Posts Tagged ‘privacy’
By Nate Anderson | Published: June 11, 2007 – 05:51AM CT
Only Google earned the dismal “black” color bar from the group, which has just issued a report on Internet privacy that took six months to assemble (see the rankings [PDF]). The current report is preliminary; final results will be released in September.
The report rated top Internet companies on privacy issues and distilled the various results into a single color bar. Microsoft was two ranks up from Google, earning a curry-colored “serious lapses” rating. Amazon scored one level higher with its yellow “notable lapses” rank, and eBay did even better, earning a coveted blue bar. No company earned a top mark, however.
In singling out Google, Privacy International said that it “witnessed an attitude to privacy within Google that at its most blatant is hostile, and at its most benign is ambivalent.” This stands in contrast to Microsoft, which several years ago would have earned the worst spot on the list. But “in more recent times the organization appears to have adopted a less antagonistic attitude to privacy, and has at least structurally adjusted to the challenge of creating a privacy-friendly environment,” says the report.
Google is taken to task for the usual issues: providing no way for users to expunge data, maintaining search logs that could contain personally-identifiable terms, tracking Google Toolbar users on the web, etc. But it’s not just Google’s policies that give Privacy International concern; the group worries especially about these policies being implemented by a company as large as Google. The report’s authors admit that Google’s low ranking is in part “due to Google’s market dominance and the sheer size of its user base.”
People are suspicious of massive corporations, it appears, no matter how non-evil they think they are.
By Nate Anderson | Published: June 13, 2007 – 01:23PM CT
Google had previously committed to anonymize (but not delete) its server logs after 18-24 months. Now, in a letter sent to the Working Group, the company pledges to anonymize the data after 18 months, though it cautions that future legislation may require it to store the data for longer. Under Google’s plan, the logs would be kept, but the IP addresses (probably just the last octet, though no final decision has yet been made) would be scrambled permanently; not even Google could gain access to the original information.
Peter Fleischer, Google’s global privacy counsel, said in the letter that Google was actually behaving better than most players in the industry. “Indeed, to our knowledge,” he wrote, “most Internet companies retain logs for far longer than Google—in many cases, indefinitely.” Actually, nothing that Google has said indicates that they won’t also keep log files indefinitely; logs will simply be anonymized for long-term storage.
In defending its initial plan to keep personal information for up to two years, Google pointed out that the US Department of Justice has called for a 24-month data retention period—though no legislation to this effect has been passed. In Europe, the Data Retention Directive requires all EU member states to pass data protection legislation by 2009, though the maximum term for data retention can vary from six to 24 months. Fleischer notes that “there seems to be an emerging international consensus on 24 months as the outer limit for data retention.”
When Google finally does start anonymizing logs (technical details are still being worked out), the process will be both permanent and retroactive. Anyone who used Google to search for “Jetsons porn” back in 2003 can soon rest easy.
By Joel Hruska | Published: July 23, 2007 – 10:01AM CT
Henceforth, Microsoft will make all Windows Live Search data anonymous after 18 months “unless the company receives user consent for a longer time period,” according to the company. The policy will be retroactive and will apply to all Microsoft search portals worldwide. Customer search data will also be stored differently than data explicitly tied to people (e-mail addresses, phone numbers, etc.), and no correlation of the two data types will be possible. All cookie user identification data will also be removed. For users who opt for longer data retention (for the purposes of customization services), Microsoft promises to be completely transparent with how that data is stored and handled.
“As search and other online services progress, it’s important for our customers to be able to trust that their information is being used appropriately and in a way that provides value to them,” said Peter Cullen, chief privacy strategist at Microsoft. “We hope others in the industry will join us in developing and supporting principles that address these important issues. People should be able to search and surf online without having to navigate a complicated patchwork of privacy policies.”
Such movements from Microsoft and Google are more than just an act of oneupmanship—though there’s certainly an element of that at work—but are a broader response to consumer concerns and nasty allegations of antitrust behavior that’ve been flung around recently. With the Senate set to review Google’s proposed merger with DoubleClick and with Microsoft’s own recent purchase of aQuantive, its in the industry’s best interest to appear very concerned about personal privacy, even as market consolidations point towards more specific, focused, and, in a word, personalized advertising on the horizon.
It’s hard to see these developments as anything but positive, and we are expecting a similar announcement from Yahoo later this week.
By Jacqui Cheng | Published: August 09, 2007 – 11:27AM CT
“We hope this signals the emergence of a new competitive marketplace for privacy,” said CDT president Leslie Harris in a statement. “By themselves, these recent changes represent only a small step toward providing users the full range of privacy protections they need and deserve, but if this competitive push continues it can only stand to benefit consumers.”
The report reiterated many of the recent search policy changes that have made headlines in the last several months. In June, Google agreed to anonymize its search records after 18 months instead of 24 (or previous to that, never). That announcement was followed by one from Ask.com in July, which also said that it would also anonymize its data after 18 months, and then Microsoft just days later—also 18 months. Both AOL and Yahoo! have also agreed to shorten the length of time they keep records around, undercutting the others by anonymizing records after just 13 months.
The report also cited Ask.com’s new AskEraser tool as offering a level of user control that the others do not. AskEraser is a preference that users can set on the site, ensuring that absolutely no search records will be retained for that user past a few hours. CDT praises Ask.com for AskEraser and points out that while the others offer options to their users to extend the length of time their search records are stored, no others currently allow users to choose not to have records retained. CDT recommends that other search engines “continue to work towards providing controls that allow users to not only extend but also limit the information stored about them.”
The CDT provides other recommendations as well. While the organization acknowledges that some search engines have legitimate reasons for keeping data around for advertising purposes, it says that those companies need to store the data securely (hello, AOL) and provide notice to their users about what is being stored and for how long. The CDT also says that the search engines should work together to promote privacy protections “across the board” with smaller partners.
Despite the progress that has been made, however, the CDT still feels that there is a need for stronger privacy legislation. “No amount of self-regulation in the search privacy space can replace the need for a comprehensive federal privacy law to protect consumers from bad actors,” the report says. “With consumers sharing more data than ever before online, the time has come to harmonize our nation’s privacy laws into a simple, flexible framework.”
By Nate Anderson | Published: March 15, 2007 – 07:15AM CT
Under the new policy, both the IP address and cookie information will be anonymized at a point 18-24 months after the log files are generated, “unless [Google is] legally required to retain the data for longer.” The new policy, once implemented, will be applied retroactively.
Google will still keep search data for 18-24 months before anonymizing it, in part due to concerns that governments around the world will eventually require this in short order anyway. And the program won’t begin until the end of 2007, and possibly even later. The new policy is a “difficult initiative to implement,” Google said in a statement, but the company believes that the effort will pay off in increased user trust and less suspicion from privacy advocates.
A response to privacy advocates
One of those advocates was the Norwegian government, which has been able to grab the attention of major tech companies like Apple and Google. In this case, the Norwegian Data Protection Authority was one of the groups that expressed its unease with Google’s current policy of retaining such personally identifiable information indefinitely.
Google was the only search engine to hold out against a US government subpoena early last year, so it does gain some credibility in the privacy department. The whole debacle (and the search fiasco at AOL) certainly brought home to the public the fragility of “online anonymity.” Millions who thought that their searches were private saw them turned over 1) to the government and then 2) to private researchers in the AOL case. When it became clear that this information could, in some cases, be used to identify individuals, the outrage was widespread.
Google seems to be seeking both good publicity and fewer future scandals with the new move, even though they say that the new policy could result in their losing data that “has analytical and statistical value” to the company.
“By anonymizing our server logs after 18-24 months, we think we’re striking the right balance between two goals: continuing to improve Google’s services for you, while providing more transparency and certainty about our retention practices,” the Google statement said. Privacy advocates might want personally-identifiable info scrambled a bit sooner, but this is certainly better than nothing.
By Ryan Paul | Published: September 14, 2007 – 08:46AM CT
Complying with the broad assortment of disparate and potentially conflicting privacy laws already in place is a costly burden for businesses that use the Internet to operate globally. Streamlining those regulations and establishing global standards would certainly simplify the compliance process, but determining an adequate standard that balances the desires of law enforcement, consumers, and businesses around the globe will pose a challenge.
Google retains a tremendous amount of personal information that could be used for identity theft and all sorts of other nefarious purposes if it were to fall into the wrong hands. Although some politicians are keen on legislation that would impose limits on data retention in order to protect consumer privacy, law enforcement agencies are insisting that data needs to be retained longer. Data retention duration is just one of many issues that will require some difficult compromises.
In July, Google competitors Microsoft and Ask.com collectively called for industry standards for search privacy. The approach taken by Microsoft and Ask.com seems to be market-oriented, whereas Google seems more interested in government standards.
Google’s interest in creating new privacy standards may relate to the company’s plan to acquire advertising company DoubleClick, a deal that is viewed with concern and hostility by privacy advocates. Establishing strong privacy standards could reassure consumers and lawmakers who might otherwise want to block the DoubleClick acquisition.
Google’s chief privacy officer Peter Fleischer denies that DoubleClick is a factor in this effort, though. “People look to us to show some leadership and be constructive,” Fleischer told the Associated Press. “To be effective, privacy laws need to go global…But for those laws to be observed and effective, a realistic set of standards must emerge. It is absolutely imperative that these standards are aligned to today’s commercial realities and political needs, but they must also reflect technological realities.”
Fleischer also said that he has been discussing the prospect of international privacy standards with Microsoft, Yahoo, and European government representatives.
The success of an international privacy standards initiative will depend on support from many stakeholders, and Google’s plan may prove too ambitious. Regardless of whether or not Google’s plan succeeds, competition in the search and web services space will hopefully continue to promote big improvements in company privacy policies, even without a worldwide agreement.