Violations
Examples of laws and/or policies relating to privacy, security or civil rights being violated.

  Thursday, March 15, 2007


Google's New Plan to "Anonymize" Search Logs: A Good First Step, But More Is Needed.

After years of criticism from EFF and other privacy advocates, Google announced yesterday a new policy on how it handles logs of its users' searches: after 18-24 months, it will delete key information in its server logs that could be used to link particular users to records of their search queries.

This is a big change from Google's previous policy, which was essentially to keep all of those logs forever in identifiable form, and we're certainly glad to see that Google is starting to limit its retention of such sensitive data. Your Google search history can paint an intimate portrait of your most private interests and concerns. Particularly in light of the disastrous AOL search terms disclosure, recent scandals involving government surveillance, and Google's own recent court fight with the government over a subpoena for search records, it seems that Google has finally realized that limiting the retention of such records is essential to protecting your privacy.

Hopefully, Google's change in policy will spur other online service providers to consider how they can minimize the amount of personal data that they store, and perhaps even prompt competition between service providers to offer the most privacy-protective services. However, we hope that this new announcement is only Google's first step in changing its privacy practices, because additional changes would better protect user privacy and set an even better example for the industry:

  • Google should shorten the retention period for identifiable logs to six months at the outside, and ideally to only thirty days (which is AOL's retention limit for similar logs). Barring this, it should at least justify why it needs such records for up to two years, beyond offering one-sentence platitudes about how such records are used to improve Google's service.
  • Google should also shorten the retention of the "anonymized" logs, which Google apparently still intends to keep forever. As Google itself admits, the new policy changes still don't guarantee users' anonymity, and holding onto those records indefinitely still poses a serious privacy threat.
  • Therefore, Google should consider more robust anonymization techniques, up to and including scrubbing entire IP addresses rather than just the last quarter or "octet" of such addresses.
  • Finally, Google should expand its new anonymization policy to include the search records of users with Google Account log-ins, and to records generated by their myriad other services, rather than limiting the policy change to regular search logs.

Beyond making these additional policy changes, there's one more thing that Google should be doing, something we think it actually has a duty to do as a good corporate citizen and as a preeminent Internet powerhouse, and that is using its considerable political clout to fight for better Internet privacy laws on Capitol Hill. Right now, there are significant questions as to whether or how Internet search logs are protected by existing federal privacy laws, and Google owes it to its customers to publicly advocate for updating those privacy laws for the 21st century.

[EFF: Deep Links]
3:05:57 PM    

Google is reversing a long-standing policy to retain all the data on its users indefinitely, and by the end of the year will begin removing identifying data from its search logs after 18 months to two years, depending on the country the servers are located in.

Currently, Google retains indefinitely detailed server logs on its search engine users, including users' IP addresses (which can identify a user's computer), the query, any result that is clicked on, their browser and operating system, among other details. Even if a user never signs up for a Google account, those searches are all tied together through a cookie placed on the user's computer, which currently expires in 2038.

The new policy will be global, but there will be variances by country, especially in Europe where a data retention rule passed in 2005 requires ISPs and phone companies to keep data from six months to two years. After that time period, Google will "anonymize" the search data from web and image searches by dropping either the second half or the last quarter of IP addresses, thus turning an address such as 127.0.34.35 into 127.0 or 127.0.34. The goal is to make it technically impossible to retroactively tie a query back to a computer, unless the query included identifying information.
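To make the octet-dropping scheme described above (and the EFF's point that partial scrubbing still leaves queries linkable) concrete, here is a small added Python model; it is not code from this post or from Google, and the log records, cookie ids and IP addresses in it are constructed for illustration. It shows how many real addresses collapse onto each truncated prefix, and that queries sharing a surviving cookie id remain linkable until the cookie is removed as well.

```python
# Added example (not from the post or from Google): a model of IPv4 octet
# truncation as the post describes it, plus a check of what it does not hide.
from collections import defaultdict

# Constructed sample log records with the fields the post lists (IP, cookie, query).
SAMPLE_LOG = [
    {"ip": "127.0.34.35", "cookie": "c-1111", "query": "flu symptoms"},
    {"ip": "127.0.34.35", "cookie": "c-1111", "query": "jane doe 123 main st"},
    {"ip": "127.0.34.200", "cookie": "c-2222", "query": "weather"},
    {"ip": "127.0.99.7", "cookie": "c-3333", "query": "eff deep links"},
]

def truncate_ipv4(ip, keep_octets):
    """Return the first `keep_octets` octets of a dotted-quad IPv4 address.
    keep_octets=3 drops the last quarter (127.0.34.35 -> 127.0.34);
    keep_octets=2 drops the second half (127.0.34.35 -> 127.0)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    if not 1 <= keep_octets <= 4:
        raise ValueError("keep_octets must be between 1 and 4")
    return ".".join(octets[:keep_octets])

def anonymity_set_size(keep_octets):
    """Number of full addresses that collapse onto one truncated prefix."""
    return 256 ** (4 - keep_octets)

def anonymize(records, keep_octets=3, drop_cookie=False):
    """Truncate the IP of every record; optionally also remove the cookie id."""
    out = []
    for r in records:
        a = dict(r, ip=truncate_ipv4(r["ip"], keep_octets))
        if drop_cookie:
            a.pop("cookie")
        out.append(a)
    return out

def linkable_query_sets(records, key="cookie"):
    """Group queries by a surviving identifier; each group with more than one
    query is a set of searches still attributable to one client."""
    groups = defaultdict(list)
    for r in records:
        if key in r:
            groups[r[key]].append(r["query"])
    return {k: v for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    for keep in (3, 2):
        print(f"keep {keep} octets -> {anonymity_set_size(keep)} addresses per prefix")
    print("still linkable via cookie:", linkable_query_sets(anonymize(SAMPLE_LOG)))
    print("cookie dropped:", linkable_query_sets(anonymize(SAMPLE_LOG, drop_cookie=True)))
```

Grouping the cookie-stripped output by the truncated IP instead (`key="ip"`) shows the other failure mode: unrelated clients in the same /24 are merged into one group, so the prefix alone neither identifies nor reliably separates users.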

User logs from services that require log-ins, such as personalized search, Google Documents and Gmail will not be subject to this policy. Those services are governed by their own privacy policies. More can be found on this at Google's official blog announcement.

Civil libertarians have long criticized the search giant's hoarding of data, saying that the data store created an attractive target for law enforcement and civil suits. Google successfully quashed a Justice Department request for large chunks of user data in 2005.


2:15:53 PM    


© Copyright 2007 Paul Hardwick.
Last update: 3/19/07; 12:43:31 AM.