Feeds

Google plays cat and mouse with regulators

Privacy questioned

SANS - Survey on application security programs

Google has faced down one European probe into what it does with people's personal information, only to be challenged with another.

Last October, privacy watchdogs in Norway, which is not part of the European Union but has identical data protection laws, asked Google to justify why it retains people's search histories for up to two years. Google refused to co-operate.

Now the Article 29 Working Party, which advises the Justice Directorate of the EC, has asked Google to bring its business practices into line with European data protection law so that it gives due respect to people's privacy.

When AOL released its search logs to researchers, some information was so specific that individual people were identified. They later sued AOL.

With the Norwegian investigation at an impasse, the A29 Working Party has effectively taken up the baton asking Google to provide a justification of its data policy.

Peter Fleischer, the Google privacy lawyer who met with Norwegians on the understanding that it would not accept their authority, has presented Google's justification for its data retention on Google's blog.

One reason was to comply with regulations including the European Data Retention Directive, which was passed in 2005 but does not have to be passed into national law until 2009.

EU member states have the scope to demand companies retain communications data for between six months and two years as an aid in terrorist and criminal investigations.

But the directive explicitly excludes the "content" of communications, under which moniker European regulators include search histories.

The directive requires phone and internet firms to retain "data necessary to trace and identify" a communication source, destination, date, time, duration, type, device and location.

Fleischer also said Google needed to keep its data stockpile in order to help it improve its services and to wheedle out fraudsters, spammers, and hackers.

But The Register understands that Google has been the cause of anxiety among members of the A29 Working Party for some years. Their members, who include representatives of national EU privacy watchdogs, are not pleased about how long it keeps information. The Norwegians were also concerned that Google might be using its data stores to create profiles of people's lives. This was one question Google refused to answer.

Leif Aanensen, deputy director general of the Norwegian Office of the Data Inspectorate, told The Register that it had effectively put its Google probe on ice after the data giant refused to accept that it came under Norwegian jurisdiction.

"We are not satisfied," he said. "We didn't get the proper answers."

"Our main issue was their data retention policy and the use of the data they stored. We asked them what they were doing with the personal data - are you creating profiles - they didn't answer," he said.

Two Norwegian search engines - Sesam and Kvasir - had also come under the scrutiny of the Norwegian regulators. The regulator has suggested in a preliminary decision that they may have to delete any connections between someone's identifying information and their search queries the moment the query is complete. At least one of them has claimed it will need up to two months to make its data anonymous. The final decision of the regulator will be published next month.

A Google spokesman refused to say whether Google had answered Norway's specific queries. He said that Google would send an answer to the A29 Working Party before its next meeting in June.

The Register understands that the A29 letter, from Peter Schaar, the group's chairman, had included some encouraging words for Google. The data giant had done much to improve its standing among privacy watchdogs, but there was still more it should do. ®

High performance access to file storage

More from The Register

next story
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.