CDT Reports on Search Engine Privacy Policies

The Center for Democracy and Technology has just released a report on privacy policies at the five major search engine companies: Google, Yahoo, Microsoft, Ask, and AOL. While these policies have improved fairly recently, more work needs to be done. In this article, we’ll take a look at the new policies, the reasons behind them, and the work ahead.

The six-page PDF is entitled “Search Privacy Practices: A Work In Progress.” It includes a helpful glossary for those not familiar with terms such as cookie, cookie ID, IP address, and octet. Those terms are important if you don’t know that search engines track your queries and sometimes attach information that can be traced back to an individual (or at least a particular machine).

Let’s consider the obvious question: why would search engines track a user’s queries and connect them with particular browsers or IP addresses? There are a number of reasons. Search engines want to improve the quality of their search results; if they keep track of the searches a particular user conducts during a session, and what links are clicked, they can get a better idea of how well they’re doing. Most search engine users want to see these tools improve; without search logs, the steady algorithm improvement that goes on at Google and the other major search engines would not be possible.

Another reason search engines need to retain results is advertising. It helps to know which sponsored links you’ve displayed to whom. This point brings us to the issue of click fraud and other abuse. The search engines insist that they need these records to track and fight these problems.

As the CDT pointed out, each search engine tackles these issues in its own way. But everybody searches the web, which is why it’s a good idea to know exactly how the search engines handle your private information. Last year’s information nightmare for AOL  is one reason that this topic is receiving so much focus. Certain very large purchases by Microsoft, Google, and Yahoo also mean that not only consumers, but government agencies are scrutinizing the search engines’ privacy policies. Let’s take a look at recent announcements by the search engines as to what data they retain, and for how long.

With Google’s purchase of ad agency DoubleClick being closely scrutinized by the U.S. government, you’d expect Google to have the tightest privacy policy. While it did improve its policy, it isn’t the best one out there by a long shot. Google is instituting a new policy that will be in place by the end of this year; it will be applied retroactively. The search engine will retain the IP address and cookie ID for a query for 18 months after the query data has been collected. The query itself will be retained for an indefinite amount of time. Even after the 18 months, the IP address and cookie ID may be only partially deleted. Google said that its cookies will expire after two years – but anyone who visits Google’s site will have their cookie expiration date extended another two years. That sounds pretty indefinite to me.

Yahoo will be putting its new policies into place by July 2008. The venerable search engine completed the acquisition of advertising company Right Media just last month, so it is also conscious of privacy-minded eyes upon it. It will retain IP address and cookie ID information for only 13 months. It will hold on to the queries themselves for an indefinite period, but it will be putting a personal information filter in place that will automatically remove certain queries after 13 months. After the 13 months, Yahoo’s policy will be similar to Google’s, with partial removal of the IP address and cookie ID. Additionally, the previously mentioned personal information filter will remove names, Social Security numbers, and similar data.

Microsoft’s policies, which will go into effect at the same time as Yahoo’s, are almost indistinguishable from Google’s. The one important difference is that it will completely delete the IP address and cookie ID at the end of 18 months.

AOL’s new policies will go into effect this year. It will retain IP address and cookie ID data for the same length of time as Yahoo, 13 months. It will also retain query data for only 13 months. Like Microsoft, it will completely delete the IP address and cookie ID. As far as the query data, it will retain “only aggregate statistics about search query frequency,” according to CDT’s chart. It’s worth noting that AOL shares query and IP address data with Google for advertising purposes. But it does limit the use of this data.

Ask’s privacy policy stands out among all the major search engines. Its regular policy is nothing special; it retains IP address and cookie ID data for 18 months, while holding on to query data for an indefinite period of time. Likewise, how much of this information it deletes (partial or complete) is comparable to the other search engines. But it has a special tool in place called AskEraser. For those who use this tool, Ask completely deletes the IP address, cookie ID, and all query data within a few hours.

Some have drawn the conclusion that these improved policies mean that the free market works. Search engines which have up to now competed “on the quality of their search results, the clarity of their site design, and their ability to personalize their services” are now competing on the strength of their privacy policies as well, the CDT says in its report.

But how accurate is that? Are the major search engines trying to reassure their users…or the regulators? Three of the five search engines reviewed have recently purchased advertising companies, with all of the potential privacy issues this implies. The only search engine with a privacy policy that really stands out is Ask, and that is only when you use the AskEraser; its regular policy is right in line with all the others.

The CDT report makes a number of recommendations. It points out that privacy issues will continue to crop up, especially since many users also take advantage of email, chat, and other services available from the search engines. Therefore, the CDT things that search engine companies “should continue to work towards providing controls that allow users to not only extend but also limit the information about them,” perhaps as offered by Ask’s tool. The report calls on researchers, academics, and Internet companies “to pursue new and innovative methods” for improving relevance without tying data to specific users, and safeguarding data stored for long periods. The CDT also emphasized the importance of developing “policies that balance the demands of the advertising marketplace with their users’ privacy needs.”

The CDT report concludes with the idea that “No amount of self-regulation in the search privacy space can replace the need for a comprehensive federal privacy law to protect consumers from bad actors.” It calls on the government to enact binding consumer privacy regulation to protect searchers.

CDT president Leslie Harris emphasized this point. “By themselves, these recent changes represent only a small step toward providing users the full range of privacy protections they need and deserve, but if this competitive push continues it can only stand to benefit consumers.”

The Center for Digital Democracy, however, takes exception to the CDT’s report. The CDD has previously complained about the ways in which Microsoft and Google handled privacy issues, and complains that the CDT’s report does not go far enough. In a blog post, CDD executive director Jeff Chester accuses the CDT of having “long been an ally of the various data collection companies it purports to oversee on behalf of consumers” and of receiving funding from the very companies it reviewed.

Chester pointed out that “it’s only because of policy-related pressure from privacy advocates” that the search engines have made any changes to their policies at all. Chester believes that “The marketplace’s approach isn’t protecting consumers.”

Chester is convinced that despite the modest improvements we’ve seen, the privacy landscape is going to get worse, not better, and cites interactive advertising practices – behavioral targeting, rich media, and virtual reality formats – as “posing a serious threat to privacy and personal autonomy.” Furthermore, he does not believe the CDT is capable of giving an objective evaluation of the search engines’ products. “As long as CDT’s hands are out for a donation, they won’t be able to have an independent position that protects the public.”

Even so, regardless of the source, the industry itself seems to have heard the complaints about privacy, and is taking steps to self-regulate. Late last month, Microsoft and Ask said they wanted other companies to join them in creating guidelines for the protection of consumer privacy in two areas: search and online advertising. They planned to report on their efforts in September. Brendan Lynch, director of privacy strategy at Microsoft, noted that “It’s a topical area right now, and (the Google-DoubleClick plan) had some influence on us looking at this…We believe privacy is a very important aspect for our business going forward.” The search engines have indeed taken some steps forward, but whether they will continue to follow up their words with action remains to be seen.

Google+ Comments

Google+ Comments