Google will start making its records about users' searches anonymous after 18 to 24 months under a policy announced on Wednesday.
Until now, the dominant search company has indefinitely retained a log of every search, with identifiers that can associate it with a particular computer. The new policy, to be implemented within the next year, is intended to better protect users' privacy, two executives wrote in a Google Blog entry posted on Wednesday.
Privacy advocates have raised alarms over search providers and other internet companies retaining information about users' activities because that data could be subpoenaed by law enforcement, be lost by the provider, or fall into the hands of hackers.
Under the new policy, unless Google is legally required to retain them longer, server logs will still be retained but will be "anonymised" after 18 to 24 months so that they can't be identified with individual users, according to the blog entry. It was written by Peter Fleischer, Google's privacy counsel for Europe, and Nicole Wong, the company's deputy general counsel. Engineers are working out the technical details now, they wrote.
Google keeps the server logs so it can improve services and protect them from abuse and security threats, the company said. Each search record includes the query, IP (Internet Protocol) addresses and cookie details.
The Mountain View, California, company instigated the move on its own after talking to "leading privacy stakeholders" in Europe and the US, the blog entry said. Data retention laws may force the company to retain logs for a longer time, it said.
Two hi-tech civil rights groups called the move a good first step but said more work needs to be done.
"This is a big step in the right direction," said Ari Schwartz, deputy director of the Center for Democracy and Technology, in a written statement.
"Keeping the data around forever significantly compromises (Google's) users' privacy," said Kevin Bankston, a staff attorney at the Electronic Frontier Foundation, in San Francisco. The US government probably has subpoenaed search log data on individuals in criminal investigations, a move it wouldn't necessarily have to reveal, he said. Another danger is that an angry spouse or business partner could obtain the information in the course of a lawsuit, Bankston said.
"We'd love to see a shorter retention period and more complete anonymisation," Bankston said. Google should also extend the policy to its other products, which include Gmail, Google Calendar, Google Maps and other web-based tools.
Other major search providers, such as Yahoo and Microsoft's MSN, haven't even revealed as much as Google has about what they do with server logs, Bankston said.
AOL last year posted on its research website about 20 million search records from about 658,000 of its members. Each user was identified by a unique number. The move created a scandal that toppled AOL's chief technology officer and two other employees. Users later sued, asking a court to order the company to stop saving the records.
Bankston believes Google has a better method of anonymising records but said AOL does so after just 30 days. Still, Google could adopt a better technique, such as removing the associated IP address altogether, he said.