Google’s Unsatisfying Explanation for Retaining User Search Data

Following up on their recent decision to “anonymize” its server logs after 18-24 months, Google’s Global Privacy Counsel Peter Fleischer has posted an explanation about why Google captures and retains users’ search queries in the first place. While a good step towards greater transparency, it’s a bit unsatisfying. Let’s address each of the three points Fleischer makes.

Improve our services: Search companies like Google are constantly trying to improve the quality of their search services. Analyzing logs data is an important tool to help our engineers refine search quality and build helpful new services. Take the example of Google Spell Checker. Google’s spell checking software automatically looks at your query and checks to see if you are using the most common version of a word’s spelling. If it calculates that you’re likely to generate more relevant search results with an alternative spelling, it will ask “Did you mean: (more common spelling)?” We can offer this service by looking at spelling corrections that people do or do not click on. Similarly, with logs, we can improve our search results: if we know that people are clicking on the #1 result we’re doing something right, and if they’re hitting next page or reformulating their query, we’re doing something wrong. The ability of a search company to continue to improve its services is essential, and represents a normal and expected use of such data.

First, the claim that capturing and processing user data is “normal and expected” is fraught with assumptions about what people’s expectations are for the data-trail they leave behind. Many users don’t know they are leaving a data-trail to be collected. Many don’t know that such a trail is being collected. Many don’t understand that their data-trails from session-to-session can be aggregated, mined, and scrutinized. Many don’t understand that their data-trails can be retained for as long as Google wants. You get the point.

Second, and more fundamental, if the first purpose of collecting user data is to improve services such as Spell Checker or to measure the relevancy of results, there is little need for personally-identifiable information to be collected as well. Simply put, to accomplish these goals, Google does not need to collect the IP address of a search or click, just the search or click itself.

Maintain security and prevent fraud and abuse: It is standard among Internet companies to retain server logs with IP addresses as one of an array of tools to protect the system from security attacks. For example, our computers can analyze logging patterns in order to identify, investigate and defend against malicious access and exploitation attempts. Data protection laws around the world require Internet companies to maintain adequate security measures to protect the personal data of their users. Immediate deletion of IP addresses from our logs would make our systems more vulnerable to security attacks, putting the personal data of our users at greater risk. Historical logs information can also be a useful tool to help us detect and prevent phishing, scripting attacks, and spam, including query click spam and ads click spam.

I’ve been researching and writing about search data retention issues for a while now, and honestly, this is the first time I’ve heard the “security and fraud prevention” argument. I suppose I can understand the usefulness of having logs of server activity in case some kind of security or fraud concern arises, but if that’s the case, the data should only accessed in such cases. It seems Google has not placed such restrictions on the use of server logs, and I fear this reasoning is meant to scare users in acquiescence more than anything else.

Comply with legal obligations to retain data: Search companies like Google are also subject to laws that sometimes conflict with data protection regulations, like data retention for law enforcement purposes. For example, Google may be subject to the EU Data Retention Directive, which was passed last year, in the wake of the Madrid and London terrorist bombings, to help law enforcement in the investigation and prosecution of “serious crime”. The Directive requires all EU Member States to pass data retention laws by 2009 with retention for periods between 6 and 24 months. Since these laws do not yet exist, and are only now being proposed and debated, it is too early to know the final retention time periods, the jurisdictional impact, and the scope of applicability. It’s therefore too early to state whether such laws would apply to particular Google services, and if so, which ones. In the U.S., the Department of Justice and others have similarly called for 24-month data retention laws.

One can’t argue against the need for Google to comply with data retention laws….other than fighting to prevent such laws from being enacted.

In sum, I applaud Google for trying to be more transparent about why it collects user data and what it does with it, but they still keep much in the dark. I renew my call for a formal Google Data Privacy Center, where users can view all the data collected, selectively edit and purge their data, see exactly how it is being used, and selectively restrict its use, view any third-parties the data is being shared with, and selectively restrict the transferring of personal data to third-parties.

UPDATE: It appears I haven’t been critical enough of Google’s 3rd point above. Commenters familiar with the EU Data Directive point out below that the law covers only “communications,” and not necessarily search queries. And Seth Finkelstein points to this Ars Technica post that reminds us that in the US, of course, data retention laws don’t even exist yet, and certainly wouldn’t be retroactive if passed. So how does the apparent non-existence of these laws actually compel Google to keep user data? Got me….


  1. Hello Michael Zimmer,

    I agree with your criticism on Google’s new privacy policy + explanation. I was rather amazed by the data retention argument they came up with. After I saw Peter Fleischer’s blog posts I think it is his spin. I have been involved in the data retention debate in the EU and The Netherlands. Until now, the data retention laws in the EU do not apply to search services. They might apply to e-mail, but that’s a different story altogether, isn’t it?


    Joris van Hoboken

  2. Joris right. What is kind of amazing is that since Google played the EU Data Retention card, nobody writing about this stuff has bothered to check whether the EU law covers search engine queries. It doesn’t – it covers “COMMUNICATIONS services and networks” (telcos, ISPs, + webmail/e-mail/messaging). There is diddly squat requirement for Google to keep search query terms and IP addresses in respect of those searches.

    EU Data Retention makes a hideous travesty of the European human right to privacy, but it doesn’t compel Google to do what they have implied. It wouldn’t hurt for American commentators to ask a European privacy lawyer before reporting Google’s bilge at face value

    check it for yourself…

    Click to access …060413en00540063.pdf

    …the meat is in Article 5, but for avoidance of doubt…

    Recital 13: This Directive relates only to data generated or processed as a consequence of a communication or a communication service and does not relate to data that are the content of the information communicated…

    Recital 23: Given that the obligations on providers of electronic communications services should be proportionate, this Directive requires that they retain only such data as are generated or processed in the process of supplying their communications services. To the extent that such data are not generated or processed by those providers, there is no obligation to retain them…

  3. Good catch, HFI – I haven’t kept up with the precise language of the EU directive or the proposed US versions. I wonder, however, if the courts have ruled at all regarding what constitutes a “communication”: is it to mean “me communicating with someone else” via these systems, or might it also include “my computer communicating with the system” in order to complete a task. If the latter, then we might be in trouble….

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s