Google to Anonymize Users' Search Data

Journal written by leamanc (961376) and posted by samzenpus on Thu Mar 15, 2007 06:31 AM
from the poof-you're-gone dept.
Google's official blog states they are on an effort to anonymize their search data after 18-24 months. After previously fighting turning over search data to the feds, it looks like they are striking another blow to the "think of the children" crowd. Any bets on whether MSN or Yahoo! will follow suit?
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • ..the "off the record" button, in the first place!
    • Re: (Score:3, Insightful)

      I never got why google needs to keep all that history without anonymizing it.

      There is - as far as I can see - no rational argument that has to do with improving search results because you have them tied to individuals.

      And yes, keeping tabs on half the globe is evil too...

      • Re: (Score:2, Interesting)

        Not only that, but is the history of searches you made over 2 years ago relevant to your current searches performed today?
        • by Dunbal (464142) on Thursday March 15 2007, @08:00AM (#18360623)
          Not only that, but is the history of searches you made over 2 years ago relevant to your current searches performed today?

          Studies have shown that 43% of all people who search for "Donkey Love" will buy our product within 3 years if they see our ads.
          • by Peter Trepan (572016) on Thursday March 15 2007, @10:56AM (#18363081)

            Studies have shown that 43% of all people who search for "Donkey Love" will buy our product within 3 years if they see our ads.

            ...and that number rises to 98.3% if we mention we found that item in their search history.

      • It's all about the advertising. Google's knowledge of you lets them advertise to you more effectively.
      • It isn't that Google necessarily care that it is "you" (actually they might but that is another thread...), but "you" are doing a search and then clicking on links in a particular order which is a context that is important for ranking. At an abstract level, the relationship between what you searched and the links you tried is stuff Google wants to track to help enhance relevancy and search results. The problem is that with modern technology to do this they need to know some things that aren't anonymous whi
  • Uhm (Score:3, Interesting)

    by giorgiofr (887762) on Thursday March 15 2007, @06:34AM (#18360069)
    All they have to do is erase the logs every day or just not keep them. It doesn't "take an effort". Anonymous proxies have been doing this for years.
    • Re:Uhm (Score:5, Insightful)

      by Rakishi (759894) on Thursday March 15 2007, @06:50AM (#18360147)
      And anonymous proxies do not need to make money or provide much of a service unlike google, logs are very useful for such things.
    • Re:Uhm (Score:5, Insightful)

      All they have to do is erase the logs every day or just not keep them. It doesn't "take an effort". Anonymous proxies have been doing this for years.

      I know where you're coming from, but that would kinda fuck with their targeting advertising business model dontcha think?
      • Re: (Score:3, Insightful)

        It doesn't have to, after all the targeted ads are supposedly targeted to the *content* of the pages and your search query. No need to keep that for two years in order to target it better unless you have other plans with my data (such as selling my 'profile').

        • Re:Uhm (Score:4, Insightful)

          by daeg (828071) on Thursday March 15 2007, @07:43AM (#18360481)
          I'm between the two extremes of agreeing with you and agreeing that data needs to be retained. As any of us who have taken a statistics class (or four) can tell you, you don't need access to the whole sample to provide accurate data. So, say, for instance, the Google engineers were working on a specific niche of the web, say, dog lovers. If I were designing something to better suit dog lovers, my first step would be pulling a report on the common search patterns of people that search for dog-related topics.

          Historical data that identifies a unique user is extremely useful. I do the same thing with our Intranet search and report tools. If I want to improve something, oftentimes the logs will give a very telling tale. (This accounting department employee searched for "expense", then "expense excel", then "expense spreadsheet", then "expense log", finally getting his document. I can then add the keywords 'excel' 'spreadsheet' to the actual document entry.) That said, you don't actually need to know who the unique user is, for all intents and research purposes, User5486734067 is just as useful as an IP+Cookie.
          • Even for the example you give I would not need to know *who* made those searches.

            There are two good reasons to keep the data, as far as I can see, the first is to avoid sending
            the same ad to someone twice (but for that you only need a history of what ads they've seen, not
            what they have searched for, though of course that does help to tag a user as a 'programmer' or
            an 'accountant'), the second is when you go in to the massive selling of profiles business.

            There are some companies that do this (Schober comes t
  • Mine already is (Score:3, Informative)

    by solevita (967690) on Thursday March 15 2007, @06:36AM (#18360085)
    Although I did have to install the AnonymizeGoogle Firefox plugin to get it.
    • Re:Mine already is (Score:5, Informative)

      by solevita (967690) on Thursday March 15 2007, @07:24AM (#18360345)
      Ignore that post above - I'm a moron. I meant to say CustomizeGoogle Firefox plugin. Get it here [customizegoogle.com].

      I guess that's what happens when you Slashdot before caffeine. I'm sorry.
        • Re:Mine already is (Score:4, Informative)

          by solevita (967690) on Thursday March 15 2007, @08:40AM (#18361031)
          Your IP usually isn't the problem, especially in my case where my ISP sends it all through their regional proxy anyway. What CustomizeGoogle does is randomize your Google UID. Take another look at the recent AOL breach - people weren't suffering privacy loss due to their IP address, but rather because AOL gave each and every user a number that could be tracked through the system. Thanks to CustomizeGoogle, that won't happen to me and my searches.
  • anonymizing it straight away! That would be an even quicker solution to the problem.

  • Why not anonymise the data after zero months? Are they required by law not to?
    • In some countries, yes, they are required to.
    • Re:0 months? (Score:5, Insightful)

      by cdrudge (68377) on Thursday March 15 2007, @06:49AM (#18360137) Homepage
      My guess is they don't do it immediately because there is internal business value in mining the data. User patterns, length of stay, etc. After 18 or 24 months, the internal value has dropped significantly as things change quickly. I would have thought that the value would have dropped even quicker than that, say after 6 months or maybe a year.
    • Even if they weren't legally required it makes more business sense to keep as much data as possible as you never know when someone will need it for some project.
    • by xxxJonBoyxxx (565205) on Thursday March 15 2007, @07:30AM (#18360381)

      Why not anonymise the data after zero months?
      Because Google's primarily a media company, like NBC, only with much finer detail about what you want to see. Like any media company, Google finds demographic data incredibly valuable because it allows them to "connect" you with the "correct" advertisers. There's no way in hell Google would let people be completely anonymous; it goes against their business plan. (I'd also bet three years from now we'll find through some court case that backup tapes somewhere really extend "anonymous after 18 months" to 4-5 years.)
  • by Anonymous Coward
    Google should not be collecting any of that huge pile of information AT ALL, not just anonymising it after 18 months. As the AOL case showed, search queries can be used to identify individuals even after AOL anonymized them, so it's not IP addresses they are recording, it's PEOPLE.

    There is no need to collect the IP addresses of searchers that haven't opted in to Google's personalized search. There is no law, that requires it.

    There is no need to store the IP addresses of individual visitors to websites when
    • Re: (Score:3, Insightful)

      There is no need? What about the monetary need? Google doesn't really care who you are, but they do care about what you are looking for. The more they know about what you are looking for the better their AdSense program can do. The better it does, the more money they make.

      As for your whole "we have privacy" bit, sure you do. In your own home while using your stuff. The moment you sent your request out over the internet in plain text to a third party (that is a corporation out to make money you kno
      • No Consent (Score:4, Interesting)

        by Anonymous Coward on Thursday March 15 2007, @08:02AM (#18360663)
        Exactly, it's to Google's MONETARY benefit that they record this information. The EU Privacy law says THEY CANNOT RECORD MORE PERSONAL INFORMATION THAN IS NEEDED FOR A TRANSACTION. Now that it's clear that search data is personally identifiable, the EU Privacy law should be used to FORCE GOOGLE TO QUIT IT.

        "The moment you sent your request out over the internet in plain text to a third party (that is a corporation out to make money you know) you lost that."

        Not so, the law says we have to consent and we didn't consent!

        And what about when that party isn't Google? Google analytics is not on Google's site, it's embedded on third party sites, Google's adsense is on other people's site too. I didn't consent to handing my data to Google when I surfed to third parties' sites, Google took that data and recorded it in violation of EU privacy laws.

        This has also been sued for before resulting in Doubleclick backing down over exactly this issue.

        http://archives.cnn.com/2000/TECH/computing/01/28/double.click.lawsuit.idg/ [cnn.com]

        "A California woman has filed suit against DoubleClick, accusing the U.S.-based online advertising company of unlawfully obtaining and selling consumers' personal information, according to a statement issued by her attorney's office."

        "Hariett M. Judnick filed the suit in Marin County Superior Court in California, on behalf of the "general public of the state of California," the statement said.
        The suit alleges that DoubleClick employs Internet cookies to identify users and track their movements on the Internet. The company tracks and records the sites an individual visits, as well as the information transmitted on the sites, such as names, ages, addresses, shopping patterns and financial information."

      • Technically speaking you as the search end user can make better use of personalised search history and refinement of results. Everybody tends to use search phrases and search styles in a different manner, especially in relation to the experience level of the user.

        Searching will only get more and more complex as time progresses and things like automatic language translations finally start to appear. Privacy on one hand or the search engine adapting to your search style, not really as clear cut a choice as

  • According to TFA (Score:5, Insightful)

    by ReallyEvilCanine (991886) on Thursday March 15 2007, @06:50AM (#18360149) Homepage
    Google plan to make it "more anonymous". Like pregnancy, data either ARE anonymous or they ain't. You can't qualify an absolute, and "anonymous" is an absolute condition indicating lack of information.
    • we will anonymize our server logs

      so that it can no longer be identified with individual users
      Sounds anonymous to me.
    • So you're saying "Data are either impregnated with anonymity or they ain't?"

      I need another cup of coffee.
  • Stop googling for "jihad death to american president" if you're worried about getting caught.

    I should point out that your google query goes over plaintext HTTP so anyone in between can eavesdrop on your queries.

    Tom
    • by solevita (967690) on Thursday March 15 2007, @07:08AM (#18360243)

      Stop googling for "jihad death to american president" if you're worried about getting caught.
      You're correct. The only people that demand privacy are those up to no good. How about I come over to your house later, sit in your bed for a bit, go through your drawers and your phone records, take some pictures of you and your friends, ask the neighbours some pressing questions?

      If you've got nothing to hide, you should have no problem with this.
      • Ah, the out of context argument. My house is private by the definition that I have locks on the doors and blinds on the windows. Your analogy may make sense if, say, a public walkway passed through my living room.

        I'm not saying people shouldn't have privacy, I'm saying if you export your secrets outside of your domain, you shouldn't expect privacy.

        You don't do your personal finances on a city bus do you?
        • by Dunbal (464142) on Thursday March 15 2007, @07:49AM (#18360519)
          Ah, the out of context argument. My house is private by the definition that I have locks on the doors and blinds on the windows.

          Funny - my computer is in my house, behind locks and blinds too. Hey Google's computers also are behind lock and key, and they even have security guards and alarm systems. I don't ever remember giving Google permission to disclose any information shared between them and me - oh and heaven forbid I go around giving away the information Google found for me - I'd get sued!

          Why would the whole world automatically be party to the information Google and I shared one evening? My computer sent that information to a specific internet address, and the answer came back specifically to my computer.

          Not so out of context...
          • by tomstdenis (446163) <tomstdenisNO@SPAMgmail.com> on Thursday March 15 2007, @08:08AM (#18360705) Homepage
            This is why it pays to have a modicum of computer knowledge.

            Assuming you're not trolling...

            When you send a query to google, it goes over the "internet" in the clear. That is, not encrypted. Anyone who can see it can read it. Well who can read it? Turns out a lot of people. Between me and google are probably 10 different boxes. 5 of which are just my ISPs routers. The other five are boxes on other networks, not even related to Google.

            There is no inherent requirement for privacy like there is with telephones (maybe there ought to be one). But that said, you're giving your data to Google, willingly no less. That gives them every right to record it. You gave them permission by using their service, I guess you never read their TOS [google.ca] which is your fault, not theirs. Think about the analogy in the real world. This is like you handing your driver's license to every stranger you meet, then getting upset when some of them write it down.

            If you don't want your assets [IP, location, name, platform, etc] leaked to Google you should use an anonymous proxy.

            Tom
            • Stop googling for "jihad death to american president" if you're worried about getting caught.

              When you use language like "caught" you are obviously not referring to Google, but rather some external agency (i.e. the government) rather than by Google. You are changing the parties involved to strengthen your argument.

      • If you've got nothing to hide, you should have no problem with this.

        Yeah while we're there we can install the webcam in his bathroom and broadcast on the net every time he takes a crap. I have a pair of guys willing to do the commentary on wiping techniques to add to the video...
    • Re: (Score:3, Insightful)

      Stop googling for "jihad death to american president" if you're worried about getting caught.

      Excuse me?! I live in America and if I want to research the results of the search terms "jihad death to american president" I'm well within my fucking rights.

      Fuck you for saying otherwise.
      • Re: (Score:3, Interesting)

        Well you're describing a law enforcement problem not a privacy issue.

        Google is within their rights to gather as much information as you feed them (your ip, time of day, host strings, query string, etc).

        My point was if you were planning on committing crimes, you shouldn't use google to find tips.

        Tom
        • Google is within their rights to gather as much information as you feed them (your ip, time of day, host strings, query string, etc).

          I see the problem now; you clearly don't understand the extent of Google's monitoring. They're not logging just IP addresses, they're logging people. The AOL data that came out showed how you could follow tracking cookies to see exactly what people, not IP addresses, were searching for.

          I don't see why you have such a problem with it anyway. Many people around the world asked fo

          • Re: (Score:3, Insightful)

            I'm not against google cleaning their logs. I'm against people claiming this is a privacy issue.

            Google logging all your queries: Not a privacy problem.

            Bank leaking your SSN via stolen laptop: Privacy problem.

            AOL knowing that you like midget porn: Not a privacy problem.

            Government using sub-standard contractor to manage passport data, later turns up on broken into computer: Privacy problem.

            By screaming wolf every time "data" is mentioned you desensitize people to real privacy problems.
  • Which is it? 18, 19, 20, 21, 22, 23 or 24?
  • This means nothing. If you click the link.."By anonymizing our server logs after 18-24 months..." That's still far too long and is most likely motivated more by logistical concerns in retaining so much data than out of any act of benevolence. However it definitely makes good PR to paint this as 'Taking steps to improve privacy'...
  • by guanxi (216397) on Thursday March 15 2007, @07:59AM (#18360605)
    To quote them:
    "It is difficult to guarantee complete anonymization, but we believe these changes will make it very unlikely users could be identified."

    "Changing the bits of an IP address makes it less likely that the IP address can be associated with a specific computer or user. Cookie anonymization makes it less likely that a cookie can be used to identify a user."

    "[I]t's possible that data retention laws will obligate us to retain logs for longer periods."

    "How many subpoenas for server log data does Google receive each year?
    As a matter of policy, we don't provide specifics on law enforcement requests to Google."


    I don't think it will mean much unless they publish their anonymization technique. Even Google seems to have doubts about it, and considering the resources of some attackers (e.g., national governments), if the anonymization can be broken it will be.

    But Google's anonymization does not have to be perfect: Google isn't the only place your google.com activity is recorded: There's your personal computer, possibly your ISP, other sites (referrer links show Google search terms), etc. As long as Google makes their anonymity difficult enough to break that it's significantly easier to go elsewhere for the information, they've done their job. If you need to be anonymous, I hope you are taking other steps.

    I, for one, welcome the merciful intentions of our benign new overlords.

  • List of nifty little phrases that have bitten their speakers in the ass:

    • They will never bomb Berlin
    • Read my lips, no new taxes
    • I did not have sex with that woman
    • Mission accomplished
    • Don't be evil

    Now Google brings us:

    Let's just be less evil, now that we've been caught.

  • 127.0.0.1 (Score:4, Funny)

    by supun (613105) on Thursday March 15 2007, @09:49AM (#18361871)
    Just hard code the function that grabs "HTTP_REMOTE_ADDR" to return "127.0.0.1." That way the feds will think all the kiddie p0rn searches came from the computer they are using.
    • Re:right.... (Score:5, Informative)

      by skrolle2 (844387) on Thursday March 15 2007, @07:28AM (#18360369)
      http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:NOT [europa.eu]

      The data retention directive only applies to ISPs, and only deals with who you "communicate" with. It does not explicitly say that a record of which websites you visit should be retained, and it explicitly says that the content of the communication must not be retained.

      However, as for all EU directives, it only contains the baseline of regulation. Directives are never law themselves, but have to be implemented in each respective member state by each respective legislative body. These, in turn, are free to implement whatever they want ABOVE the baseline, so some member states may have longer retention periods for this data, some member states may require ISPs to retain additional data.

      The deadline for this directive is September this year, but if you read it, a few member states have reserved the option to postpone parts of the directive, typically of the internet-related traffic. This basically means that they recognize the difficulties in implementing it, and want more time to think about how to do it, or possibly obstruct it.

      What all of this boils down to is that maybe, sometime in the future, if you have a European ISP, they may be required to store all the URLs that you access. Google search data is transmitted as querystring parameters that are part of the URL, which means that your search data may be stored by your ISP, in a non-anonymized way. There's nothing in this possible future that Google has to comply with, as long as they are not a European ISP.
    • "Goldfish porn" and "Kinky sofa covers"

      Funny you mention that, I was searching just the other day for "sofa porn" and "kinky Goldfish covers"...
    • by santiago (42242) on Thursday March 15 2007, @10:39AM (#18362785) Homepage
      There's 2^32 IP addresses under IPv4. If Google is doing the hashing, then they know the hash function. How long do you think it would take them to brute-force break the hash by hashing every possible IP address and creating a map from the hashed values back to the originals? Express your answer in microseconds.

      (If your solution is to increase the space of inputs by adding a variable salt value, please explain how this allows them to use the resulting hashes for aggregation.)
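
Added example (not part of the original thread, and not Google's code or method): the enumeration argument in the comment above, run over a /16 instead of the full 2^32 space so it finishes quickly, alongside two alternatives that still allow aggregation. The keyed-HMAC scheme, the choice of SHA-256, the 24-bit truncation, and all function names and log entries are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
from collections import Counter


def plain_hash(ip: str) -> str:
    """Unsalted SHA-256 of the dotted-quad string."""
    return hashlib.sha256(ip.encode()).hexdigest()


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key; stable per address while the key lives."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def truncate_ip(ip: str, keep_bits: int = 24) -> str:
    """Zero the low bits so 2**(32 - keep_bits) addresses share one bucket."""
    net = ipaddress.ip_network(f"{ip}/{keep_bits}", strict=False)
    return str(net.network_address)


def reverse_map(network: str, fn) -> dict:
    """Apply fn to every address in network and index output -> address."""
    return {fn(str(a)): str(a) for a in ipaddress.ip_network(network)}


def demo() -> dict:
    # Constructed log of client addresses (RFC 5737 documentation ranges).
    log = ["198.51.100.7", "198.51.100.7", "198.51.100.200", "203.0.113.9"]
    space = "198.51.0.0/16"  # stand-in for the full 2**32 space, to keep it fast

    # 1. Unsalted hash: whoever can enumerate the inputs can invert it.
    plain = reverse_map(space, plain_hash).get(plain_hash(log[0]))

    # 2. Keyed pseudonym: equal addresses still collapse to one token,
    #    so per-user aggregation works for as long as the key is fixed.
    key = secrets.token_bytes(32)
    token = keyed_pseudonym(log[0], key)
    per_token = Counter(keyed_pseudonym(ip, key) for ip in log)

    # Enumeration without the key finds nothing...
    guess = secrets.token_bytes(32)
    outsider = reverse_map(space, lambda a: keyed_pseudonym(a, guess)).get(token)
    # ...but the key holder can still invert, so the log is only
    # anonymous once the key has been destroyed.
    insider = reverse_map(space, lambda a: keyed_pseudonym(a, key)).get(token)

    return {
        "plain_recovered": plain,
        "outsider_recovered": outsider,
        "key_holder_recovered": insider,
        "max_queries_per_token": max(per_token.values()),
        "distinct_tokens": len(per_token),
        "truncated": [truncate_ip(ip) for ip in log],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The keyed variant keeps per-address counts only within the lifetime of one key; truncation keeps counts at /24 granularity and has nothing to invert, at the cost of merging distinct users.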