Google bends privacy policy to EU concerns

Search giant says it will revise policy, and investigate ways to redesign cookies, reduce duration they're stored on PCs

Google Inc. will make the data it stores about end users anonymous in its server logs after 18 months, part of an effort to deflate concerns about privacy raised last month by a European Union working group.

In a letter sent to the group on Monday, Google also said it is looking at ways to redesign its Web cookies and reduce the length of time they are stored on users' PCs. Cookies are small files that uniquely identify a Web browser and are widely used to track surfing behavior and store user preferences.

[ Cringely: Is Google 'hostile to privacy'? ]

The letter, from Google's global privacy counsel, Peter Fleischer, was in response to a letter sent last month by the E.U.'s Article 29 Data Protection Working Party, which outlined its concerns about Google's service.

Among them, it questioned why the company needed to retain its server logs for 18 to 24 months, saying the practice does not appear to meet Europe's data protection rules. The server logs, which include search histories, can be linked to individual users and therefore constitute personal data, the group said.

Fleischer responded by saying that Google would make data anonymous in its server logs after 18 months, the low end of its previous commitment. "We ... firmly reject any suggestions that we could meet our legitimate interests in security, innovation and anti-fraud efforts with any retention periods shorter than 18 months," Fleischer wrote.

The company said it needs the log data to improve its search algorithms, fight click fraud and spam, comply with data retention laws, and meet "valid legal orders from law enforcement as they investigate and prosecute serious crimes like child exploitation."

It noted that the E.U.'s own Data Retention Directive will require companies to retain such data for 6 to 18 months when new laws go into effect by 2009. Since few countries have passed their retention laws yet, "we have no choice but to be prepared to retain log data for up to 24 months," Fleischer wrote.

The working group had also complained about the length of time Google stores cookies on users' PCs. Google said that it is exploring ways to redesign its cookies to improve privacy and that it would make an announcement "in the coming months."

One observer, while acknowledging privacy concerns about Google, was critical of the working group for singling out one company.

"These concerns would have been equally applicable to Yahoo or Microsoft or many other companies on the Internet," said Danny Sullivan, editor-in-chief of the Web site Search Engine Land, who wrote a detailed analysis of Google's response.

Microsoft and Yahoo have not specified how long they store their log files, he said, and they may retain them for longer than Google.

He also said the group showed "technical ignorance" by focussing on server logs. Like other search engines, Google collects information about users each time they register for a service such as Gmail or Adwords. These "user databases" contain more personal information than server logs can gather, and they are often retained until a user closes the account or actively deletes the information, he said.

The working group in its letter last month cited Google's "market position and ever-growing dominance." It also thanked the company for its "ongoing engagement with the data protection community," especially in contrast with "a lack of engagement by some of the other leading players" in the search industry.

The group is expected to discuss Google's response at a meeting later this month.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies