Group says Ask's privacy feature is flawed
Privacy advocates seek changes to better protect consumers during Web searches, like using an opt-in cookie instead of an opt-out for company's AskEraser tool.
A group of privacy advocates is asking Ask.com to make some changes to its new AskEraser feature so that it better protects consumers' privacy when they conduct Web searches.
Ask launched its AskEraser feature last week, touting it as a tool that erases traces of a consumer's search activity within hours.
"After a more careful review of AskEraser, we have found at least three significant flaws," a letter addressed to Ask.com Chief Executive Jim Lanzone states. It is signed by Marc Rotenberg, executive director of the Electronic Privacy Information Center, as well as representatives from the Center for Digital Democracy, Consumer Action, Fairfax County Privacy Council, National Workrights Institute, Privacy Rights Now Coalition, Privacy Times, and World Privacy Forum.
"We believe that the flaws are correctable, and hope that you will work to bring the reality of AskEraser in line with your stated objective of protecting your customers' privacy," the letter says.
Ask.com spokesman Nicholas Graham said the company had just received an e-mailed copy of the letter and was in the process of reviewing it.
"On first glance, we think the issues raised in the letter are not new, and are addressed already in our FAQ and our Privacy Policy. That said, we're happy to talk to Mr. Rotenberg and others about it and address any questions they have," Graham said, adding that Ask has collaborated on the feature with "respected privacy advocates" such as the Center for Democracy & Technology.
The letter lists three main problems. The first one is the fact that AskEraser uses an opt-out cookie. Cookies are bits of software left on a consumer's computer that are used to authenticate the user and maintain information such as the user's site preferences.
Usually, people concerned with privacy delete cookies, so creating an opt-out cookie is "counter-intuitive," the letter states. Once the AskEraser opt-out cookie is deleted, the privacy setting is lost and the consumer's search activity will be tracked. Why not have an opt-in cookie instead, the letter suggests.
The second problem is that Ask inserts the exact time that the user enables AskEraser and stores it in the cookie, which could make identifying the computer easier and make it easy for third-party tracking if the cookie were transferred to such parties. The letter recommends using a session cookie that expires once the search result is returned.
Ask's Frequently Asked Questions for the feature notes that there may be circumstances when Ask is required to comply with a court order and if asked to, it will retain the consumer's search data even if AskEraser appears to be turned on. Ask should notify consumers when the feature has been disabled so that people are not misled into thinking their searches aren't being tracked when they actually are, the letter said.
Ask announced plans for AskEraser in July, just days after Google said search cookies would expire after two years instead of in 2038. Earlier in the year, Google had said it would anonymize the final eight bits of the IP address and the cookie data after somewhere between 18 months and 24 months.
Privacy has become a hot topic for search engines this year following a mishap at AOL last year that exposed the searches of hundreds of thousands of consumers. Lawmakers in the U.S. have held hearings about online privacy, particularly with regard to Google's proposed acquisition of online ad firm DoubleClick, while a hearing is planned for January in Europe.