Recall that in early 2007, Google announced it would “anonymize” its user search logs after 18-24 months. Later that year, Google reluctantly decided to add an expiration date to its web cookie, while Ask.com (unsuccessfully) tried to gain market share by giving users almost complete control over whether any data is collected. Then, in 2008, under pressure from EU regulators, Google announced it would anonymize its search logs after 9 months. Later, Microsoft endorsed the EU’s  Article 29 Working Party’s position that search companies should anonymize data retention logs after 6 months, but only if the other major search engines follow suit. None did, but Yahoo did agree to anonymize its logs after 90 days.

Microsoft has now decided to take the lead in search privacy and agree to the European Union’s demand that data retention be cut to six months. Previously, Microsoft de-identified its search logs immediately, but didn’t purge the IP address until 18 months. Now, de-identification still takes place immediately, and the IP addresses are completely removed in 6 months. Here’s the chart included with Microsoft’s announcement:

Microsoft’s bold move puts significant pressure on Google. Currently Google merely “anonymizes” IP addresses on its server logs after nine months, arguing it must retain user logs to improve their services, fight spam and abuse, and comply with legal obligations. I, of course, have been critical of this reasoning on various occasions, and now Microsoft appears to be confirming that long-term data retention isn’t necessary to run a successful search engine.

Google, the ball is in your court.

(Hat tip to Jules Polonetsky at the Future of Privacy Forum)

From the announcement:

In an effort to protect and advance the human rights of freedom of expression and privacy, a diverse coalition of leading information and communications companies, major human rights organizations, academics, investors and technology leaders today launched the Global Network Initiative.

From the Americas to Europe to the Middle East to Africa and Asia, companies in the information and communications industries face increasing government pressure to comply with domestic laws and policies that require censorship and disclosure of personal information in ways that conflict with internationally recognized human rights laws and standards.

The Initiative is founded upon new Principles on Freedom of Expression and Privacy – supported by specific implementation commitments and a framework for accountability and learning – that provide a systematic approach for companies, NGOs, investors, academics and others to work together in resisting efforts by governments that seek to enlist companies in acts of censorship and surveillance that violate international standards.

The Initiative’s website includes a full list of participants and three core documents that describe the Initiative’s objectives and key commitments, including a statement of Principles, Implementation Guidelines, and a Governance, Accountability & Learning Framework.

There is a lot to parse here, but I’ll provide some initial reactions below.

Participants

The list of participants includes the usual suspects in initiatives like these, including Google, Microsoft, Yahoo!, Berkman Center for Internet & Society, Center for Democracy & Technology, Electronic Frontier Foundation, Human Rights Watch, etc. It also includes a variety of (sociall-minded) investment firms, like Domini Social Investments, F&C Asset Management, and Trillium Asset Management, perhaps indicating a new focus on brining the financial sector of the ICT industry into the fold on these vital issues.

Noticeably absent from the list of partners are other major tech companies who commonly confront issues of privacy and freedom of expression, such as Facebook (ahem), AT&T (ahem), Cisco (ahem), or Skype (ahem). Also absent are other major advocacy groups like EPIC or Amnesty International. It is unkown whether these groups we asked to join and declined, or haven’t been approached to contribute to these efforts.

Principles

The GNI’s Principles outline its commitment to the protection and advancement of freedom of expression and privacy online, largely based on international human rights laws and standards including the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and the International Covenant on Economic, Social and Cultural Rights.

The Principles statement opens with a strong endorsement of protecting human rights:

All human rights are indivisible, interdependent, and interrelated: the improvement of one right facilitates advancement of the others; the deprivation of one right adversely affects others. Freedom of expression and privacy are an explicit part of this international framework of human rights and are enabling rights that facilitate the meaningful realization of other human rights.

And then continues to outline how freedom of expression and privacy fit into that human rights perspective. Notably, it defines “privacy” as:

Privacy is a human right and guarantor of human dignity. Privacy is important to maintaining personal security, protecting identity and promoting freedom of expression in the digital age.

Right on. Unfortunately, however, it frames the threat to privacy solely in terms of government interference:

The right to privacy should not be restricted by governments, except in narrowly defined circumstances based on internationally recognized laws and standards.

…

Participating companies will respect and protect the privacy rights of users when confronted with government demands, laws or regulations that compromise privacy in a manner inconsistent with internationally recognized laws and standards.

Given this language, it appears these principles are meant to provide guidelines to prevent unwarranted government access to personal information, but does little to address how the companies themselves might be impacting users’ privacy rights through their own collection and use of personal information.

Implementation Guidelines

The Implementation Guidelines provide more details on how the partners plan to put the Principles into practice. Notably, it calls for the boards of the participating companies to “incorporate the impact of company operations on freedom of expression and privacy into the Board’s review of the business”, as well as “employ human rights impact assessments to identify circumstances when freedom of expression and privacy may be jeopardized or advanced, and develop appropriate risk mitigation strategies”. This is to be achieved through the “creation of a senior-directed human rights team, including the active participation of senior management, to design, coordinate and lead the implementation of the Principles.”

This is incredibly similar to a recent shareholder proposal that Google’s board rejected (twice). What made them change their mind? Perhaps they wanted to make it appear as an inernal & altruistic move, rather than “giving in” to shareholder demands? One wonders…

With regard to privacy, the Implementation Guidelines outlines numerous steps for the Partners to follow, including some key items related to transparency:

Participating companies will seek to operate in a transparent manner when required to provide personal information to governments. To achieve this, participating companies will:

• Disclose to users in clear language what generally applicable government laws and policies require the participating company to provide personal information to government authorities, unless such disclosure is unlawful.
• Disclose to users in clear language what personal information the participating company collects, and the participating company’s policies and procedures for responding to government demands for personal information.
• Assess on an ongoing basis measures to support user transparency, in an effective manner, regarding the company’s data collection, storage, and retention practices.

Many of the partner companies have been working hard to make their data collection practices more transparent, and this is good stop towards codifying these efforts. In particular, I hope the first point above means that privacy policies will be more explicit when they state a company will disclose personal information to “satisfy any applicable law, regulation, legal process or enforceable governmental request.”

Finally, the Guidelines also call for the creation of a “confidential multi-stakeholder Advisory Forum [to] provide guidance to participating companies on emerging challenges and opportunities for the advancement of freedom of expression and privacy.” Why must this be confidential? I have no idea, and contradicts the efforts towards transparency stressed above.

Governance, Accountability & Learning Framework

The Governance, Accountability & Learning Framework outlines a multi-stakeholder governance structure, goals for collaboration and a system of company accountability to support the Principles, maximize opportunities for learning and ensure the integrity and efficacy of the Initiative.

Essentially, each of the Partners will contribute to the formation of an Organization to oversee the Initiative, “with equal representation from company and non-company participants that will strive to operate on a consensus basis.” A key task of this Organization will be to conduct “independent assessments” of the participating companies to ensure compliance with the Principles. Note, however, that the companies get to choose their independent assessor (“in close consultation with the Organization”). Hopefully the independence criteria to become an accredited assessor are sufficient to ensure fair assessments of the companies’ actions.

Summary

To summarize, this is an important (perhaps unprecedented?) step by members of the tech industry to recognize how their products and actions impact human rights, and I am thrilled that they are willing to sign on to such an initiative. I know many of the people who have been working on this (I’ve been hearing rumors of its creation), and I know they are committed to protecting both freedom of expression and privacy rights across the globe.

While there are gaps, this is an important step, and I hope momentum builds and real action emerges as a result.

• Scientific American has a nice special issue dedicated to “the future of privacy.” Nothing new here for most privacy scholars, but it is a nice treatment of the issues that is approachable to those who don’t spend every breathing moment thinking about privacy and surveillance theory. (Also very good for undergraduate courses!)
• Colorado Law School professor Paul Ohm has released an important new article on “The Rise and Fall of Invasive ISP Surveillance,” where he argues that “Nothing in society poses as grave a threat to privacy as the Internet Service Provider.”
• Google released a new version of Picasa, that now includes facial recognition technology to help you identify friends and family in your pictures without requiring you to tag them by hand each time you see them. Similar to Riya, Picasa’s facial recognition technology will ask you to identify people in your pictures that you haven’t tagged yet. Once you do and start uploading more pictures, Picasa starts suggesting tags for people based on the similarity between their face in the picture and the tags you already put in place for them. (I’ll blog more about this separately soon.)
• Google also released its own Web browser, Chrome. Many saw conspiracy when Google made the (bone-headed) mistake of simply copying its standard EULA to the Chrome site, which erroneously stated that users grant “Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services.” Of course, Google confirmed this was an error, and changed it. Meanwhile, others showed great concern over whether Google would be snooping on browser activity. Lauren Weinstein and Google’s own Matt Cutts helped diffuse those concerns.
• Speaking of browsers, the new version of Internet Explorer (IE8) includes an “InPrivate” mode that lets users control whether or not IE saves their browsing history, cookies, and other potentially sensitive data. This is in line with Safari’s “Private Browsing” feature, but has not avoided all criticism.
• As an iPhone user, I’ve often wondered whether the device “phones home” and what kind of usage statistics might be be shared with Apple. (Recall how the Mini-Store iTunes update from a few years ago caused a stir due the automatic transmission of users’ listening habits to Apple.) Turns out that the iPhone does take periodic screenshots of everything you do in order to make that “shrinking screen” effect work when you press the home key. While presumably that image isn’t stored or transmitted, Wired points out the larger concern: “The phone presumably deletes the image after you close the application. But anyone who understands data is aware that in most cases, deletion does not permanently remove files from a storage device.” Apple should make transparent how this works, where these images reside on the phone, and the process under which they are deleted from memory (including the cache).
• My friend and colleague Anders Albrechtslund has published an excellent article Surveillance and Ethics in Film: Rear Window and The Conversation in the Journal of Criminal Justice and Popular Culture 15(2), pp. 129-144.
• Finally, I’m sad to hear that Sivacracy is going on indefinite hiatus. The silver lining here is that Siva is inching closer to completion of his book The Googlization of Everything.

Privacy and Security – Due to the sensitive and personal nature of the data that will be stored in Google Health, we need to conduct our health service with the same privacy, security, and integrity users have come to expect in all our services. Google Health will protect the privacy of your health information by giving you complete control over your data. We won’t sell or share your data without your explicit permission. Our privacy policy and practices have been developed in thoughtful collaboration with experts from the Google Health Advisory Council.

The notion that Google will conduct their health service with “the same privacy, security, and integrity users have come to expect in all our services” causes me some pause. Google currently tracks my search queries in order to place advertising, scans the content of incoming Gmail messages for similar monetization, and, given their vast suite of products and services linked by a common Google Account, has the ability to create detailed dossiers on users online activities. I hope they treat my personal medical data with greater “privacy, security, and integrity” than how they track and monetize my general search activities and e-mail messages.

Google also states “We won’t sell or share your data without your explicit permission.” This is troubling to me as it signals the possibility exists that Google will want to sell or share my data with third parties. We need to learn more about what Google is contemplating here: What plans exist to sell or share my medical data if I do give explicit permission? How will my data be used, and by whom? How will my permission be granted? Will I know who is using the data and how? Can I decide I want to share it with certain parties and not others?

The note mentions the privacy policy for Google Health. A screenshot provided by Google also shows links to the service’s privacy policy. As far as I can tell, however, the actual policy hasn’t been made available, so we can’t evaluate its claims and promises. I urge Google to share this policy ASAP.

A bit more information as been made available via the press. This Cnet article notes that:

“Google won’t sell the data and won’t put ads on the site, but rather hopes to drive traffic to partner sites where there will be ads. In addition, Web searches will not be used to provide services or information to users of Google Health, Google representatives said.”

This provides a bit more clarity, but I still hope to be able to sit down with Google’s people to discuss these issues in more detail, much in the way Microsoft has made itself available on its HealthVault product.

(As an aside, I’m also tracking various conversations and debates over the extent to which HIPAA applies to these platforms – I hope to assemble my thoughts on that soon)

HealthVault is Microsoft’s attempt to provide an online platform where personal electronic health records can be stored, managed, and shared with various healthcare providers. HealthVault also features a topical search engine allowing users to search specifically for health-related information (Microsoft will use sponsored search ads on the search engine to monetize the HealthVault platform). Microsoft’s press release launching the service last fall can be found here; it has been covered by the New York Times, Washington Post, BusinessWeek, etc.

Any attempt to aggregate and store personal medical data online is fraught with privacy issues, and HealthVault has attracted its fair share of criticism and concern (especially given the bad taste Miscrosoft’s Passport/Hailstorm efforts left in privacy advocates mouths).

Some of the privacy concerns that immediately come to mind include:

• How secure are the personal health records stored online?
• Who has access to the data and under what conditions?
• Will users’ data be aggregated, data-mined, monetized, or sold?
• Are users’ health-related search queries logged?
• Are users’ clickstream activities on HealthVault logged?

Microsoft, of course, has been paying attention to all of this, and they’ve been trying to address HealthVault’s privacy-related issues through various policy, marketing, and design decisions. It was under this auspice that I met with HealthVault platform’s Product Manager George Scriban to share ideas about health privacy generally, and HealthVault specifically. Here’s some of what I learned Microsoft is doing to address the privacy issues surrounding HealthVault:

• To help protect user privacy, all search activity on HealthVault’s search engine is encrypted via HTTPS. This helps provide some security from having health-related searches viewable by employers or other network providers, in much the same way passwords are encrypted as they move across the Internet.
• Compared to many traditional search engines, where the sponsored ads are personalized and/or contextually tied to the specific search terms, the sponsored ads that subsidize HealthVault searches are only “bluntly targeted.” This is done by mapping the concepts that appear on top search result pages, and then targeting the ads to those concepts. For example, a search for “HIV and pregnancy” might provide results dealing with the broader concepts of sexual health and prevention. It is these concepts that trigger certain ads to be displayed, not the original search term. As a result, there is less motivation to track and log the specific search terms that might be more personally sensitive.
• Traditional search engines often go to great lengths to help understand the purpose and intent of ambiguous search queries, typically through the logging of search activities. For example, a simple search for the term “cold” could refer to an upper respiratory infection, a climate condition, or an emotional stance. By logging and comparing previous search activity, search engines can try to predict what the user actually was looking for. But with a health-specific search engine, it is much more likely the user is seeking medical information about the common cold. Given this drop in search term ambiguity, HealthVault’s search engine cookie only retains query data per session (the tracking cookie expiries if you close your browser or visit a different web page).
• Similarly, the more persistent cookies related to the search engine in HealthVault expire after 90 days. And their server logs, which might also contain clickstream data they store (to monitor interface usability, clicking of sponsored ads, etc), are destroyed after 90 days.
• Regarding users’ health records, they are given full control over what information is stored on the system, who can access it, and what they can do with it. Microsoft wil make themselves available for audits to ensure compliance with their privacy policies.
• Given that third-party applications will be built on top of the HealthVault platform, Microsoft’s goal is to make this much more transparent than similar execution on sites like Facebook, where users don’t really know what information applications are accessing or what they are doing with it. HealthVault provides the ability to see how a users’ individual health records have been accessed and used. If a user uploads a piece of health information, they can use a control panel to see who has accessed the data (only people they authorize can do so), when they accessed it, and what was done with it, whether it was modified, and so on.

I must note that I haven’t been able to verify these technical claims, and my research in this area is only beginning — many other harms could remain even if all the above are fully implemented. But if the above steps can be validated, it appears the developers of HealthVault have taken Microsoft’s “Privacy Guidelines for Developing Software Products and Services” to heart, and have consciously designed HealthVault to protect user privacy.

::

UPDATE: Fred Trotter provides the right kind of push-back on Microsoft’s claims I detail above. He also notes that my fellowship at the Yale ISP is funded by Microsoft. I should have provided this disclaimer earlier:

Microsoft is a funder of the Information Society Project (ISP) at Yale Law School, and their grant pays for my fellowship there. I can safely say that I have not personally felt any pressure or influence by Microsoft on my scholarship (or my blog posts).

Also, I don’t know if my being the “Microsoft Fellow” actually granted me any special access. The invitation I received from Robin Bender Ginn, from MSFT’s PR firm Edelman, seemed quite generic, identifying me as a “recognized technology privacy leader,” was sent to my blog e-mail (not my Yale account), and didn’t mention the relationship between ISP and MSFT. It honestly felt like the kind of invitation they probably sent to a dozen like-minded scholars/bloggers. I noted the connection between MSFT and the ISP in my reply, but I don’t know if they were aware of it beforehand.

Microsoft Makes $44.6 Billion Bid for Yahoo

Microsoft said Friday that it would offer $44.6 billion for Yahoo, the ailing search giant. The surprise offer of $31 a share represents a 62 percent premium to Thursday’s clsoing share price. Yahoo shareholders could elect to receive either cash or stock.

The proposed acquisition, the largest ever by Microsoft, would give some relief to Yahoo’s long-suffering shareholders, who have seen the company’s stock slide nearly 32 percent this year. It would also create the most formidable competitor yet for Google, the search engine giant.

Declan McCullagh and Elinor Mills at CNet have surveyed the major search engine providers about their privacy practices related to retention of user data and behavioral targeting. Full story here, and the search engines’ actual replies here.

Excellent summary, but much remains unknown…

Microsoft and Ask are also trying to step out in front of the issue. The companies today will announce their plans to try to bring together a broad swath of companies and advocacy groups to establish common practices about how and for how long search engines store personal data they glean from their users.

Executives at the companies said they expect to announce a more formal plan in September. Peter Cullen, chief privacy strategist for Microsoft, said the company hoped other search concerns, including Google, would participate in the discussions.

That Microsoft and Ask are trying to spearhead industrywide privacy standards could be in part a reflection of their place in the industry. Both lag far behind Google and Yahoo in Internet-search market share and thus have far less data about search behaviors than their rivals. By calling for more defined standards on privacy, Microsoft could indirectly limit Google’s ability to use its vast stores of information to improve its services. Google had 49.5% of the U.S. search market in June, according to comScore Inc.

Microsoft, whose sites were used for 13.2% of all U.S. Internet searches, will also today announce a variety of new policies, including making Live Search query data anonymous after 18 months by removing the entire IP address and other identifiers from the search terms. The company said it will continue to develop new controls that allow users to surf its sites without being tracked for behavioral advertising.

Recall that Ask.com recently announced new privacy procedures, while Google has been struggling to convince the public that data retention is essential. More news about this latest announcement here and here.

These latest efforts are a welcome shift of focus for the web search industry, and I hope we can ride this momentum and continue to work towards solutions that help give users more control over the collection of their personal data while using these vital tools. This is the task before me in the coming months…

The advertising software, which could be part of the operating system, a standalone app, or an application feature, would use information gleaned from documents, music, computer status messages, and e-mails as context for ads. However, the software could conceivably gather information on every file on a user’s hard drive and send it to advertisers, and the application does little to assuage security and privacy concerns.

The patent makes no mention of any method by which users might be able to control or even turn off the service, nor does it mention the multiple privacy and security concerns. Ars Technica, however, notes the cheerful propaganda MSFT deploys in support of the idea:

That’s okay. It’s still a good thing. It says so right in the application: “The ability to derive and process context data from local sources rather than monitor interactions with a remote entity, such as a server, benefits both consumers and advertisers by delivering more tightly targeted advertisements. The benefit to the user is the perception that the ads are more relevant, and therefore, less of an interruption. The benefit to the advertiser is better focus and a higher chance of conversion to a sale.”

As with the justifications given for personalized advertising in Web search engines, we’re confronted here with the claim consumers automatically benefit from having more targeted advertisements, without any consideration of what might be sacrificed by such a Faustian bargain. (Interrogating this belief is on my long-term research agenda.)

I also wonder how the research & development behind this patent application fits within Microsoft’s broader Privacy Guidelines for Developing Software Products and Services…

IF YOU thought you could protect your privacy on the web by lying about your personal details, think again. In online communities at least, entering fake details such as a bogus name or age may no longer prevent others from working out exactly who you are.

That is the spectre raised by new research conducted by Microsoft. The computing giant is developing software that could accurately guess your name, age, gender and potentially even your location, by analysing telltale patterns in your web browsing history.

…the software could get its raw information from a number of sources, including a new type of “cookie” program that records the pages visited. Alternatively, it could use your PC’s own cache of web pages, or proxy servers could maintain records of sites visited. So far it can only guess gender and age with any accuracy, but the team say they expect to be able to “refine the profiles which contain bogus demographic information”, and one day predict your occupation, level of qualifications, and perhaps your location.

This would be an unprecedented shift if the informational norms of the privacy of one’s online browsing activities. While cookies and IP logging allow some tracking of user’s habits, various tools exist to help users maintain some levels of privacy and anonymity as they browse, search, and communicate online. Microsoft’s proposal would be aimed specifically at overcoming these privacy enhancing technologies in order to monitor, capture, and aggregate user’s online habits and activities.

UPDATE: Kevin Schofield responds (found via CoD) to what he sees as a gross over-reaction and misunderstanding of this research. I concede to Mr. Schofield that many (including some of my rhetoric above) might be jumping the gun on Microsoft wanting to personally identify users based on their habits. But my general concern rests in the growing prevalence of this kind of research — the ever-constant aggregating, mining, and profiling of our everyday activities. This is yet another step down that troublesome path…