Yesterday, Google announced a revised log retention policy, saying "we'll anonymize IP addresses on our server logs after 9 months," instead of the previous 18-24 months. Other information, like cookies, will stay on the longer retention plan. The announcement was in conjunction with Google's response to the European Union's Article 29 Working Party. The Working Party had previously said "In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months."
Google's original 18 month log retention policy was a good first step, and the 9 month policy is an excellent second step towards bring their policy in line with EFF's Best Practices for Online Service Providers, which recommends a combination of obfuscation, aggregation and deletion.
We appreciate that Google continues to re-assess its data retention policy, and hope it will further reduce the time period that the search giant keeps personally identifiable logs. The importance of eliminating logs was recently illustrated by the Viacom-Google lawsuit, in which federal court ordered Google to produce to Viacom (over Google's objections) the Logging Database for YouTube, showing who watched each and every video on YouTube. The court's ruling violated the Video Privacy Protection Act, and, after EFF brought the user viewing data controversy issue to light, Viacom narrowed its request. In yesterday's announcement, Google acknowledged that "privacy leaders also highlighted the risks of litigants using court-ordered discovery to gain access to logs, as in the recent Viacom suit."
In addition, Google announced that it was changing its retention policy with the Google Suggest feature. EFF and others were concerned because, in order to implement Google Suggest, the Google Chrome browser sends anything typed in the browser's Omnibox back to Google. Google Suggest is also used in Google Search, Google Toolbar, Firefox, and the Google Search application on the iPhone. Google said "given the concerns that have been raised about Google storing this information -- and its limited potential use -- we decided that we will anonymize it within about 24 hours."
Google did not provide the technical details of its new policies, writing it had not "sorted out all of the implementation details, and we may not be able to use precisely the same methods for anonymizing as we do after 18 months, but we are committed to making it work." As we know from the AOL search history debacle, anonymization is not easy. Under the announced policy, only IP addresses will be directly anonymized, and effective anonymization will be especially challenging since Google retains cookie information for longer than the IP information. We look forward to seeing the details.