On the eve of the RSA security conference, there's a showdown in the offing between "Old Europe" and U.S. search operators. Earlier Monday word leaked about a European regulatory plan to press search engine providers to dump personal search data after six months.
Barring the unforeseen, it's likely the European Commission will look kindly upon the plan. This would be quite a big deal, setting the stage for a continent-wide challenge to the way big search engine companies set procedures handling log deletion and browser cookies.
Until now, privacy advocates haven't gotten very far convincing search companies to drastically curtail the length of time they retain data. For instance, the argument made by Google is that keeping log data around can keep you safe, help prevent fraud, and improve search results (using the argument that "better data makes for better science").
That all may be true--though I've known more than a few security experts who argue otherwise--but this is less a matter of computer science than of public policy. And it's not a fight the search engine companies are going to win. Can you see some congressman campaigning back in the home district for reflection on the campaign plank, "What's good for Google is good for all the rest of us?" I don't think so.
On its public policy blog, Google sounded less than thrilled with the news, although it boiled any bitterness out of its official reaction.
We believe that data retention requirements have to take into account the need to provide quality products and services for users, like accurate search results, as well as system security and integrity concerns. We have recently discussed some of the many ways that using this data helps improve users' experience, from making our products safe, to preventing fraud, to building language models to improve search results. This perspective -- the ways in which data is used to improve consumers' experience on the web -- is unfortunately sometimes lacking in discussions about online privacy.
The Working Party's findings also stated that IP addresses should be treated as personal information, with the full weight of data protection laws. Based on our own analysis, we believe that whether or not an IP address is personal data depends on how the data is being used.
The findings are another important step in an ongoing dialogue about protecting user privacy online -- a discussion in which Google will continue to be engaged. It's also a debate in which we hope our users will participate.
Google figures that it's already met privacy advocates' demands by reducing to 18 months from 24 months the length of time it stores private data. I imagine Microsoft, which similarly retains data for 18 months and Yahoo, which keeps data for 13 months, feel the same. They can't be thrilled with what's going on because it presents a threat to their Internet business. Unfortunately for them, there's not a really good counter-argument. (Here's a good primer News.com assembled on the companies' respective privacy policies.)
Greg Sterling of SearchEngineLand.com offered a quote to Bloomberg that was spot on:
"Today's decision may threaten "the golden goose" of the broader business of Internet advertising, which uses customers' online records to offer personally targeted ads, Greg Sterling, an analyst at Sterling Market Intelligence in San Francisco, said in a telephone interview."
That's why you can expect search engine companies to fight as hard as they can, enlisting support from political and business allies. But when it comes to privacy, most people are less concerned with the stock price of big tech powerhouses than they are in keeping their personal data safe.