CNet news sent Google, Yahoo!, Microsoft, Ask.com and AOL a survey on privacy issues.
Each one was asked the same questions, which were:
- What search-related data–including IP addresses, cookie IDs, user identities, and search terms–do you retain?
- How long do you retain those data?
- If you retain data for a limited period of time, is it completely deleted (in such a way that the data and backups cannot be recovered, even under court order) or is it anonymized instead?
- If the data are anonymized, exactly how do you do this?
- Do you do behavioral targeting, meaning showing ads to users based on their behavior across multiple queries?
- If you do, is there a way for users to opt out of behavioral targeting?
- Do you use knowledge about your users (such as ZIP code, e-mail address, gender, or birth date) obtained through user registration to deliver targeted ads on your search engine?
- Do you use knowledge about the identities of your users' instant messaging or e-mail correspondents when using those services, or the contents of those communications, to deliver targeted ads on your search engine?
AOL's answers to each were:
- Under AOL's policy this kind of data may be retained for 13 months.
- 13 months
- After 13 months only aggregate search terms are retained.
- Not applicable
- No. We do use information provided by the user for localization purposes to return more relevant search results for the specified location, such as when a user enters a preferred location through the AOL My Locations feature, or when the user enters a query with explicit local intent (i.e. weather "20166")–such as local business names.
- With the upcoming launch of AskEraser, a user's IP address, search data cookie ID and search query will be completely deleted and expunged.
- Users of AskEraser will have their complete IP address, complete search data cookie ID, and complete search query eliminated in a few hours or less.
- Users of AskEraser will have their complete search query data eliminated so that no one who requests it from Ask.com will be able to access it–ever.
- Since users of AskEraser have their complete search data totally deleted, none of their data is ever anonymized.
- Not applicable, per the above answer.
- We wrote last month that AskEraser will launch by the end of the year. Do you have a more specific date?
- We don't have a more specific one.
- We retain search server logs for 18 months for a number of reasons, including: to improve our search algorithms for the benefit of users; to defend our systems from malicious access and exploitation attempts; to maintain the integrity of our systems by fighting click fraud and Web spam; to protect our users from threats like spam and phishing; to respond to valid legal orders from law enforcement as they investigate and prosecute serious crimes like child exploitation; and to comply with data retention legal obligations.
- Google was the first leading search company to publicly announce a finite data retention period for server log data. We will anonymize our server logs after 18 months.
- We are putting significant resources into creating processes for reliably anonymizing server log data. Although we are still developing our precise technical methods and approach, we can confirm that we will delete some of the bits in logged IP addresses (i.e., the final octet) to make it less likely that an IP address can be associated with a specific computer or user. And while it is difficult to guarantee complete anonymization, the network prefixes of IP addresses do not identify individual users. We will also obfuscate cookie IDs. Logs anonymization will not be reversible. We will intentionally erase, rather than simply encrypt, logs data so that no one (not even Google) can read it once it has been anonymized. Finally, logs anonymization will apply retroactively and will encompass all of Google's search logs worldwide.
- Not applicable.
- We are committed to protecting user privacy. We also want to provide users with a more rewarding online experience by making the advertising and content users see relevant to them. We believe the targeting capabilities, reporting and analytics we offer today provide advertisers with an excellent ROI and provide a high-quality user experience. Currently, our system incorporates a large number of signals (such as the user's query, the user's location, type of site, content, and the advertiser's landing page) when targeting and ranking ads. We have not focused on demographic targeting to date for targeting ads on search result pages.
- Not applicable.
- We weren't able to figure out your answer to our question asking whether you do behavioral targeting. In other words, if I search for "New York City vacation" in one query and "vacation hotels" in a second query a moment later, does Google.com evaluate the two responses, figure out that I'm probably looking for New York City hotels, and display ads appropriately?
- Do you use knowledge about your users (such as ZIP code, e-mail address, gender, or birthdate) obtained through user registration to deliver targeted ads on your search engine?
Microsoft Corp's answers were:
- Live Search records what was queried, the type of search (image, Web, local, etc.), the date and time that it was processed, the IP address from which the query came, and a cookie-based unique ID. We store our Live Search service search terms (and the cookie IDs associated with search terms) separately from any account information that directly identifies the user, such as name, e-mail address, or phone numbers. Further, we have built in technological and process safeguards designed to prevent the unauthorized correlation of this data. Our commitments to privacy in the search and advertising arenas are outlined in detail in our Privacy Principles for Live Search and Online Ad Targeting (PDF). Furthermore, Microsoft has called on the industry and the privacy community to come together to engage in a dialogue regarding global privacy practices for data usage and protections related to search and online advertising. It is important for consumers that we create an online environment where people can search and surf online without having to navigate a complicated patchwork of privacy protections.
- In July, we announced that we will retain search records associated with identifiers such as IP addresses for 18 months, unless we receive user consent to a longer time period. After 18 months, we will permanently anonymize the data, and it will only be retained in this anonymous form. Microsoft believes this time frame strikes the right balance between protecting the privacy of our customers and enabling us to help protect our customers and the broader ecosystem from security threats, including botnet attacks, spam, denial-of-service attacks, click fraud and worms.
- The data is anonymized permanently and irreversibly, which means that it cannot be traced to an IP address or to an individual. From the beginning, Microsoft never stores search terms with personal information, to help protect privacy.
- After 18 months, we will permanently remove the entirety of the IP address and all other cross-session identifiers, such as cookie IDs, from the search terms. This strict approach reflects Microsoft's belief that to protect privacy and make search query data truly anonymous, all cross-session identifiers and IP addresses must be removed in their entirety from the data.
- Through our adCenter service, Microsoft offers behavioral targeting to bring relevant advertising to consumers and to enable advertisers to connect with more people who are likely to be interested in their products and services. At the same time, Microsoft maintains a strong focus on protecting customers' privacy and adheres to high privacy standards.
- Once Microsoft begins to offer behavioral ad targeting on third-party sites, we will offer customers the ability to opt out of the behavioral ad targeting by Microsoft's network-advertising service on those Web sites. This is consistent with the privacy principles of the Network Advertising Initiative, which Microsoft announced it will join. We will also continue to develop new user controls that will enhance privacy, such as letting people search and surf our sites without being associated with a personal and unique identifier used for behavioral ad targeting.
- To provide the most relevant ads possible, Microsoft's ad-serving technologies use some user-provided demographic data (like gender, age or ZIP code) shared during Hotmail and Windows Live services registration, but they do not utilize information that could personally and directly identify a user in order to choose which advertisement a user should receive. Our ad platform's architecture relies on mathematical algorithms which disassociate personal information from demographic and behavioral attributes used in ad targeting. No individual customer data of any kind is passed by Microsoft to any advertiser unless customers have asked us to do so.
- Microsoft does not use knowledge of users' correspondents or the contents of their instant messaging or e-mail communications to target ads on our search engine.
- In terms of behavioral ad targeting, is there a way to opt-out on your primary search engine or just on third-party sites?
Ans: Consistent with the Microsoft Online Privacy Statement, we currently utilize behavioral targeting on our Windows Live sites and services. If customers wish to disable behavioral targeting and not receive targeted ads on our network, they can log out of their Windows Live ID and delete their cookies. We will continue to develop new user controls that will enhance privacy. Such controls may include letting individuals use our search service and surf Microsoft sites without being associated with a personal and unique identifier used for behavioral ad targeting, or allowing signed-in users to control personalization of the services they receive.
- Yahoo's global policy is: all search log data will be anonymized within 13 months of collection except where users request otherwise or where Yahoo is required to retain the information to comply with legal obligations.
- It is anonymized after 13 months.
- We remove portions of the IP address and personally identifiable cookie IDs.
- Yes, we do.
- The Yahoo practice to date is not to use content of personal communication for ad targeting.
Furthermore, Yahoo Inc was asked:
- You said Yahoo removes "portions of the IP Address." But details are important. IPv4 addresses are 32 bits. If you remove any four bits of the IP address, it's not much of an anonymization because it narrows down the user to 1 of 16 addresses (2^4 is 16). If you removed any 16 bits, however, it would be more privacy-protective because it narrows down the user to 1 of 65,536 addresses (2^16 is 65,536). Can you elaborate?
Ans: Our policy will mean that anonymous is anonymous and we will put safeguards in place to ensure that. Other details will come very soon.
- Do you remove the beginning or end portion of the IP address?
Ans: Same as above.
- Do you plan to give users any way to opt out of behavioral targeting in the future?
Ans: Yahoo currently offers users the ability to opt out of off-network behavioral targeting in accordance with NAI principles, but we are considering many different options to best help our users be in control of their online experience and their information.
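The bit-counting argument in the follow-up question to Yahoo, and the "final octet" approach in the 18-month answer above, can be checked directly. The following is an added example, not code from CNet or any of the surveyed companies: it assumes the removed bits are the low-order ones, uses a constructed log with made-up cookie IDs, and goes one step beyond the IP question to show that a surviving cookie ID keeps queries linkable even after truncation.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (documentation-range IPs, made-up cookie IDs and queries).
SAMPLE_LOG = [
    ("192.0.2.17", "c1", "new york city vacation"),
    ("192.0.2.17", "c1", "vacation hotels"),
    ("192.0.2.200", "c2", "weather 20166"),
    ("198.51.100.9", "c3", "local pizza"),
]

def truncate_ipv4(addr, bits_removed):
    """Zero the low-order `bits_removed` bits of an IPv4 address."""
    if not 0 <= bits_removed <= 32:
        raise ValueError("bits_removed must be between 0 and 32")
    mask = (0xFFFFFFFF << bits_removed) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(addr)) & mask))

def anonymity_set_size(bits_removed):
    """Number of addresses that share one truncated value (2**n)."""
    return 2 ** bits_removed

def anonymize(records, bits_removed, drop_cookie):
    """Hypothetical anonymization pass: truncate the IP, optionally drop the cookie ID."""
    return [(truncate_ipv4(ip, bits_removed), None if drop_cookie else cookie, query)
            for ip, cookie, query in records]

def linkable_profiles(records):
    """Group queries by whatever identifiers survive in each record."""
    groups = defaultdict(list)
    for ip, cookie, query in records:
        groups[(ip, cookie)].append(query)
    return dict(groups)

if __name__ == "__main__":
    # Bits removed, truncated address, and size of the resulting anonymity set.
    for bits in (4, 8, 16, 32):
        print(bits, truncate_ipv4("192.0.2.17", bits), anonymity_set_size(bits))
    # Final-octet truncation with the cookie kept, then with it dropped.
    for drop in (False, True):
        print(drop, linkable_profiles(anonymize(SAMPLE_LOG, 8, drop)))
```

With the cookie kept, the two vacation queries still form one profile after the final octet is removed; only when the cookie is dropped as well do the two users on the same /24 become indistinguishable.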
Now that the results are out, you can decide which search engine takes the most steps towards ensuring privacy.