The following text is copyright 2008 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.

 

Telling Google and others to do less evil

 

By: Scott Bradner

 

The search engine companies Google, Yahoo and others are in the data gathering business.  The fact that they offer you and me the service of locating things on the Internet is a means to an end, and that end is data about what you & I do on line.  They are like the folks that hoard string - the more string they gather the better they feel even if there is little of no actual use for most of what they gather.

 

Left to their own devices the search engine companies would keep the data they collect about you forever but they are slowly waking up to the fact that the Orwellian aspects of their business was beginning to get to people.  (See Orwell did not guess the worse half of it - http://www.networkworld.com/columnists/2006/022706bradner.html)  Recently Google decided to reduce the time it kept data about your searches to 18 months, an improvement but not a cure for the problem.  (See "Google: looking good by doing less evil" - http://www.sobco.com/nww/2007/bradner-2007-03-26.html)

 

Europe feels differently about privacy than the US does.  In the US there are almost no controls on the information companies collect about you. There are a few controls on what data government can collect but it looks like the government can get around the restrictions by buying access to the same date from the private sector.  In Europe they have the quaint idea that people have a right to some level of privacy and they enforce it in law.  The best that the US government is willing to do is to establish voluntary guidelines.

 

The EU has now fired a warning shot across the bows of the search engine companies.  A draft report (http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/wp148_en.pdf) on the relationship between search engine business models and European privacy laws has found plenty to worry about.  The report concludes that search engine companies have not shown that they actually need to retain info collected about us for more than 6 months.  The search engine companies put forth a number of reasons that they want to keep the data longer than that but the report (in Section 5.2) effectively demolishes the reasons.  For what it's worth, I find it very hard to imagine how data older than some small number of months (6 sounds fine) can contribute meaningfully to predicting what I'm interested in so that I can be shown ads that might attract my attention (which, after all, is the reason to collect the data in the first place).

 

Google posted a reaction to the EU draft report (http://googlepublicpolicy.blogspot.com/2008/04/european-commissions-data-protection.html) in which they repeated some of the arguments that the draft report, in my opinion, properly dismissed. 

 

The draft report also concluded that IP addresses are personal info because they can help identify a person.  The Google response referred to a previous posting on the topic (http://googlepublicpolicy.blogspot.com/2008/02/are-ip-addresses-personal.html).  But this posting, given the best possible spin, is deeply misleading.  It is patently absurd to ignore the vary large number of IP addresses that are not dynamic and to ignore the fact that even dynamic addresses can be stable for months at a time (as mine was when I had cable-based Internet service.  There is not question in any reasonable person's mind that very many IP addresses do identify a person.  It is just this kind of clever but purposefully misleading "information posting" that has destroyed the creditability of the search engine companies when it comes to privacy related topics.

 

As a final note, the EU draft report also requires that search engines include a link to their privacy policies on their home page and the search results.  Such links are also required under California law (http://info.sen.ca.gov/pub/03-04/bill/asm/ab_0051-0100/ab_68_bill_20031012_chaptered.html).  Yahoo complies with this requirement - Google does not.  Google does have a privacy policy (http://www.google.com/privacy) and it's clear and too long. But maybe hiding the policy is just another indication on what Google actually thinks about privacy.

 

disclaimer: Harvard is required by law to protect the privacy of its students and has not offered an opinion that this is not a good idea, in any case the above review is my own.