In their own words: Search engines on privacy
CNET News.com tries to clear up recent privacy announcements by surveying Google, Yahoo, Microsoft, Ask.com and AOL. Here, they respond.
To help our readers evaluate the privacy differences between AOL, Ask.com, Google, Microsoft, and Yahoo, CNET News.com sent them a survey on August 6. We've published their answers--in the companies' own words--below.
In some cases, we asked follow-up questions for clarification. If you have any suggestions for a future survey, send them along. And for background, here's a similar survey we did last year.
AOL
Here are responses from Amy Call, a spokeswoman for Time Warner's AOL Internet unit, which apologized a year ago for
What search-related data--including IP addresses, cookie IDs, user identities, and search terms--do you retain?
Call: Under AOL's policy this kind of data may be retained for 13 months.
How long do you retain those data?
Call: 13 months.
If you retain data for a limited period of time, is it completely deleted (in such a way that the data and backups cannot be recovered, even under court order) or is it anonymized instead?
Call: After 13 months only aggregate search terms are retained.
If the data are anonymized, exactly how do you do this?
Call: Not applicable.
Do you do behavioral targeting, meaning showing ads to users based on
their behavior across multiple queries?
Call: Yes.
If you do, is there a way for users to opt out of behavioral
targeting?
Call: Yes.
Do you use knowledge about your users (such as ZIP code, e-mail
address, gender, or birth date) obtained through user registration to
deliver targeted ads on your search engine?
Call: No. We do use information provided by the user for localization
purposes to return more relevant search results for the specified
location, such as when a user enters a preferred location through
the AOL My Locations feature, or when the user enters a query with
explicit local intent (i.e. weather "20166")--such as local business
names.
Do you use knowledge about the identities of your users' instant
messaging or e-mail correspondents when using those services, or the
contents of those communications, to deliver targeted ads on your search
engine?
Call: No.
Ask.com
Here are responses from Nicholas Graham, a spokesman at IAC-owned Ask.com, which received accolades for
What search-related data--including IP addresses, cookie IDs, user
identities, and search terms--do you retain?
Graham: With the upcoming launch of AskEraser, a user's IP address, search data cookie ID and search query will be completely deleted and expunged.
How long do you retain those data?
Graham: Users of AskEraser will have their complete IP address, complete search data cookie ID, and complete search query eliminated in a few hours or
less.
If you retain data for a limited period of time, is it completely
deleted (in such a way that the data and backups cannot be recovered,
even under court order) or is it anonymized instead?
Graham: Users of AskEraser will have their complete search query data eliminated so that no one who requests it from Ask.com will be able to access it--ever.
If the data are anonymized, exactly how do you do this?
Graham: Since users of AskEraser have their complete search data totally
deleted, none of their data is ever anonymized.
Do you do behavioral targeting, meaning showing ads to users based on
their behavior across multiple queries?
Graham: No.
If you do, is there a way for users to opt out of behavioral
targeting?
Graham: Not applicable, per the above answer.
Do you use knowledge about your users (such as ZIP code, e-mail
address, gender, or birth date) obtained through user registration to
deliver targeted ads on your search engine?
Graham: No.
Do you use knowledge about the identities of your users' instant
messaging or e-mail correspondents when using those services, or the
contents of those communications, to deliver targeted ads on your search
engine?
Graham: No.
We
Graham: We don't have a more specific one.
Google
Here are responses from Victoria Grand, a spokeswoman for Google. Of the companies subpoenaed by the U.S. Department of Justice for Web search data and random URLs last year, Google was the only search engine to challenge the order. In what was mostly a victory for Google, a judge said the company only had to turn over a subset of the random URLs the government sought and none of the Web search terms.
What search-related data--including IP addresses, cookie IDs, user
identities, and search terms--do you retain?
Grand: Like most Web sites, our servers record the page requests made when
users visit our sites in "server logs." These server logs typically
include a user's Web request, IP address, browser type, browser
language, the date and time of the user's request, and one or more
cookies that may uniquely identify a user's browser.
How long do you retain those data?
Grand: Google was the first leading search company to publicly announce a
finite data retention period for server log data. We will anonymize our
server logs after 18 months.
If you retain data for a limited period of time, is it completely
deleted (in such a way that the data and backups cannot be recovered
even under court order) or is it anonymized instead?
Grand: We are putting significant resources into creating processes for
reliably anonymizing server log data. Although we are still developing
our precise technical methods and approach, we can confirm that we will
delete some of the bits in logged IP addresses (i.e., the final octet)
to make it less likely that an IP address can be associated with a
specific computer or user. And while it is difficult to guarantee
complete anonymization, the network prefixes of IP addresses do not
identify individual users. We will also obfuscate cookie IDs.
Logs anonymization will not be reversible. We will intentionally erase, rather than simply encrypt, logs data so that no one (not even Google) can read it once it has been anonymized. Finally, logs anonymization will apply retroactively and will encompass all of Google's search logs worldwide.
If the data are anonymized, exactly how do you do this?
Grand: N/A.
Do you do behavioral targeting, meaning showing ads to users based on
their behavior across multiple queries?
Grand: We are committed to protecting user privacy. We also want to provide
users with a more rewarding online experience by making the advertising
and content users see relevant to them. We believe the targeting
capabilities, reporting and analytics we offer today provide advertisers
with an excellent ROI and provide a high-quality user experience.
Currently, our system incorporates a large number of signals (such as
the user's query, the user's location, type of site, content, and the
advertiser's landing page) when targeting and ranking ads. We have not
focused on demographic targeting to date for targeting ads on search
result pages.
If you do, is there a way for users to opt out of behavioral
targeting?
Grand: N/A.
We weren't able to figure out your answer to our question asking whether you do behavioral targeting. In other words, if I search for "New York City vacation" in one query and "vacation hotels" in a second query a moment later, does Google.com evaluate the two responses, figure out that I'm probably looking for New York City hotels, and display ads appropriately?
Grand: No.
Do you use knowledge about your users (such as ZIP code, e-mail address,
gender, or birthdate) obtained through user registration to deliver targeted
ads on your search engine?
Grand: No.
Do you use knowledge about the identities of your users' instant
messaging or e-mail correspondents when using those services, or the contents
of those communications, to deliver targeted ads on your search engine?
Grand: No.
Microsoft
Here are responses from Peter Cullen, chief privacy strategist at Microsoft. The company
What search-related data--including IP addresses, cookie IDs,
user identities, and search terms--do you retain?
Cullen: Live Search records what was queried, the type of search
(image, Web, local, etc.), the date and time that it was processed, the
IP address from which the query came, and a cookie-based unique ID. We
store our Live Search service search terms (and the cookie IDs
associated with search terms) separately from any account information
that directly identifies the user, such as name, e-mail address, or phone
numbers. Further, we have built in technological and process safeguards
designed to prevent the unauthorized correlation of this data.
Our commitments to privacy in the search and advertising arenas are outlined in detail in our Privacy Principles for Live Search and Online Ad Targeting (PDF). Furthermore, Microsoft has called on the industry and the privacy community to come together to engage in a dialogue regarding global privacy practices for data usage and protections related to search and online advertising. It is important for consumers that we create an online environment where people can search and surf online without having to navigate a complicated patchwork of privacy protections.
How long do you retain those data?
Cullen: In July, we announced that we will retain search records
associated with identifiers such as IP addresses for 18 months, unless
we receive user consent to a longer time period. After 18 months, we
will permanently anonymize the data, and it will only be retained in this
anonymous form. Microsoft believes this time frame strikes the right
balance between protecting the privacy of our customers and enabling us
to help protect our customers and the broader ecosystem from security
threats, including botnet attacks, spam, denial-of-service attacks,
click fraud and worms.
If you retain data for a limited period of time, is it completely deleted (in such a way that the data and backups cannot be recovered even under court order) or is it anonymized instead?
Cullen: The data is anonymized permanently and irreversibly, which means that it cannot be traced to an IP address or to an individual. From the beginning, Microsoft never stores search terms with personal information, to help protect privacy.
If the data are anonymized, exactly how do you do this?
Cullen: After 18 months, we will permanently remove the entirety
of the IP address and all other cross-session identifiers, such as
cookie IDs, from the search terms. This strict approach reflects
Microsoft's belief that to protect privacy and make search query data
truly anonymous, all cross-session identifiers and IP addresses must be
removed in their entirety from the data.
Do you do behavioral targeting, meaning showing ads to users
based on their behavior across multiple queries?
Cullen: Through our adCenter service, Microsoft offers
behavioral targeting to bring relevant advertising to consumers and to
enable advertisers to connect with more people who are likely to be
interested in their products and services. At the same time, Microsoft
maintains a strong focus on protecting customers' privacy and adheres to
high privacy standards.
If you do, is there a way for users to opt out of behavioral targeting?
Cullen: Once Microsoft begins to offer behavioral ad targeting on third-party sites, we will offer customers the ability to opt out of the behavioral ad targeting by Microsoft's network-advertising service on those Web sites. This is consistent with the privacy principles of the Network Advertising Initiative, which Microsoft announced it will join. We will also continue to develop new user controls that will enhance privacy, such as letting people search and surf our sites without being associated with a personal and unique identifier used for behavioral ad targeting.
(Editor's note: We followed up with a phone call to ask for details. Microsoft replied that it does do behavioral targeting on its own Web sites, and users must log out to avoid it. Once Microsoft begins offering behavioral targeting of ads on third-party sites--something that's not currently done--it'll offer the ability to opt out.)
Do you use knowledge about your users (such as ZIP code, e-mail
address, gender, or birthdate) obtained through user registration to
deliver targeted ads on your search engine?
Cullen: To provide the most relevant ads possible, Microsoft's
ad-serving technologies use some user-provided demographic data (like
gender, age or ZIP code) shared during Hotmail and Windows Live services
registration, but they do not utilize information that could personally
and directly identify a user in order to choose which advertisement a
user should receive. Our ad platform's architecture relies on
mathematical algorithms which disassociate personal information from
demographic and behavioral attributes used in ad targeting.
No individual customer data of any kind is passed by Microsoft to any advertiser unless customers have asked us to do so.
Do you use knowledge about the identities of your users' instant
messaging or e-mail correspondents when using those services, or the
contents of those communications, to deliver targeted ads on your search
engine?
Cullen: Microsoft does not use knowledge of users'
correspondents or the contents of their instant messaging or e-mail
communications to target ads on our search engine.
In terms of behavioral ad targeting, is there a way to opt out on your primary search engine or just on third-party sites?
Cullen: Consistent with the Microsoft Online Privacy Statement, we currently
utilize behavioral targeting on our Windows Live sites and services. If
customers wish to disable behavioral targeting and not receive targeted
ads on our network, they can log out of their Windows Live ID and delete
their cookies.
We will continue to develop new user controls that will enhance privacy. Such controls may include letting individuals use our search service and surf Microsoft sites without being associated with a personal and unique identifier used for behavioral ad targeting, or allowing signed-in users to control personalization of the services they receive.
Yahoo
Here are responses from Yahoo spokesman Jim Cullinan. The company--which is No. 2 in search--has incorporated user-generated content from its question-and-answer site Yahoo Answers into its main search results.
What search-related data--including IP addresses, cookie IDs, user identities, and search terms--do you retain?
Cullinan: Our privacy policy makes it clear that we "automatically receive and record information on our server logs from your browser including your IP address, Yahoo cookie information, and the page you requested."
How long do you retain those data?
Cullinan: Yahoo's global policy is: all search log data will be anonymized
within 13 months of collection except where users request otherwise or
where Yahoo is required to retain the information to comply with legal
obligations.
If you retain data for a limited period of time, is it completely
deleted (in such a way that the data and backups cannot be recovered, even under court order) or is it anonymized instead?
Cullinan: It is anonymized after 13 months.
If the data are anonymized, exactly how do you do this?
Cullinan: We remove portions of the IP address and personally identifiable
cookie IDs.
Do you do behavioral targeting, meaning showing ads to users based on
their behavior across multiple queries?
Cullinan: Yes, we do.
If you do, is there a way for users to opt out of behavioral targeting?
Cullinan: No.
Do you use knowledge about your users (such as ZIP code, e-mail
address, gender, or birth date) obtained through user registration to
deliver targeted ads on your search engine?
Cullinan: Per our privacy policy, when a user is logged into a Yahoo
product or service, they are not anonymous to us. Logged-in users may
receive customized ads based on general demographic categories such as
geo-location, gender, and/or age range.
Do you use knowledge about the identities of your users' instant
messaging or e-mail correspondents when using those services, or the
contents of those communications, to deliver targeted ads on your search
engine?
Cullinan: The Yahoo practice to date is not to use content of personal communication for ad targeting.
You said Yahoo removes "portions of the IP Address." But details are important. IPv4 addresses are 32 bits. If you remove any four bits of the IP address, it's not much of an anonymization because it narrows down the user to 1 of 16 addresses (2^4 is 16). If you removed any 16 bits, however, it would be more privacy-protective because it narrows down the user to 1 of 65,536 addresses (2^16 is 65,536). Can you elaborate?
Cullinan: Our policy will mean that anonymous is anonymous and we will put
safeguards in place to ensure that. Other details will come very soon.
Do you remove the beginning or end portion of the IP address?
Cullinan: Same as above.
Do you plan to give users any way to opt out of behavioral targeting in the future?
Cullinan: Yahoo currently offers users the ability to opt out of off-network behavioral targeting in accordance with NAI principles, but we are considering many different options to best help our users be in control of their online experience and their information.