Feeds

EU says Google and Microhoo still violate data protection law

'Your anonymization doesn't anonymize'

Providing a secure and efficient Helpdesk

A panel of European Union data protection authorities has told Google, Microsoft, and Yahoo! that their data retention policies still do not comply with EU law.

On Tuesday, the Article 29 Data Protection Working Party — an independent advisory body on data protection and privacy — sent public letters to the three major search engines saying that although it welcomes their efforts to bring their data retention policies in line with the law, they haven't gone far enough. With the letters, the Working Party — or W29 — urges Google, Microsoft, and Yahoo! to bring in outside auditors to ensure that they properly anonymize user data.

"On behalf of the data protection authorities in the EU united in WP29, I call on you to improve the protection of the online privacy of users of your search engine services," reads the letter from the chairman of the Working Party to Google.

"Besides limiting the retention period of personal data, measures include a reduction of the possibility to identify users in the search logs and the creation of an external audit process to reassure users that you are delivering on your privacy promises, i.e. by involving an independent and external auditing entity."

WP29 was set up under Article 29 of the EU's Data Protection Directive 95/46/EC (PDF), and it includes representatives from the data protection authorities of the EU member states as well as the European Data Protection Supervisor and the European Commission. In its letters to the big-name search engines, the Working Party says that all three still fail to comply with the Data Protection Directive, which says that user search data should be anonymized after six months.

Since 2007, the EU has urged the big name search engines to reduce the amount of time they hold data linked to individual users, and though all three have done so, they've yet to satisfy the letter of the law.

Google is now erasing the last octet of a user's IP address from its server logs after nine months, and it removes cookie data after 18 months. This policy was announced in the fall of 2008, and it was implemented sometime before November of 2009.

Google has long claimed that under the new policy, it "anonymizes" IPs after nine months. But that word doesn't mean what they think it means. If a cookie stays intact for 18 months, then restoring those missing eight bits is trivial. Though Google erases the bits on your nine-month-old search queries, they remain intact on your newer queries - and both sets of queries carry the same cookie info.

The W29 is wise to this — not to mention the fact that Google has completely ignored the Directive's six-month limit.

"Deleting the last octet of the IP-addresses is insufficient to guarantee adequate anonymisation," reads the Working Party's letter to Google. "Such a partial deletion does not prevent identifiability of data subjects. In addition to this, you state you retain cookies for a period of 18 months. This would allow for the correlation of individual search queries for a considerable length of time. It also appears to allow for easy retrieval of IP-addresses, every time a user makes a new query within those 18 months."

In January, Microsoft said that it plans to remove IP addresses entirely after six months, but that it will retain cookie data for a Google-like 18 months. It expects to implement this policy sometime next year. "While the decision to make this change in policy was significant, turning this policy into actionable steps for each of the various security, product and business teams requires a substantial investment of time and resources," the company told us in January. "The systems and processes that support this policy must not only meet a clear standard of compliance, they must ensure our continued ability to innovate."

The company also told us it does "not reconnect an IP Address once it has been removed as part of our standard processes." But again, WP29 wants cookies deleted after six months to ensure this sort of thing doesn't happen. "The policy to delete IP addresses completely after 6 months is a significant improvement," WP29 told Redmond. "However, in order to be able to point to true privacy protection in this area, you should apply the same procedure to all cookies."

Yahoo! has said that it's "now reducing our retention time to 90 days with limited exceptions for fraud, security, and legal obligations," and this means the deletion of the entire IP address. But the Working Party says that Yahoo! has not provided enough information on how it intends to handle cookies and other unique identifiers.

WP29 also said it would ask the US Federal Trade Commission to investigate whether the three search engines have violated US data retention laws. In the press release announcing its letters to the search engines, the EU called out Google in particular. "Considering Google’s dominant position in almost every EU Member State, with a market share of up to 95% in some national search engine markets, the company has a significant role in European citizens’ daily lives. The company’s apparent lack of focus in data retention is concerning," it said.

"Fair and lawful processing of personal data by search engines is becoming more crucial due to the explosion and proliferation of audiovisual data (digital images, audio and video content) and the increasing use of location services on the internet." ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.