News

Microsoft Reduces Bing Data Retention Times

• By Herb Torrens
• January 20, 2010

Microsoft on Monday announced moves to reduce data retention times for Internet queries initiated through the company's Bing search engine.

Peter Cullen, Microsoft's chief privacy strategist, said in a statement that the company will delete IP addresses after six months and will remove cookie IDs and other cross-session IDs after 18 months.

"It's definitely a step in the right direction," commented Peter Eckersley, staff technologist for the Electronic Frontier Foundation (EFF), in a telephone interview "However, there's still an enormous gulf between what a reasonable person expects in matters of personal data, and the reality of the types and amount of data search engine companies actually retain."

EFF is a nonprofit consumer and legal advocacy group headquartered in San Francisco that focuses on a number of Internet issues, including data retention by search providers.

According to Eckersley, America's top three search companies are all making efforts to "at least look like" they are reducing the hold periods and limiting the amount of data they retain.

Yahoo's current IP address retention is three months, while Microsoft and Google are now holding onto IP info for six and nine months, respectively.

Search engine providers typically explain that the data needs to be retained to improve their search services.

"Data from our search queries represents a crucial arm in our battle to protect the security of our services against hacks and fraud," stated Peter Fleischer, global privacy counsel at Google, in an e-mail. "It also represents a critical element allowing us to help users by innovating and improving the quality of our searches."

Google earlier reduced its retention time for IP addresses in search logs, cutting it from 18 months to the current nine months. However, Google's concern over Internet privacy generally seemed in question after Google's CEO Eric Schmidt stated in December that "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."

Questions remain about whether search queries typed by users might still be used to identify individuals, even with the precautions taken by search providers.

"What they [the search providers] aren't telling you is what they are keeping," Eckersley noted. "They can delete IP addresses, but keep cookie-based search histories, user strings and other bits of data that could lead to personal identities."

Such was the case in 2006 when AOL released Internet search histories for more than 600,000 unnamed individuals as part of a research project. According to an overview on the Privacy Rights Clearinghouse Web site, several people were identified, along with their medical records, interests, financial info and social security numbers.

Microsoft said it changed its search data retention policy after an evaluation of its business needs and as the result of an "ongoing dialogue with privacy advocates, consumer groups, and regulators -- including the Article 29 Working Party."

The Article 29 Working Party (PDF) was established by the European Union to oversee the EU's Data Protection Directive, which was written to regulate the processing of personal data within EU member states.

The United States still lags behind the EU in terms of legal data protections, according to Eckersley.

"There's no question the Europeans enjoy much better data protection than Americans," Eckersley said. "The big three [search providers] in the U.S. are making strides but they really need to address the gulf of what people expect, and what is actually happening….The problem is there are no magic glasses to see inside of the logs they [Google, Microsoft and Yahoo] keep, and there is no regulatory directive providing guidelines for what data is kept."

On Wednesday, Microsoft called for updating certain U.S. laws, including the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. Brad Smith, Microsoft's senior vice president and general counsel, suggested that without greater national attention to law enforcement, liability and privacy rules affecting the Internet cloud, the future of cloud computing could be stunted.