Enter the law
But beyond the search optimization rationale, Google has another justification behind its 18 months of data retention: the law. "While shorter retention periods are good for privacy, longer retention periods are needed for security, innovation and compliance reasons," wrote Peter Fleischer, Googles global privacy counsel, in the posting in which he announced that Google would anonymize data after 18 months.No doubt thats true, but the majority of data retention laws being discussed or implemented pertain to ISPs or telephony providers; only one, in Germany, appears to pertain to e-mail providers. "I would like Google to point out specific legislation that requires a private company in the search business to retain data," said PIs Simon Davies. "I cant. Im not aware of any such law. There is data retention in Europe, but it doesnt apply to keeping search strings for 18 months. If were talking about a week, perhaps well have room for negotiation. But I suspect Google, like other major players, is on the wrong highway. Whatever techniques theyre requiring shouldnt require retention for that long a time." Either way, Davies said, the process of data retention requires "full scrutiny." What does Google have to say about the validity of other criticisms in the PI report? The one thing that Google grants it could do better onmaybe, if the charge is in fact legitimateis being clear on its policies. "If were not being clear, shame on us because we should be," Wong said. "We try hard to be." One thing privacy advocates would like to see Google do is to get a privacy czar. One of PIs complaints was that nobody at Google got back to the organization when contacted about privacy concerns. "Google was invited to provide any data that would help its case," Davies said. "We tried to reach Google at Mountain View I suppose it would have been [in May]. Five, six days before publication of the report I called Peter Fleischer, [Googles] global privacy lead, and warned him the report was coming out and Google wasnt looking good. I asked Peter to send me anything we could take into consideration in finalizing the report, and nothing came back. Peter did ask me to come to Paris to meet, but it was a busy week. The last thing I was going to do was come to Paris to be one of 23 other organizations." If Google had provided the PI with a response, privacy advocates say, the company likely would have come off looking a lot better in the report. They point to this omission as being an indication that the company needs a clearer path to reporting privacy issues. "Google needs a privacy officer," said Beth Givens, director and founder of the Privacy Rights Clearinghouse, when asked what steps privacy experts believe would help Google shape up. Google finds the notion odd, pointing not only to on-staff privacy experts Fleischer and Wong but to the product development lifecycle now in place at Google, instituted when Wong was brought on-board, in which every product launched includes on its team a lawyer trained on privacy issues who works with product development from the get-go. The back and forth will continue for the foreseeable future, particularly given Googles proposed merger with DoubleClick. Some say that in the end its up to consumers to police the information they give to Google or to anybody, but in fact Google garners information from the simplest action as performing a search. Consumers always have options to Google. Or, rather, when it comes to privacy, given that Yahoo and Microsoft are hardly more privacy sensitive, there is only one option: Ixquick. Take your pick: If the choice comes down to being owned by Google and using Ixquick, given Googles overwhelming popularity, chances are that most consumers are going to put their privacy on the line. Editors Note: This story was updated to include comments from Google.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Legal compliance is a compelling justification for data retention. The problem is, nobody seems to be able to locate the laws that Google is talking about. Google acknowledges that its data retention period is based on parameters being discussed now in the European Union as opposed to any existing laws. A Google spokesperson points to a site run by European Digital Rights that tracks legal maneuverings around data retention in the EU, providing a round-up of implementation status on a country-by-country basis. "The status is changing almost daily," she wrote in an e-mail exchange.