EU says Google and Microhoo still violate data protection law
'Your anonymization doesn't anonymize'
A panel of European Union data protection authorities has told Google, Microsoft, and Yahoo! that their data retention policies still do not comply with EU law.
On Tuesday, the Article 29 Data Protection Working Party — an independent advisory body on data protection and privacy — sent public letters to the three major search engines saying that although it welcomes their efforts to bring their data retention policies in line with the law, they haven't gone far enough. With the letters, the Working Party — or WP29 — urges Google, Microsoft, and Yahoo! to bring in outside auditors to ensure that they properly anonymize user data.
"On behalf of the data protection authorities in the EU united in WP29, I call on you to improve the protection of the online privacy of users of your search engine services," reads the letter from the chairman of the Working Party to Google.
"Besides limiting the retention period of personal data, measures include a reduction of the possibility to identify users in the search logs and the creation of an external audit process to reassure users that you are delivering on your privacy promises, i.e. by involving an independent and external auditing entity."
WP29 was set up under Article 29 of the EU's Data Protection Directive 95/46/EC (PDF), and it includes representatives from the data protection authorities of the EU member states as well as the European Data Protection Supervisor and the European Commission. In its letters to the big-name search engines, the Working Party says that all three still fail to comply with the Data Protection Directive, which says that user search data should be anonymized after six months.
Since 2007, the EU has urged the big-name search engines to reduce the amount of time they hold data linked to individual users, and though all three have done so, they've yet to satisfy the letter of the law.
Google is now erasing the last octet of a user's IP address from its server logs after nine months, and it removes cookie data after 18 months. This policy was announced in the fall of 2008, and it was implemented sometime before November of 2009.
Google has long claimed that under the new policy, it "anonymizes" IPs after nine months. But that word doesn't mean what they think it means. If a cookie stays intact for 18 months, then restoring those missing eight bits is trivial. Though Google erases the bits on your nine-month-old search queries, they remain intact on your newer queries - and both sets of queries carry the same cookie info.
WP29 is wise to this — not to mention the fact that Google has completely ignored the Directive's six-month limit.
"Deleting the last octet of the IP-addresses is insufficient to guarantee adequate anonymisation," reads the Working Party's letter to Google. "Such a partial deletion does not prevent identifiability of data subjects. In addition to this, you state you retain cookies for a period of 18 months. This would allow for the correlation of individual search queries for a considerable length of time. It also appears to allow for easy retrieval of IP-addresses, every time a user makes a new query within those 18 months."
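The cookie correlation that the Working Party describes can be measured the way an external auditor might, by running a retention policy over a log and counting how many "anonymized" rows a cookie join still resolves to a full IP address. The following is an added illustration, not part of the original article and not any search engine's code: the log rows, the function names, and the 270-day and 540-day stand-ins for nine and 18 months are all assumptions.

```python
from datetime import date
import ipaddress

TODAY = date(2010, 5, 26)  # constructed audit date

# Constructed sample log rows: (day, ip, cookie, query). Documentation-range IPs.
RAW_LOG = [
    (date(2009, 3, 1),  "198.51.100.23", "c-alice", "clinic opening hours"),
    (date(2009, 6, 10), "198.51.100.23", "c-alice", "tenant rights"),
    (date(2010, 4, 2),  "198.51.100.23", "c-alice", "weather"),
    (date(2009, 5, 5),  "203.0.113.77",  "c-bob",   "job listings"),
    (date(2010, 5, 1),  "203.0.113.77",  "c-bob",   "train times"),
    (date(2009, 2, 1),  "192.0.2.9",     "c-carol", "recipes"),  # no later query
]

def zero_last_octet(ip):
    """Erase the last octet of an IPv4 address (keep the /24 prefix)."""
    return str(ipaddress.ip_network(ip + "/24", strict=False).network_address)

def apply_retention(log, today, ip_days, cookie_days):
    """Return the log as stored after the retention policy has run."""
    stored = []
    for day, ip, cookie, query in log:
        age = (today - day).days
        truncated = age > ip_days
        stored.append({
            "day": day,
            "ip": zero_last_octet(ip) if truncated else ip,
            "truncated": truncated,
            "cookie": cookie if age <= cookie_days else None,
            "query": query,
        })
    return stored

def relinkable(stored):
    """Truncated rows whose full IP a cookie join against newer rows restores."""
    full_ip = {r["cookie"]: r["ip"] for r in stored
               if r["cookie"] and not r["truncated"]}
    hits = []
    for r in stored:
        candidate = full_ip.get(r["cookie"]) if r["truncated"] else None
        if candidate and zero_last_octet(candidate) == r["ip"]:
            hits.append((r["query"], candidate))
    return hits

def audit(ip_days, cookie_days):
    """Count truncated rows and how many of them are still re-linkable."""
    stored = apply_retention(RAW_LOG, TODAY, ip_days, cookie_days)
    return sum(r["truncated"] for r in stored), len(relinkable(stored))
```

With the nine-month and 18-month settings, three of the four truncated rows are still tied to a full address; dropping the cookie on the same schedule as the IP brings that to zero, although the /24 prefix that remains still narrows each row to 256 possible addresses.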
In January, Microsoft said that it plans to remove IP addresses entirely after six months, but that it will retain cookie data for a Google-like 18 months. It expects to implement this policy sometime next year. "While the decision to make this change in policy was significant, turning this policy into actionable steps for each of the various security, product and business teams requires a substantial investment of time and resources," the company told us in January. "The systems and processes that support this policy must not only meet a clear standard of compliance, they must ensure our continued ability to innovate."
The company also told us it does "not reconnect an IP Address once it has been removed as part of our standard processes." But again, WP29 wants cookies deleted after six months to ensure this sort of thing doesn't happen. "The policy to delete IP addresses completely after 6 months is a significant improvement," WP29 told Redmond. "However, in order to be able to point to true privacy protection in this area, you should apply the same procedure to all cookies."
Yahoo! has said that it's "now reducing our retention time to 90 days with limited exceptions for fraud, security, and legal obligations," and this means the deletion of the entire IP address. But the Working Party says that Yahoo! has not provided enough information on how it intends to handle cookies and other unique identifiers.
WP29 also said it would ask the US Federal Trade Commission to investigate whether the three search engines have violated US data retention laws. In the press release announcing its letters to the search engines, the EU called out Google in particular. "Considering Google’s dominant position in almost every EU Member State, with a market share of up to 95% in some national search engine markets, the company has a significant role in European citizens’ daily lives. The company’s apparent lack of focus in data retention is concerning," it said.
"Fair and lawful processing of personal data by search engines is becoming more crucial due to the explosion and proliferation of audiovisual data (digital images, audio and video content) and the increasing use of location services on the internet." ®