Feeds

EU says Google and Microhoo still violate data protection law

'Your anonymization doesn't anonymize'

3 Big data security analytics techniques

A panel of European Union data protection authorities has told Google, Microsoft, and Yahoo! that their data retention policies still do not comply with EU law.

On Tuesday, the Article 29 Data Protection Working Party — an independent advisory body on data protection and privacy — sent public letters to the three major search engines saying that although it welcomes their efforts to bring their data retention policies in line with the law, they haven't gone far enough. With the letters, the Working Party — or W29 — urges Google, Microsoft, and Yahoo! to bring in outside auditors to ensure that they properly anonymize user data.

"On behalf of the data protection authorities in the EU united in WP29, I call on you to improve the protection of the online privacy of users of your search engine services," reads the letter from the chairman of the Working Party to Google.

"Besides limiting the retention period of personal data, measures include a reduction of the possibility to identify users in the search logs and the creation of an external audit process to reassure users that you are delivering on your privacy promises, i.e. by involving an independent and external auditing entity."

WP29 was set up under Article 29 of the EU's Data Protection Directive 95/46/EC (PDF), and it includes representatives from the data protection authorities of the EU member states as well as the European Data Protection Supervisor and the European Commission. In its letters to the big-name search engines, the Working Party says that all three still fail to comply with the Data Protection Directive, which says that user search data should be anonymized after six months.

Since 2007, the EU has urged the big name search engines to reduce the amount of time they hold data linked to individual users, and though all three have done so, they've yet to satisfy the letter of the law.

Google is now erasing the last octet of a user's IP address from its server logs after nine months, and it removes cookie data after 18 months. This policy was announced in the fall of 2008, and it was implemented sometime before November of 2009.

Google has long claimed that under the new policy, it "anonymizes" IPs after nine months. But that word doesn't mean what they think it means. If a cookie stays intact for 18 months, then restoring those missing eight bits is trivial. Though Google erases the bits on your nine-month-old search queries, they remain intact on your newer queries - and both sets of queries carry the same cookie info.

The W29 is wise to this — not to mention the fact that Google has completely ignored the Directive's six-month limit.

"Deleting the last octet of the IP-addresses is insufficient to guarantee adequate anonymisation," reads the Working Party's letter to Google. "Such a partial deletion does not prevent identifiability of data subjects. In addition to this, you state you retain cookies for a period of 18 months. This would allow for the correlation of individual search queries for a considerable length of time. It also appears to allow for easy retrieval of IP-addresses, every time a user makes a new query within those 18 months."

In January, Microsoft said that it plans to remove IP addresses entirely after six months, but that it will retain cookie data for a Google-like 18 months. It expects to implement this policy sometime next year. "While the decision to make this change in policy was significant, turning this policy into actionable steps for each of the various security, product and business teams requires a substantial investment of time and resources," the company told us in January. "The systems and processes that support this policy must not only meet a clear standard of compliance, they must ensure our continued ability to innovate."

The company also told us it does "not reconnect an IP Address once it has been removed as part of our standard processes." But again, WP29 wants cookies deleted after six months to ensure this sort of thing doesn't happen. "The policy to delete IP addresses completely after 6 months is a significant improvement," WP29 told Redmond. "However, in order to be able to point to true privacy protection in this area, you should apply the same procedure to all cookies."

Yahoo! has said that it's "now reducing our retention time to 90 days with limited exceptions for fraud, security, and legal obligations," and this means the deletion of the entire IP address. But the Working Party says that Yahoo! has not provided enough information on how it intends to handle cookies and other unique identifiers.

WP29 also said it would ask the US Federal Trade Commission to investigate whether the three search engines have violated US data retention laws. In the press release announcing its letters to the search engines, the EU called out Google in particular. "Considering Google’s dominant position in almost every EU Member State, with a market share of up to 95% in some national search engine markets, the company has a significant role in European citizens’ daily lives. The company’s apparent lack of focus in data retention is concerning," it said.

"Fair and lawful processing of personal data by search engines is becoming more crucial due to the explosion and proliferation of audiovisual data (digital images, audio and video content) and the increasing use of location services on the internet." ®

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.