EU to Google: Drop data

• Posted by
• On October 07, 2008

      I read in the International Herald Tribune that European regulators are getting impatient with Google over its privacy practices. Actually, they're mad at Microsoft and Yahoo as well, but Google gets the most attention.

      According to the article: 

"For the moment, Google refuses to submit to European data protection law," said Alex Türk, the French data protection chief, who is also the chairman of a European Commission working group on the issue.

      The European Commission wants search engines to delete user data after six months. Google recently announced it was cutting data retention time from 18 months to nine months. (MSN LiveSearch holds data for 13 months, while Yahoo still keeps it for 18 months.) That's not good enough for European regulators.

      It makes me wonder; how did the EC come up with the six month time frame? Does it just sound good? I've never seen an explanation of why six months is better than nine.

      I recently had the opportunity to talk with Nicole Wong, Associate General Counsel and privacy lead at Google, about the company's policies. Google is not capricious in setting its policies, she insists. The company recognizes that "user trust is one of the biggest assets we have." All the negative publicity about the amount of information Google collects hurts that trust factor in the company. 

      She says that every time Google designs a product, her privacy team gets involved at the start, asking questions about privacy. "What information are you collecting? How are you using it? Who will you  share it with? How do you keep it secure?

      The goal of the privacy team is to make sure the developers are not asking for more than they should. Their feedback is designed into the products.

      On the issue of data retention, Google's first default was 18 months, implemented after privacy organizations raised complaints. "The 18 month announcement in 2007 was after hearing feedback from users, from regulators, from privacy advocates," says Wong. "By keeping things indefinitely, it doesn't give people enough certainty to trust [us]. We heard that and so we said, 'OK fine, we'll set a definite date, 18 months.' 

      Obviously, that was not enough. So, Wong says, she kept going back to the engineers to see if the company could do better, and if there was a good reason for the cutoff. 


      The main argument that came back was dealing with malicious attacks: security, spam, fraud, denial of service attacks. "The fact of the matter is that the person successfully attacking us today has probably been trying for two years," she says. Retaining data allows the engineers to go back through the data to find patterns leading up to the attacks, which helps them figure out what the next step in the attack might be, how best to end the attack and keep it from happening again.

      Of course, there's also the issues of tracking user patterns to deliver better search results and relevant ads -- even spell checking in languages not common on the Internet, such as Ukranian, get better if a Ukranian's history is kept.

      Wong says the engineers kept working on the problem, analyzing how to keep out evil hackers and how to provide a good service cutomized to specific IP addresses, and finally came back with nine months. "Our engineers said that they thought that they could still get pretty good results, pretty good robustness, pretty good security, based on nine months." 

      So several weeks ago, Google announced its new policy of anonymizing data after nine months. "And I'll be really candid, we're giving up stuff [by cutting back to 9 months,] she adds."

      So I raised the opposite question: Given Google's promise to put users first, and given the fact that it's privacy advocates, and rarely users themselves, who insist on these terms, doesn't that mean Google is giving in to political pressure and providing a lesser service to its users?

      The short answer is yes. But negative publicity is just as bad. "If [users] think that we are selfishly keeping data, that we're at risk of a hacking attack and all of this data is stored there, then we're going to lose the trust and they won't come either, no matter how good the service is."


      Still, Google is not likely to avoid criticism, no matter what it does. For one thing, many people are simply skeptical that Google needs those data logs, and don't trust what Google says about how it uses the data, despite its privacy policies, which it publishes on its site. (There's a link to a page detailing its privacy policies from Google's home page, including several videos talking about the issue.)

      Some people will never be satisfied. Wong told me of on privacy advocate that insisted Google should not keep any history of people's searches; if a user wants a history of her own searches, she should just write them down on paper.

      Personally, I don't care at all how much data Google collects. Nobody I've ever talked to has said why they're afraid of Google keeping data. Because they'll sell it to spammers? Turn it over to Homeland Security? Sell it to the Chinese? People just have a "bad feeling" about letting someone collect data. Google becomes Big Brother.

      It's a shame, because the end result is a service that doesn't work as well as it should. Google already offers privacy options, enabling people to limit what info Google collects. I'd be happy to choose the option "all of it, for as long as you want."

      But then, I'm kind of strange that way. Or maybe just not as paranoid as others. I'm sure Homeland Security has all the data about me as it is, with or without Google's help.

• Tags: google privacy search regulation europe

Vote and let your voice be heard!
Should users worry about the amount of data Google collects when they use its products -- and why?
YES      1	NO      3
Click to Vote Yes	Click to Vote No

• Comments (0)
• Email This
•