Yesterday I posted that Cuil, the supposed “Google-killer” search engine that once took pride in not keeping any logs of its users’ activities, had dramatically altered its privacy policy, effectively stripping it of the strong privacy-protecting language it originally contained. Since then, I’ve received 3 communications from Cuil.
The first was a tweet promising an email (not yet received) as well as the assertion that “For the record, we still don’t keep logs or store personal info”. It is kind of them to tell me this via Twitter, but unless their official privacy policy states such, this utterance has little value or legal authority. Cuil’s original privacy statement stated this explicitly: “We do not keep logs of our users’ search activity”. That clear and incontrovertible statement is no longer present in the current policy.
The second communication was also a tweet, confirming what I already revealed in my original blog post: “Our advertising partner can see your IP and query, but if you opt-out then they cannot and you remain completely anonymous”. Yes, if you click the right places you can opt-out of Cuil’s new practice of sending all your search terms and your IP address to some unknown advertising partner.
The third communication was a comment left on my original post by Anna Patterson, Cuil’s President and Founder. She states: “I rewrote it making it less legalistic and shorter. I figured instead of re-stating everything three times in three different ways, I’d just state things once. We still don’t keep track of users.”
While I appreciate Patterson’s forthrightness, her explanation is quite unsatisfactory.
First, Cuil’s original privacy policy could hardly be criticized for being legalistic or particularly long. Clocking in at 518 words, is it largely absent of any legal or technical jargon typical of most privacy policies. Microsoft Word calculates its Flesch Reading Ease at 54.1. By comparison, Facebook’s current privacy policy has over 3,500 words, and a Flesch score of 37.4 (the lower the score, the more difficult the text). Cuil’s policy was clear and concise.
Besides the empirical comparisons, Cuil’s original policy was very plainly written, with the thrust of the policy in bold font: “when you search with Cuil, we do not collect any personally identifiable information, period. We have no idea who sends queries: not by name, not by IP address, and not by cookies“. There’s no legalese present here. But now, the privacy policy simply begins with this statement: “When you search with Cuil, we do not keep any personally identifiable information, period.” Notice Cuil now claims they don’t “keep” any personally identifiable information (they do, now, collect it and share it with 3rd parties), and they don’t explicitly include IP addresses among the items they don’t collect. Simply “personally identifiable information”, and who knows what they mean by that.
I suppose this claim that Cuil doesn’t “keep any personally identifiable information” is meant to mean the same as the missing “We do not keep logs of our users’ search activity.” That latter statement — so clear and so concise — was apparently removed in the spirit of shortening the policy and purging it of any legalese? I just don’t get it.
Usually when a search engines starts a new kind of advertising initiative, they go out of their way to be more open, explicit, and explanatory when it comes to user privacy (see, for example, Google’s proactive steps when they launched behavioral targeting earlier this year). Instead, Cuil stripped down their privacy policy. Further, I can’t find any press release or announcement regarding their new advertising partner(s) or how the advertising system works. There was some chatter in the field about possible partners earlier this year, but nothing I can find from Cuil itself. Who is this advertising partner that is getting my search terms and IP address? What are they doing with it?
Not cool.
UPDATE: I received another tweet from Cuil: “You have good points, and we appreciate the feedback. We’ll be discussing the policy more internally to further clarify.”
I’m hoping they’ll enter into a broader dialogue that isn’t limited to 140 characters, and directly address the issues I’ve raised. I replied to them suggesting, at the least, to re-insert the “We do not keep logs of our users’ search activity” language into their privacy policy, if it does indeed still apply. I’ve also urged more transparency regarding who their advertising partner is and how it works. We’ll see….
MichaelZimmer.org 