Google’s service.
* Google should also shorten the retention of the “anonymized” logs, which Google apparently still intends to keep forever. As Google itself admits, the new policy changes still don’t guarantee users’ anonymity, and holding onto those records indefinitely still poses a serious privacy threat.
* Therefore, Google should consider more robust anonymization techniques, up to and including scrubbing entire IP addresses rather than just the last quarter or “octet” of such addresses.
* Finally, Google should expand its new anonymization policy to include the search records of users with Google Account log-ins, and to records generated by their myriad other services, rather than limiting the policy change to regular search logs.

Beyond making these additional policy changes, there’s one more thing that Google should be doing–something we think it actually has a duty to do as a good corporate citizen and as a preeminent Internet powerhouse–and that is using its considerable political clout to fight for better Internet privacy laws on Capitol Hill. Right now, there are significant questions as to whether or how Internet search logs are protected by existing federal privacy laws, and Google owes it to its customers to publicly advocate for updating those laws for the 21st century.
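The retention window and the "last octet" versus "whole address" anonymization choice discussed in the newsletter, as an added Python example that is not part of the EFF item or the blog post and is not Google's code. It applies a retention policy to a constructed search log (RFC 5737 documentation addresses, invented queries and account names) and then counts how many records are still tied to exactly one (IP, account) pair, which is a simple way to see why masking only the last octet does not guarantee anonymity. The policy names "octet" and "full", the `NOW` date, and the decision to keep account ids under the "octet" policy are assumptions made for the demonstration.

```python
"""Demo of search-log retention plus IP anonymization (constructed data).

Added example; not EFF's or Google's code. Log entries, dates and the
'octet'/'full' policy names are invented for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log. The 'octet' policy models the announced approach
# (mask the last octet of the client IP, leave account-linked data alone);
# the 'full' policy models the stronger approach the newsletter asks for.
SAMPLE_LOG = [
    {"ts": datetime(2005, 6, 1),  "ip": "203.0.113.57",  "account": None,    "query": "symptoms of insomnia"},
    {"ts": datetime(2005, 6, 2),  "ip": "203.0.113.200", "account": None,    "query": "mortgage rates"},
    {"ts": datetime(2005, 8, 10), "ip": "198.51.100.9",  "account": "alice", "query": "divorce lawyer"},
    {"ts": datetime(2007, 3, 10), "ip": "192.0.2.44",    "account": None,    "query": "weather"},
]

# Assumed "current" date for the retention calculation (constructed).
NOW = datetime(2007, 3, 20)


def mask_last_octet(ip: str) -> str:
    """Zero the final octet of an IPv4 address: 203.0.113.57 -> 203.0.113.0.

    Raises ValueError for anything that is not an IPv4 address, since
    'last octet' has no meaning for other address families.
    """
    addr = ipaddress.IPv4Address(ip)
    return str(ipaddress.ip_network(f"{addr}/24", strict=False).network_address)


def anonymize(record: dict, policy: str) -> dict:
    """Return a copy of `record` with identifiers reduced under `policy`.

    'octet': mask the last octet of the IP, keep the account id.
    'full' : drop the whole IP and the account id.
    """
    out = dict(record)
    if policy == "octet":
        out["ip"] = mask_last_octet(record["ip"])
    elif policy == "full":
        out["ip"] = None
        out["account"] = None
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return out


def apply_retention(records, now, max_age_days, policy):
    """Anonymize every record older than `max_age_days`; keep newer ones as-is."""
    cutoff = now - timedelta(days=max_age_days)
    return [anonymize(r, policy) if r["ts"] < cutoff else dict(r) for r in records]


def singled_out(records) -> int:
    """Count records whose (ip, account) pair occurs exactly once in the log.

    Each such record can still be tied to a single source, so the number is
    a rough indicator of how much re-identification risk the log retains.
    """
    counts = Counter((r["ip"], r["account"]) for r in records)
    return sum(1 for r in records if counts[(r["ip"], r["account"])] == 1)


if __name__ == "__main__":
    # 18 months (taken as 540 days) versus the newsletter's suggested 30 days,
    # under both anonymization policies.
    for days in (540, 30):
        for policy in ("octet", "full"):
            kept = apply_retention(SAMPLE_LOG, NOW, days, policy)
            print(f"{days:>3} days, {policy:<5}: {singled_out(kept)} record(s) still singled out")
```

With this constructed log the "octet" policy leaves the logged-in user's record unique (her /24 contains nobody else, and the account id is untouched), while the "full" policy collapses every aged record into one indistinguishable group; only the record still inside the retention window remains identifiable, by design.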