

The net's search engines may soon have to develop a long-term memory loss program, after European regulators found that companies such as Google and Yahoo violate European data protection rules by keeping data for too long and not telling users how stored search queries and clicks help target advertisements.

If adopted by the European Commission, the findings (.pdf) are likely to lead to the first stringent regulation of search engines.

The rules' reach would also likely extend to cover Americans' net use, due to the technical difficulty of determining whether a particular user is or isn't a citizen of an EU country.

Jeffrey Chester, who heads the Center for Digital Democracy, hailed the new rules as reasonable limits that may force more meaningful privacy rules by U.S. companies.

"After Google bought DoubleClick, it now owns the biggest cookie jar in the universe, and it doesn't want to empty it out every six months," Chester said.

Instead of discarding or obfuscating some details after 13 to 18 months, search engines need to purge personal data after six months or explain very carefully why they need to keep data longer, according to a Friday report from the European Union's Article 29 Data Working Party.

Additionally, search engines will have to get explicit permission to cross-correlate information from various services – such as Yahoo's news, email and fantasy baseball site. The commission also determined that IP addresses that a search engine logs are considered personal information, because civil litigants or the police could tie that IP address to a person through legal process.

If adopted, those rules would sharply curtail the hungry data collection of companies like Google, which say they need long-term data to fight fraud and improve search relevance.

Chester and other privacy groups have been unsuccessfully pushing the U.S.'s Federal Trade Commission to impose similar conditions on search engines via their review of mergers like Google's recent acquisition of DoubleClick, an ad-delivery and tracking giant. The FTC approved that merger in December without attaching conditions.

"Here you had reasonable intelligent people who listened to the argument and came up with a moderate course of action, saying you have to explain what you are doing and have reasonable limits on how you collect this information," Chester said. "When we say the same thing to U.S. regulators or Google or Yahoo, they look at us like we are the children of Karl Marx."

Google signaled that it intended to fight the adoption of the rules in a blog response from its global privacy lawyer Peter Fleischer.

"We believe that data retention requirements have to take into account the need to provide quality products and services for users, like accurate search results, as well as system security and integrity concerns," Fleischer wrote Monday.

"This perspective – the ways in which data is used to improve consumers' experience on the web – is unfortunately sometimes lacking in discussions about online privacy."

The Working Party also took issue with Google's data retention practices, where Google attempts to anonymize search engine logs after 18 months by removing the last section of an IP address (e.g. 71.202.117.xxx). That may not be enough to anonymize users, the group found, since it only rules out 254 possible IP addresses. It is possible, the commission argued, for law enforcement to re-identify a person by combining queries and the slightly redacted IP address.
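An added example, not from the article or from any search engine's code: a Python audit that applies the last-octet redaction described above to a constructed sample log and reports which redacted records still trace back to a single source address once the query is taken into account. The log entries, function names and the threshold `k` are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log of (source IP, query) pairs; documentation-range
# addresses, not real data.
SAMPLE_LOG = [
    ("198.51.100.17", "weather berlin"),
    ("198.51.100.17", "rare orchid nursery elm street"),
    ("198.51.100.42", "weather berlin"),
    ("198.51.100.200", "football scores"),
    ("203.0.113.5", "weather berlin"),
    ("203.0.113.5", "football scores"),
    ("203.0.113.9", "football scores"),
]


def truncate_last_octet(ip):
    """Redact the final octet of an IPv4 address (71.202.117.xxx style)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(str(addr).split(".")[:3]) + ".xxx"


def ips_per_prefix(log):
    """Distinct source IPs hidden behind each redacted prefix alone."""
    groups = defaultdict(set)
    for ip, _ in log:
        groups[truncate_last_octet(ip)].add(ip)
    return {prefix: len(ips) for prefix, ips in groups.items()}


def singled_out(log, k=2):
    """Redacted (prefix, query) records produced by fewer than k source IPs.

    k is an assumed threshold for this example, not a figure from the report.
    """
    groups = defaultdict(set)
    for ip, query in log:
        groups[(truncate_last_octet(ip), query)].add(ip)
    return sorted(rec for rec, ips in groups.items() if len(ips) < k)


if __name__ == "__main__":
    print("IPs per redacted prefix:", ips_per_prefix(SAMPLE_LOG))
    for prefix, query in singled_out(SAMPLE_LOG):
        print(f"still unique after redaction: {prefix}  {query!r}")
```

Records returned by `singled_out` are the ones a retention review would flag for further generalization or deletion, since the query narrows the redacted prefix back to one address in the log.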

The Working Party's recommendations are based on Europe's Data Protection Directive, which is based on the core data privacy practices of notice, consent and choice.

However, search engine companies that also offer web mail have to comply with a different EU directive, the Data Retention Directive, that compels them to store communications data for six months to two years.

The U.S. has no such policy, though the Justice Department has pushed for such rules in the past.

Image: Danny Sullivan
