Search engines race to update privacy policies

Microsoft and Yahoo are the latest to announce limits on how long they will keep Web search data.
Written by Elinor Mills, Contributor
The major search engines are racing to outdo each other in updating their data retention policies in an attempt to assuage concerns that they keep consumer search data too long.

The latest to go public with their moves are Microsoft and Yahoo.

Microsoft and Ask.com also are proposing an industry effort to create voluntary standards for protecting consumer privacy with search and online ads, a move that is likely spurred by Google's plan to acquire a leader in the online ad market.

Microsoft is set to announce on Monday plans to permanently remove the Internet Protocol address and other identifying data associated with Web searches after 18 months unless the searcher wants the information stored for longer. The company will also store search terms separately from account information that personally identifies a user, such as name, e-mail address and phone number, gathered as part of other Microsoft services.

In addition, Microsoft is promising that it will give people the ability to opt out of behavioral ad targeting it offers on third-party Web sites and it will allow people to search and surf its Web sites without being associated with a personal and unique identifier used for such ad targeting.

Meanwhile, Yahoo is vowing to remove portions of IP addresses and personally identifiable cookie IDs within 13 months except when users want the data retained for longer or when the company is required to retain it for law enforcement or legal processes, said Yahoo spokesman Jim Cullinan.

Cookies are small files stored on a computer so that the computer can be recognized when it revisits Web sites, enabling the site to remember the user's preferences for things like e-commerce and sites that require a log-in.

The news comes days after changes at Ask and Google. On Thursday, Ask said it would allow people to search anonymously and would not retain a user's Web search history at all if the searcher didn't want it to. Searchers will be able to change their preferences using a new AskEraser tool, which will reside on the Ask servers and will work with all the major operating systems. Ask said it will retain the search log data for 18 months for people who don't want to be anonymous and then it will disassociate the search terms from the IP address.

Also last week, Google said it would have cookies expire after two years instead of 2038, although for anyone who visits Google even once in the next two years, the cookie expiration date will be extended another two years.

In March, Google said it would start anonymizing the final eight bits of the IP address and the cookie data after somewhere between 18 months and 24 months, unless legally required to retain the data for longer. That would make it much harder to identify the specific computers used for searches.

The risks associated with retaining search data were illustrated last year when AOL inadvertently exposed the searches of more than 650,000 users. The New York Times was able to discover the identity of at least one of the users, highlighting the risks associated with retaining search data logs.

Microsoft and Ask also said they would work together and are asking other companies and organizations to join them in creating industry guidelines for protecting consumer privacy in the areas of search and online advertising. They said they would provide an update on the effort in September.

The moves come amid discussion in the industry over privacy concerns related to Google's proposed $3.1 billion of online ad provider DoubleClick. Privacy advocates have questioned the deal; Microsoft opposes it on antitrust grounds; and the U.S. Federal Trade Commission is looking into it.

"It's a topical area right now, and (the Google-DoubleClick plan) had some influence on us looking at this" now, said Brendon Lynch, director of privacy strategy at Microsoft. "We believe privacy is a very important aspect for our business going forward."

But where do Yahoo and Google stand on the self-regulation effort? Neither company would give a straight answer to that question.

"We're certainly open to having conversations about technical issues, but we don't think this is the right time to participate in that," said Yahoo's Cullinan, without elaborating.

A Google spokeswoman provided this statement: "Our goal is to improve privacy protection and data security for all Internet users by continuing to innovate in the area of privacy."

Editorial standards