Feeds

EU says Google and Microhoo still violate data protection law

'Your anonymization doesn't anonymize'

Top 5 reasons to deploy VMware with Tegile

A panel of European Union data protection authorities has told Google, Microsoft, and Yahoo! that their data retention policies still do not comply with EU law.

On Tuesday, the Article 29 Data Protection Working Party — an independent advisory body on data protection and privacy — sent public letters to the three major search engines saying that although it welcomes their efforts to bring their data retention policies in line with the law, they haven't gone far enough. With the letters, the Working Party — or W29 — urges Google, Microsoft, and Yahoo! to bring in outside auditors to ensure that they properly anonymize user data.

"On behalf of the data protection authorities in the EU united in WP29, I call on you to improve the protection of the online privacy of users of your search engine services," reads the letter from the chairman of the Working Party to Google.

"Besides limiting the retention period of personal data, measures include a reduction of the possibility to identify users in the search logs and the creation of an external audit process to reassure users that you are delivering on your privacy promises, i.e. by involving an independent and external auditing entity."

WP29 was set up under Article 29 of the EU's Data Protection Directive 95/46/EC (PDF), and it includes representatives from the data protection authorities of the EU member states as well as the European Data Protection Supervisor and the European Commission. In its letters to the big-name search engines, the Working Party says that all three still fail to comply with the Data Protection Directive, which says that user search data should be anonymized after six months.

Since 2007, the EU has urged the big name search engines to reduce the amount of time they hold data linked to individual users, and though all three have done so, they've yet to satisfy the letter of the law.

Google is now erasing the last octet of a user's IP address from its server logs after nine months, and it removes cookie data after 18 months. This policy was announced in the fall of 2008, and it was implemented sometime before November of 2009.

Google has long claimed that under the new policy, it "anonymizes" IPs after nine months. But that word doesn't mean what they think it means. If a cookie stays intact for 18 months, then restoring those missing eight bits is trivial. Though Google erases the bits on your nine-month-old search queries, they remain intact on your newer queries - and both sets of queries carry the same cookie info.

The W29 is wise to this — not to mention the fact that Google has completely ignored the Directive's six-month limit.

"Deleting the last octet of the IP-addresses is insufficient to guarantee adequate anonymisation," reads the Working Party's letter to Google. "Such a partial deletion does not prevent identifiability of data subjects. In addition to this, you state you retain cookies for a period of 18 months. This would allow for the correlation of individual search queries for a considerable length of time. It also appears to allow for easy retrieval of IP-addresses, every time a user makes a new query within those 18 months."

In January, Microsoft said that it plans to remove IP addresses entirely after six months, but that it will retain cookie data for a Google-like 18 months. It expects to implement this policy sometime next year. "While the decision to make this change in policy was significant, turning this policy into actionable steps for each of the various security, product and business teams requires a substantial investment of time and resources," the company told us in January. "The systems and processes that support this policy must not only meet a clear standard of compliance, they must ensure our continued ability to innovate."

The company also told us it does "not reconnect an IP Address once it has been removed as part of our standard processes." But again, WP29 wants cookies deleted after six months to ensure this sort of thing doesn't happen. "The policy to delete IP addresses completely after 6 months is a significant improvement," WP29 told Redmond. "However, in order to be able to point to true privacy protection in this area, you should apply the same procedure to all cookies."

Yahoo! has said that it's "now reducing our retention time to 90 days with limited exceptions for fraud, security, and legal obligations," and this means the deletion of the entire IP address. But the Working Party says that Yahoo! has not provided enough information on how it intends to handle cookies and other unique identifiers.

WP29 also said it would ask the US Federal Trade Commission to investigate whether the three search engines have violated US data retention laws. In the press release announcing its letters to the search engines, the EU called out Google in particular. "Considering Google’s dominant position in almost every EU Member State, with a market share of up to 95% in some national search engine markets, the company has a significant role in European citizens’ daily lives. The company’s apparent lack of focus in data retention is concerning," it said.

"Fair and lawful processing of personal data by search engines is becoming more crucial due to the explosion and proliferation of audiovisual data (digital images, audio and video content) and the increasing use of location services on the internet." ®

Remote control for virtualized desktops

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.