[LINK] Ars: 'Great strides made in search engine privacy'

Roger Clarke Roger.Clarke at xamax.com.au
Fri Aug 17 14:18:08 AEST 2007 

[Comments embedded]

Great strides made in search engine privacy, says report
By Jacqui Cheng | Published: August 09, 2007 - 11:27AM CT
http://arstechnica.com/news.ars/post/20070809-great-strides-made-in-search-engine-privacy-says-report.html

"Privacy" is the name of the game among US search engines these days,
and the Center for Democracy and Technology (CDT) is pleased with the
progress that has been made so far. In a report released yesterday,
titled "Search Privacy Practices: A Work in Progress" (PDF), the CDT
outlined some of the changes that the five major search engines have
made in order to be more conscious of privacy concerns. The organization
also pointed out that the major search engines are beginning to
aggressively compete with each other in order to provide the "best"
privacy protections for their users.

"We hope this signals the emergence of a new competitive marketplace for
privacy," said CDT president Leslie Harris in a statement. "By
themselves, these recent changes represent only a small step toward
providing users the full range of privacy protections they need and
deserve, but if this competitive push continues it can only stand to
benefit consumers."

The report reiterated many of the recent search policy changes that have
made headlines in the last several months. In June, Google agreed to
anonymize its search records after 18 months instead of 24 (or previous
to that, never). That announcement was followed by one from Ask.com in
July, which also said that it would also anonymize its data after 18
months, and then Microsoft just days later-also 18 months. Both AOL and
Yahoo! have also agreed to shorten the length of time they keep records
around, undercutting the others by anonymizing records after just 13
months.

[18 month and even 13 month retention periods are wildly excessive. 
By applauding such inadequate provisions, CDT is at dire risk of 
criticism as being too close to business.]

The report also cited Ask.com's new AskEraser tool as offering a level
of user control that the others do not. AskEraser is a preference that
users can set on the site, ensuring that absolutely no search records
will be retained for that user past a few hours. CDT praises Ask.com for
AskEraser and points out that while the others offer options to their
users to extend the length of time their search records are stored, no
others currently allow users to choose not to have records retained. CDT
recommends that other search engines "continue to work towards providing
controls that allow users to not only extend but also limit the
information stored about them."

[*Much* better.  The test is 'retention for the period needed and no more':
-   you want a one-hit search, then no retention at all (other than
     incidental caching, with no systematic mechanisms for retrieval)
-   you want to leave your search-session open for a minute, one minute;
     for one hour one hour
-   you consent to or request the building of a 'searcher's profile',
     then retention of what's needed in order to implement it

[i.e. 'with genuine, informed, non-coerced consent' trumps whatever a 
'privacy absolutist' may want for themselves.]

The CDT provides other recommendations as well. While the organization
acknowledges that some search engines have legitimate reasons for
keeping data around for advertising purposes, ...

[If that reporting it correct, then CDT is being *far* too friendly 
to business, and risks losing the respect of privacy advocates.

[Search-engine operators don't have 'legitimate' reasons for keeping 
data;  they have natural desires to do so, but the great god of 
profit-making does not represent legitimacy.]

... [CDT] says that those
companies need to store the data securely (hello, AOL) and provide
notice to their users about what is being stored and for how long. The
CDT also says that the search engines should work together to promote
privacy protections "across the board" with smaller partners.

['Notice' is part of an opt-out scheme, not a consent/opt-in scheme, 
and is completely inadequate.]

Despite the progress that has been made, however, the CDT still feels
that there is a need for stronger privacy legislation. "No amount of
self-regulation in the search privacy space can replace the need for a
comprehensive federal privacy law to protect consumers from bad actors,"
the report says. "With consumers sharing more data than ever before
online, the time has come to harmonize our nation's privacy laws into a
simple, flexible framework."

[Here, CDT has sprung into the strong advocacy position, and *gains* 
advocate respect.  Even EPIC has hesitated to declare the position 
that clearly - because of the longstanding 'realpolitik' in DC that 
saw privacy law as unachievable.  The tide is clearly turning, and 
9-year-old business is being resumed:
http://www.anu.edu.au/people/Roger.Clarke/DV/CACM99.html ]

[Caveat:  time-pressure means that this post has been done at face 
value on the (normally pretty reliable) Ars report, without reference 
to CDT's actual document]

-- 
Roger Clarke                  http://www.anu.edu.au/people/Roger.Clarke/

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW

More information about the Link mailing list