Europe warns Google, Microsoft, others about search data retention

Google, Microsoft and Yahoo are retaining detailed search engine data for too long and not making it sufficiently anonymous later, in violation of European law, the European Union's data protection advisory body has warned.

The three companies received letters Wednesday from the Article 29 Data Protection Working Party, which oversees data protection issues in the E.U.

Since 2008, the working party has pressured search companies to retain highly detailed search records for no longer than six months. Google, Yahoo and Microsoft all agreed to modify how long they store the detailed data. Their policies currently vary, but some data is kept for up to 18 months.

The data collected by search engines can include a host of details, including the search terms, the date and time of the search, the searcher's IP address and the brand of browser, operating system and language used.

Google keeps the full data for nine months and then obscures the last octet of the IP address. The working party wrote to Google and said that the company's policy does not protect the "identifiability of data subjects." Also, Google retains cookies -- data files used to track how a person moves around a Web site -- for 18 months, which would also allow for the correlation of search queries, the working party said.

In a news release, the working party singled out Google, saying that company's 95% market share in some European countries means it "has a significant role in European citizens' daily lives."

"The company's apparent lack of focus in data retention is concerting," it said.

In response, Google said "we develop our policies based on what provides the best experience for users -- both in terms of respect for their privacy and the quality and security of our services."

The E.U.'s Data Protection Directive, which the working party accused the companies of violating, does not dictate a specific time period for how long data should be retained. But data protection authorities in individual countries could opt to force companies to abide by the working party's recommendations.

By mid-year, Yahoo expects to fully implement a policy that would "de-identify" most of its user log files after three months. Other log files are stored in an "identifiable form" for up to six months for reasons of fraud detection, abuse management and legal obligations, according to the company.

The working party told Yahoo that the company has not provided enough information about its user identifiers and cookies.

In late 2008, Microsoft called on its rivals to observe the six-month recommendation. Today, it said it will delete entire IP addresses from search queries at six months. But the working party also found fault this week with the way Microsoft handles cookies for registered and unregistered users of its search engine.

Microsoft also took a veiled swipe at Google on Thursday, saying the working party should ensure that "the whole search market, including the 95% that in some markets is held by a single company, is held to a single standard."

The working party is calling for the companies to use an outside auditor to verify if search engine data is being adequately scrubbed.

The working party has also sent a letter to the U.S. government's Federal Trade Commission, asking if the companies' practices are in conflict with the Federal Trade Commission Act, which deals with unfair and deceptive practices.

Send news tips and comments to jeremy_kirk@idg.com.

FREE Computerworld Insider Guide: IT Certification Study Tips
Join the discussion
Be the first to comment on this article. Our Commenting Policies