FAQ: When Google is not your friend

Google's recent legal spat with the U.S. Department of Justice highlights not only what information search engines record about us but also the shortcomings in a federal law that's supposed to protect online privacy.

It's only a matter of time before other attorneys realize that a person's entire search history is available for the asking, and the subpoenas begin to fly. This could happen in civil lawsuits or criminal prosecutions.

That type of fishing expedition is not legally permitted for Web mail providers. But because search engines are not fully shielded by the 1986 Electronic Communications Privacy Act--concocted back in the era of CompuServe and bulletin board systems--their users don't enjoy the same level of privacy.

"Back then, providers were very different animals than they are now," says Paul Ohm, a former Justice Department attorney who teaches computer crime law at the University of Colorado at Boulder.

Two solutions are simple to describe, but not likely to happen. First, search engines could voluntarily--or be required by law to--delete search histories after a few months unless the customer objects. Second, federal law could be amended to make it clear that search engines, which serve as a window to the Internet, are fully protected.

CNET News.com has surveyed Google, Microsoft, Yahoo and AOL to find out their privacy practices, and assembled these answers to frequently asked questions.

Q: Does Google collect and record people's search terms whether they're logged in or not?
Yes. Google confirmed this week that it keeps and collates these results, which means the company can be forced to divulge them under court order. Whether Google does anything else with them is another issue.

Given the Department of Justice's recent subpoena to Google, it's likely the police or even lawyers in civil cases--divorce attorneys, employers in severance disputes--eventually will demand that Google, Microsoft, Yahoo, AOL, and other search engines cough up users' search histories.

Q: Has this happened before?
Almost. A North Carolina man was found guilty of murder in November in part because he Googled the words "neck," "snap," "break" and "hold" before his wife was killed. But those search terms were found on Robert Petrick's computer, not obtained from Google directly.

Also, attorneys have already begun introducing searches conducted on Google, Yahoo and AltaVista as evidence.

Q: When I use search engines, I type in a lot of search terms I consider private. What does this mean?
We go into all the details below. But the short answer is that when private companies collect reams of data all the time on nearly every American, and the government and curious attorneys can get to that with few obstacles, this becomes a problem. Search engines provide a look into people's personal lives, and privacy awareness has not kept pace.

Q: Aren't there any privacy laws that protect us?
Not really. There is a federal law called the Electronic Communications Privacy Act. But it was enacted in 1986, long before politicians knew about the Internet, and the wording doesn't prevent police and attorneys from targeting search engines.

Politicians wrote that law in a way that is technology-specific--one key part revolves around the meaning of the pre-Internet term "processing services"--instead of adopting a more flexible approach that would grow with technology. Some states may have laws that are more applicable.

Q: Why does Google store that information about me, anyway?
No law requires Google to delete it, and there are some business justifications for keeping it.

For instance, keeping detailed records can help in identifying click fraud (faking clicks on Web ads to drive up a rival's cost), and in optimizing search results for different geographic areas. Compiling a user profile can aid in tailoring search results in products like Google Personalized Search. Also, disk storage is cheap, and engineers tend to prefer to keep data rather than delete it.

But it's hardly clear that a compelling reason exists for keeping older records--beyond a few months--unless a customer voluntarily chooses options like personalization.

Q: Does that mean Google has the technical ability to link a person's searches together and divulge them when legally required?
Yes. Google says in its FAQ that it records Internet address, date, time, browser type, operating system and a cookie ID.

Author and entrepreneur John Battelle received word from Google this week that the company can perform two important types of matches. (We confirmed this with Google and followed up with additional questions.)

First, given a number of search terms, Google can produce a list of people (identified by Internet address or cookie) who searched for a given term. Second, given a collection of Internet addresses, Google can produce a list of the terms searched by the user of a given address. That effectively creates an electronic dossier of an individual.

Q: What about other search engines?
We surveyed AOL, Microsoft and Yahoo as well. Microsoft and Yahoo gave us the same response as Google did.

AOL's was a little different. Spokesman Andrew Weinstein said AOL could provide a list of search terms typed in by a user. But AOL does not have a system in place to perform the opposite mapping, which would find out what users typed in which search terms. Weinstein also said that AOL deletes personally identifiable search data after 30 days, which makes it unique among the quartet we surveyed.

Q: What about links people click on from search engine results? Can that information be turned over too?
Yes. Through a process known as redirection, Yahoo and AOL record what links people click. Unless the companies discard these records, they would be fair game for a subpoena.

Q: Let's say the Bush administration wanted to obtain a list of the names or Internet addresses of anyone who typed "how to grow marijuana" or "how to cheat on income taxes" into Google. Could that be done?
Probably. If the Electronic Communications Privacy Act does not apply, all that's required is a subpoena from a prosecutor, and no prior approval from a judge is necessary. One Harvard law professor calls the subpoena power "akin to a blank check."

"The threshold rule is relevance," says Paul Ohm, the University of Colorado law professor. "Relevance has been quite broadly construed. As long as you can show that something's relevant to a case or criminal investigation, I think the litigant would have a pretty good argument."

Using the examples of finding out who did searches like "how to make meth" or "how to kill the president," Ohm says prosecutors "would have a very good argument that it's relevant to an investigation."

Q: How can I protect my privacy from search engines?
First, to protect your privacy if your computer is stolen, you can clear your browser's history (sometimes called "private data"). In Firefox, select that option from the Tools menu and delete your browsing history and saved form information. Apple Computer's Safari has a similar option under the History menu. Encrypting your hard drive through OS X's FileVault or PGP's Whole Disk Encryption may be a good idea.

Second, you can clear the cookies that are set by search engines. In Firefox, go to Preferences and select Privacy. You have the option to delete cookies and even prevent certain sites from ever setting them again. Be warned, though, that adding Google.com to the list may prevent using options like personalization or Gmail.

Third, if you're really worried, go to Anonymizer.com and sign up for

one of its anonymous browsing options (they're primarily for Windows users). Tor is another option.

Danny Sullivan has posted a more extensive list of recommendations at SearchEngineWatch.com.

Q: Is Congress going to do anything?
Rep. Ed Markey, a Massachusetts Democrat, has pledged to introduce legislation to prevent storing search terms "beyond a reasonable period of time."

There are some political and practical problems with this approach. First, Markey is a liberal Democrat in a town controlled by Republicans, so his proposal isn't going anywhere. Second, any such law could be wildly disruptive--it could mean class-action lawyers would get rich suing tech companies on charges that their data-retention duration is not "reasonable."

Finally, it's hardly clear that the Bush administration will embrace such a proposal--search terms could prove useful in criminal prosecutions, and the Justice Department seems to like the ability to demand them from search engines.

Q: How are Internet addresses handed out? Do people always have the same one?
It depends. Many DSL and cable modem providers allocate Internet addresses only when they're in use (the methods are called DHCP and PPPoe). Those IP addresses can change frequently.

Other IP addresses tend to be fixed. Faculty and staff members at universities, and employees of corporations, are more likely to have fixed Internet addresses.

Q: If Google knows I'm connecting from a dynamically assigned Internet address of 192.1.1.1 one day, and 192.2.2.2 the next day and 192.3.3.3 the third, how can it link my queries together to create that dossier?
This is where "cookies" come in. A cookie is simply a device for a Web site to recognize people the next time they return. Google, Yahoo, AOL and Microsoft all set cookies by default. (Microsoft's expire in 2016; Yahoo's in 2010; Google's in 2038. AOL sets a third-party cookie that expires in 2011.)

In the above example, Google.com would set a cookie for whoever's connecting from Internet address 192.1.1.1 the first day, and then figure out that the same Web browser is connecting from 192.2.2.2 and 192.3.3.3 the next two days. If people are logged in to their Google account, this makes the process even easier, of course.

Q: Even if a search engine company knows my Internet address is 192.1.1.1, and links my previous searches together, how can they--or the government--get my name, home address or other information?
If you have a Google account for products like Gmail, Google Groups, Personalized Search or Google Alerts, Google knows your e-mail address and other personal information, which it can be forced to disclose. If a Web publisher signs up for Google AdSense for advertising revenue, Google will have the publisher's real name, mailing address and Social Security Number.

If a person doesn't use any other Google services, all the company can divulge in response to a subpoena is that person's Internet address. Then whoever's asking about the person will send a second subpoena to the person's Internet service provider to find out billing information. This is a relatively straightforward procedure used by the Recording Industry Association of America (RIAA) in thousands of file-swapping lawsuits.

Q: Has anyone ever sent search engines a subpoena or other kind of legal request for someone's search terms?
We don't know. Google and Yahoo refused to answer the question, though there is no law prohibiting them from doing so.

AOL said only that the Electronic Communications Privacy Act would apply. Microsoft was by far the most forthcoming. With the exception of the Justice Department subpoena for search terms (without user identities) last year, Microsoft said it has "not received either criminal or civil requests related to MSN Search data."

Microsoft also said it "has never received either criminal or civil requests" to produce the lists of people who typed in a search term. Oddly, the other companies were not nearly as open.

Q: How long do companies keep records of my search terms?
Microsoft, Google and Yahoo all said they keep data as long as it's necessary, which could mean forever. Microsoft did add that the company is "looking at ways" to provide users with the option to delete their search histories, and Yahoo made a similar statement.

AOL, on the other hand, says it deletes personally identifiable data after 30 days.

CNET News.com's Elinor Mills contributed to this report.