The European Union’s Data Protection Working Party last month asked Google not to keep these server logs for any length of time, unless it had the explicit consent from users to do so. Registered Google users have their search data stored by the company, as well data about the way they use other Google products. Unregistered users, that is, those who do not have a Google account, have a cookie that lives for about 30 years to track some of their search habits.
Google’s global privacy lawyer Peter Fleischer said, on the company’s web site, long retention periods of user data are needed for security, innovation and compliance reasons. He added that Google’s retention policies were consistent with EU data protection laws.
However, some privacy industry observers have charged that Google actually holds onto data to better target its users. Among Google’s list of reasons for retaining search server logs is to improve its search algorithms for the benefit of users, Fleischer said. Also, to defend its system from malicious access and exploits, and to protect users from click fraud, web spam and phishing, he said.
Others have questioned whether this information would eventually be targeted by third-parties, including the US government or legal system.
Google acknowledges that it shares statistics about its users’ search habits, but has said it does not – and would not – share personally-identifiable data with anyone outside the company. Responding to valid legal orders from law enforcement as they investigate and prosecute serious crimes like child exploitation is among the reasons Google keeps personal-search records, Fleischer said yesterday.
On the issue of cookies, he said Google was considering the regulator’s concerns over cookie expiration periods, and was exploring ways to redesign cookies and to reduce their expiration without artificially forcing users to re-enter basic preferences such as language preference. The Mountain View, California-based company plans to announce privacy improvements for its cookies in coming months, he said.
Fleischer also pointed out that future data retention laws may obligate Google to raise its data retention period to 24 months. We also firmly reject any suggestions that we could meet our legitimate interests in security, innovation and anti-fraud efforts with any retention period shorter than 18 months, he said.
Late last week, a new report called A Race to the Bottom, published by a London-based advocacy outfit ranked Google as the worst offender of Internet users’ privacy, based on its six-month study of 23 Web services companies.
Our View
As Google continues to expand into new areas, such as IP telephony and web conferencing, for example, it becomes increasingly important that the company is held accountable for what it does with all that personal data.
Enterprises should care because chances are their workers use at least Google’s search engine. It may only be a matter of time before they begin using Google also for email or some other service. It also is likely only a matter of time before, for example, a remote worker decides to send a confidential corporate document or presentation from their personal gmail account because the company’s VPN is down.
When Google indexes this information, it matters how that information is being stored and, even more, how it is being protected.
