Feeds

EU says Google and Microhoo still violate data protection law

'Your anonymization doesn't anonymize'

Reducing security risks from open source software

A panel of European Union data protection authorities has told Google, Microsoft, and Yahoo! that their data retention policies still do not comply with EU law.

On Tuesday, the Article 29 Data Protection Working Party — an independent advisory body on data protection and privacy — sent public letters to the three major search engines saying that although it welcomes their efforts to bring their data retention policies in line with the law, they haven't gone far enough. With the letters, the Working Party — or W29 — urges Google, Microsoft, and Yahoo! to bring in outside auditors to ensure that they properly anonymize user data.

"On behalf of the data protection authorities in the EU united in WP29, I call on you to improve the protection of the online privacy of users of your search engine services," reads the letter from the chairman of the Working Party to Google.

"Besides limiting the retention period of personal data, measures include a reduction of the possibility to identify users in the search logs and the creation of an external audit process to reassure users that you are delivering on your privacy promises, i.e. by involving an independent and external auditing entity."

WP29 was set up under Article 29 of the EU's Data Protection Directive 95/46/EC (PDF), and it includes representatives from the data protection authorities of the EU member states as well as the European Data Protection Supervisor and the European Commission. In its letters to the big-name search engines, the Working Party says that all three still fail to comply with the Data Protection Directive, which says that user search data should be anonymized after six months.

Since 2007, the EU has urged the big name search engines to reduce the amount of time they hold data linked to individual users, and though all three have done so, they've yet to satisfy the letter of the law.

Google is now erasing the last octet of a user's IP address from its server logs after nine months, and it removes cookie data after 18 months. This policy was announced in the fall of 2008, and it was implemented sometime before November of 2009.

Google has long claimed that under the new policy, it "anonymizes" IPs after nine months. But that word doesn't mean what they think it means. If a cookie stays intact for 18 months, then restoring those missing eight bits is trivial. Though Google erases the bits on your nine-month-old search queries, they remain intact on your newer queries - and both sets of queries carry the same cookie info.

The W29 is wise to this — not to mention the fact that Google has completely ignored the Directive's six-month limit.

"Deleting the last octet of the IP-addresses is insufficient to guarantee adequate anonymisation," reads the Working Party's letter to Google. "Such a partial deletion does not prevent identifiability of data subjects. In addition to this, you state you retain cookies for a period of 18 months. This would allow for the correlation of individual search queries for a considerable length of time. It also appears to allow for easy retrieval of IP-addresses, every time a user makes a new query within those 18 months."

In January, Microsoft said that it plans to remove IP addresses entirely after six months, but that it will retain cookie data for a Google-like 18 months. It expects to implement this policy sometime next year. "While the decision to make this change in policy was significant, turning this policy into actionable steps for each of the various security, product and business teams requires a substantial investment of time and resources," the company told us in January. "The systems and processes that support this policy must not only meet a clear standard of compliance, they must ensure our continued ability to innovate."

The company also told us it does "not reconnect an IP Address once it has been removed as part of our standard processes." But again, WP29 wants cookies deleted after six months to ensure this sort of thing doesn't happen. "The policy to delete IP addresses completely after 6 months is a significant improvement," WP29 told Redmond. "However, in order to be able to point to true privacy protection in this area, you should apply the same procedure to all cookies."

Yahoo! has said that it's "now reducing our retention time to 90 days with limited exceptions for fraud, security, and legal obligations," and this means the deletion of the entire IP address. But the Working Party says that Yahoo! has not provided enough information on how it intends to handle cookies and other unique identifiers.

WP29 also said it would ask the US Federal Trade Commission to investigate whether the three search engines have violated US data retention laws. In the press release announcing its letters to the search engines, the EU called out Google in particular. "Considering Google’s dominant position in almost every EU Member State, with a market share of up to 95% in some national search engine markets, the company has a significant role in European citizens’ daily lives. The company’s apparent lack of focus in data retention is concerning," it said.

"Fair and lawful processing of personal data by search engines is becoming more crucial due to the explosion and proliferation of audiovisual data (digital images, audio and video content) and the increasing use of location services on the internet." ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
L33t haxxors compete to p0wn popular home routers
EFF-endorsed SOHOpelessly Broken challenge will air routers' dirty zero day laundry
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.