In their own words: Search engines on privacy

(continued from previous page)

We retain search server logs for 18 months for a number of reasons, including: to improve our search algorithms for the benefit of users; to defend our systems from malicious access and exploitation attempts; to maintain the integrity of our systems by fighting click fraud and Web spam; to protect our users from threats like spam and phishing; to respond to valid legal orders from law enforcement as they investigate and prosecute serious crimes like child exploitation; and to comply with data retention legal obligations.

How long do you retain those data?
Grand: Google was the first leading search company to publicly announce a finite data retention period for server log data. We will anonymize our server logs after 18 months.

If you retain data for a limited period of time, is it completely deleted (in such a way that the data and backups cannot be recovered even under court order) or is it anonymized instead?
Grand: We are putting significant resources into creating processes for reliably anonymizing server log data. Although we are still developing our precise technical methods and approach, we can confirm that we will delete some of the bits in logged IP addresses (i.e., the final octet) to make it less likely that an IP address can be associated with a specific computer or user. And while it is difficult to guarantee complete anonymization, the network prefixes of IP addresses do not identify individual users. We will also obfuscate cookie IDs.

Logs anonymization will not be reversible. We will intentionally erase, rather than simply encrypt, logs data so that no one (not even Google) can read it once it has been anonymized. Finally, logs anonymization will apply retroactively and will encompass all of Google's search logs worldwide.

If the data are anonymized, exactly how do you do this?
Grand: N/A.

Do you do behavioral targeting, meaning showing ads to users based on their behavior across multiple queries?
Grand: We are committed to protecting user privacy. We also want to provide users with a more rewarding online experience by making the advertising and content users see relevant to them. We believe the targeting capabilities, reporting and analytics we offer today provide advertisers with an excellent ROI and provide a high-quality user experience. Currently, our system incorporates a large number of signals (such as the user's query, the user's location, type of site, content, and the advertiser's landing page) when targeting and ranking ads. We have not focused on demographic targeting to date for targeting ads on search result pages.

If you do, is there a way for users to opt out of behavioral targeting?
Grand: N/A.

We weren't able to figure out your answer to our question asking whether you do behavioral targeting. In other words, if I search for "New York City vacation" in one query and "vacation hotels" in a second query a moment later, does Google.com evaluate the two responses, figure out that I'm probably looking for New York City hotels, and display ads appropriately?
Grand: No.

Do you use knowledge about your users (such as ZIP code, e-mail address, gender, or birthdate) obtained through user registration to deliver targeted ads on your search engine?
Grand: No.

Do you use knowledge about the identities of your users' instant messaging or e-mail correspondents when using those services, or the contents of those communications, to deliver targeted ads on your search engine?
Grand: No.

Microsoft

Here are responses from Peter Cullen, chief privacy strategist at Microsoft. The company saw its search market share get a boost recently as a result of a Microsoft program that offers rewards to people for using the Live Search site.

What search-related data--including IP addresses, cookie IDs, user identities, and search terms--do you retain?
Cullen: Live Search records what was queried, the type of search (image, Web, local, etc.), the date and time that it was processed, the IP address from which the query came, and a cookie-based unique ID. We store our Live Search service search terms (and the cookie IDs associated with search terms) separately from any account information that directly identifies the user, such as name, e-mail address, or phone numbers. Further, we have built in technological and process safeguards designed to prevent the unauthorized correlation of this data.

Our commitments to privacy in the search and advertising arenas are outlined in detail in our Privacy Principles for Live Search and Online Ad Targeting(PDF). Furthermore, Microsoft has called on the industry and the privacy community to come together to engage in a dialogue regarding global privacy practices for data usage and protections related to search and online advertising. It is important for consumers that we create an online environment where people can search and surf online without having to navigate a complicated patchwork of privacy protections.

How long do you retain those data?
Cullen: In July, we announced that we will retain search records associated with identifiers such as IP addresses for 18 months, unless we receive user consent to a longer time period. After 18 months, we will permanently anonymize the data, and it will only be retained in this anonymous form. Microsoft believes this time frame strikes the right balance between protecting the privacy of our customers and enabling us to help protect our customers and the broader ecosystem from security threats, including botnet attacks, spam, denial-of-service attacks, click fraud and worms.

If you retain data for a limited period of time, is it completely deleted (in such a way that the data and backups cannot be recovered even under court order) or is it anonymized instead?
Cullen: The data is anonymized permanently and irreversibly, which means that it cannot be traced to an IP address or to an individual. From the beginning, Microsoft never stores search terms with personal information, to help protect privacy.

If the data are anonymized, exactly how do you do this?
Cullen: After 18 months, we will permanently remove the entirety of the IP address and all other cross-session identifiers, such as cookie IDs, from the search terms. This strict approach reflects Microsoft's belief that to protect privacy and make search query data truly anonymous, all cross-session identifiers and IP addresses must be removed in their entirety from the data.

Do you do behavioral targeting, meaning showing ads to users based on their behavior across multiple queries?
Cullen: Through our adCenter service, Microsoft offers behavioral targeting to bring relevant advertising to consumers and to enable advertisers to connect with more people who are likely to be interested in their products and services. At the same time, Microsoft maintains a strong focus on protecting customers' privacy and adheres to high privacy standards.

[Dolphie1]

Re: Google

This article appears flawed. Google does utilize behavior based tactics. Conduct a search on any topic and notice the ads on the search page. Wath the type of ads which appear relative to one's search habits.

[declan00]

not behavioral targeting

That's not what people mean by behavioral targeting. Read the question and the response more closely.

[spothannah]

"a few hours"

When your talking Whooping Cranes a few = 2. When your talking Population of China a few = a couple of million. Please make them define "few" with at least an upper limit like "24 hours."