Imagine wandering in a big city, with many winding streets, all connected. Imagine now that the streets are covered with snow and that you leave deep, dark footprints behind you wherever you go, footprints that stay up for to 18 months.
This city with winding streets is the web and your foot steps are your online whereabouts, or IP addresses, which are stored for months by search engines.
Google in its privacy policy states: “We may combine personal information collected from you with information from other Google services or third parties to provide a better user experience, including customizing content for you.”
The search king introduced an 18-month data retention policy in 2007. An improvement from past years when the company kept the search data logs indefinitely.
In an effort to further increase users’ privacy, Google on Tuesday announced its decision to reduce data retention time from 18 to nine months.
“We'll anonymize IP addresses on our server logs after 9 months … to improve privacy for our users,” Mountain View, California-based Google announced in a corporate blog.
The move to grant users more privacy comes as a response to pressure from European regulators who in a 29-page report in April urged search engines to delete data collected about their users after six months.
“In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, we do not see a basis for a retention period beyond 6 months,” the European advisory body on data protection and privacy said.
But the world’s biggest search engine claims that the data collected from users is necessary to make improvements to search quality, security, and to fight fraud, and reduce spam. It also fears that reducing data retention time could have an impact on the company’s ability to provide quality products and services to its users.
"While we're glad that this will bring some additional improvement in privacy, we're also concerned about the potential loss of security, quality, and innovation that may result from having less data,” Google said in the statement.
But the European advisory body on data protection and privacy doubts these reasons, saying they aren't well-defined enough to justify vast long-term data collection.
The core of the problem is maybe the definition of privacy itself, and Google seems to disagree with the European commission on that matter.
“Based on our own analysis, we believe that whether or not an IP address is personal data depends on how the data is being used,” Google said in a public policy blog.
The European court is more precise and believes there is a threat to privacy when search engines allow profiles of natural persons to be created and used by a third party for profiling.
Until both bodies arrive at a common definition on privacy, how long Google keeps data in its servers is relevant, as nine months gives the company plenty of time to build a detailed portrait of its users based on their online wanderings.