In their own words: Search engines on privacy

CNET News.com tries to clear up recent privacy announcements by surveying Google, Yahoo, Microsoft, Ask.com and AOL. Here, they respond.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Trying to learn how your favorite search engine protects your privacy can be as frustrating as a Where's Waldo book: it's not easy to find what you're looking for, and doing it on multiple sites is even more irksome.

To help our readers evaluate the privacy differences between AOL, Ask.com, Google, Microsoft, and Yahoo, CNET News.com sent them a survey on August 6. We've published their answers--in the companies' own words--below.

In some cases, we asked follow-up questions for clarification. If you have any suggestions for a future survey, send them along. And for background, here's a similar survey we did last year.

AOL

Here are responses from Amy Call, a spokeswoman for Time Warner's AOL Internet unit, which apologized a year ago for inadvertently exposing the Web searches made by a large group of users. The company retains personally identifiable Web search histories for up to 30 days, after which time the identifying information is obscured using a hashing technique, Call said. It also announced last month that it would buy Tacoda, which delivers behavioral targeted ads.

What search-related data--including IP addresses, cookie IDs, user identities, and search terms--do you retain?
Call: Under AOL's policy this kind of data may be retained for 13 months.

How long do you retain those data?
Call: 13 months.

If you retain data for a limited period of time, is it completely deleted (in such a way that the data and backups cannot be recovered, even under court order) or is it anonymized instead?
Call: After 13 months only aggregate search terms are retained.

If the data are anonymized, exactly how do you do this?
Call: Not applicable.

Do you do behavioral targeting, meaning showing ads to users based on their behavior across multiple queries?
Call: Yes.

If you do, is there a way for users to opt out of behavioral targeting?
Call: Yes.

Do you use knowledge about your users (such as ZIP code, e-mail address, gender, or birth date) obtained through user registration to deliver targeted ads on your search engine?
Call: No. We do use information provided by the user for localization purposes to return more relevant search results for the specified location, such as when a user enters a preferred location through the AOL My Locations feature, or when the user enters a query with explicit local intent (i.e. weather "20166")--such as local business names.

Do you use knowledge about the identities of your users' instant messaging or e-mail correspondents when using those services, or the contents of those communications, to deliver targeted ads on your search engine?
Call: No.

Ask.com

Here are responses from Nicholas Graham, a spokesman at IAC-owned Ask.com, which received accolades for the redesign of its search site in June.

What search-related data--including IP addresses, cookie IDs, user identities, and search terms--do you retain?
Graham: With the upcoming launch of AskEraser, a user's IP address, search data cookie ID and search query will be completely deleted and expunged.

How long do you retain those data?
Graham: Users of AskEraser will have their complete IP address, complete search data cookie ID, and complete search query eliminated in a few hours or less.

If you retain data for a limited period of time, is it completely deleted (in such a way that the data and backups cannot be recovered, even under court order) or is it anonymized instead?
Graham: Users of AskEraser will have their complete search query data eliminated so that no one who requests it from Ask.com will be able to access it--ever.

If the data are anonymized, exactly how do you do this?
Graham: Since users of AskEraser have their complete search data totally deleted, none of their data is ever anonymized.

Do you do behavioral targeting, meaning showing ads to users based on their behavior across multiple queries?
Graham: No.

If you do, is there a way for users to opt out of behavioral targeting?
Graham: Not applicable, per the above answer.

Do you use knowledge about your users (such as ZIP code, e-mail address, gender, or birth date) obtained through user registration to deliver targeted ads on your search engine?
Graham: No.

Do you use knowledge about the identities of your users' instant messaging or e-mail correspondents when using those services, or the contents of those communications, to deliver targeted ads on your search engine?
Graham: No.

We wrote last month that AskEraser will launch by the end of the year. Do you have a more specific date?
Graham: We don't have a more specific one.

Google

Here are responses from Victoria Grand, a spokeswoman for Google. Of the companies subpoenaed by the U.S. Department of Justice for Web search data and random URLs last year, Google was the only search engine to challenge the order. In what was mostly a victory for Google, a judge said the company only had to turn over a subset of the random URLs the government sought and none of the Web search terms.

What search-related data--including IP addresses, cookie IDs, user identities, and search terms--do you retain?
Grand: Like most Web sites, our servers record the page requests made when users visit our sites in "server logs." These server logs typically include a user's Web request, IP address, browser type, browser language, the date and time of the user's request, and one or more cookies that may uniquely identify a user's browser.

We retain search server logs for 18 months for a number of reasons, including: to improve our search algorithms for the benefit of users; to defend our systems from malicious access and exploitation attempts; to maintain the integrity of our systems by fighting click fraud and Web spam; to protect our users from threats like spam and phishing; to respond to valid legal orders from law enforcement as they investigate and prosecute serious crimes like child exploitation; and to comply with data retention legal obligations.

How long do you retain those data?
Grand: Google was the first leading search company to publicly announce a finite data retention period for server log data. We will anonymize our server logs after 18 months.

If you retain data for a limited period of time, is it completely deleted (in such a way that the data and backups cannot be recovered even under court order) or is it anonymized instead?
Grand: We are putting significant resources into creating processes for reliably anonymizing server log data. Although we are still developing our precise technical methods and approach, we can confirm that we will delete some of the bits in logged IP addresses (i.e., the final octet) to make it less likely that an IP address can be associated with a specific computer or user. And while it is difficult to guarantee complete anonymization, the network prefixes of IP addresses do not identify individual users. We will also obfuscate cookie IDs.

Logs anonymization will not be reversible. We will intentionally erase, rather than simply encrypt, logs data so that no one (not even Google) can read it once it has been anonymized. Finally, logs anonymization will apply retroactively and will encompass all of Google's search logs worldwide.

If the data are anonymized, exactly how do you do this?
Grand: N/A.

Do you do behavioral targeting, meaning showing ads to users based on their behavior across multiple queries?
Grand: We are committed to protecting user privacy. We also want to provide users with a more rewarding online experience by making the advertising and content users see relevant to them. We believe the targeting capabilities, reporting and analytics we offer today provide advertisers with an excellent ROI and provide a high-quality user experience. Currently, our system incorporates a large number of signals (such as the user's query, the user's location, type of site, content, and the advertiser's landing page) when targeting and ranking ads. We have not focused on demographic targeting to date for targeting ads on search result pages.

If you do, is there a way for users to opt out of behavioral targeting?
Grand: N/A.

We weren't able to figure out your answer to our question asking whether you do behavioral targeting. In other words, if I search for "New York City vacation" in one query and "vacation hotels" in a second query a moment later, does Google.com evaluate the two responses, figure out that I'm probably looking for New York City hotels, and display ads appropriately?
Grand: No.

Do you use knowledge about your users (such as ZIP code, e-mail address, gender, or birthdate) obtained through user registration to deliver targeted ads on your search engine?
Grand: No.

Do you use knowledge about the identities of your users' instant messaging or e-mail correspondents when using those services, or the contents of those communications, to deliver targeted ads on your search engine?
Grand: No.

Microsoft

Here are responses from Peter Cullen, chief privacy strategist at Microsoft. The company saw its search market share get a boost recently as a result of a Microsoft program that offers rewards to people for using the Live Search site.

What search-related data--including IP addresses, cookie IDs, user identities, and search terms--do you retain?
Cullen: Live Search records what was queried, the type of search (image, Web, local, etc.), the date and time that it was processed, the IP address from which the query came, and a cookie-based unique ID. We store our Live Search service search terms (and the cookie IDs associated with search terms) separately from any account information that directly identifies the user, such as name, e-mail address, or phone numbers. Further, we have built in technological and process safeguards designed to prevent the unauthorized correlation of this data.

Our commitments to privacy in the search and advertising arenas are outlined in detail in our Privacy Principles for Live Search and Online Ad Targeting (PDF). Furthermore, Microsoft has called on the industry and the privacy community to come together to engage in a dialogue regarding global privacy practices for data usage and protections related to search and online advertising. It is important for consumers that we create an online environment where people can search and surf online without having to navigate a complicated patchwork of privacy protections.

How long do you retain those data?
Cullen: In July, we announced that we will retain search records associated with identifiers such as IP addresses for 18 months, unless we receive user consent to a longer time period. After 18 months, we will permanently anonymize the data, and it will only be retained in this anonymous form. Microsoft believes this time frame strikes the right balance between protecting the privacy of our customers and enabling us to help protect our customers and the broader ecosystem from security threats, including botnet attacks, spam, denial-of-service attacks, click fraud and worms.

If you retain data for a limited period of time, is it completely deleted (in such a way that the data and backups cannot be recovered even under court order) or is it anonymized instead?
Cullen: The data is anonymized permanently and irreversibly, which means that it cannot be traced to an IP address or to an individual. From the beginning, Microsoft never stores search terms with personal information, to help protect privacy.

If the data are anonymized, exactly how do you do this?
Cullen: After 18 months, we will permanently remove the entirety of the IP address and all other cross-session identifiers, such as cookie IDs, from the search terms. This strict approach reflects Microsoft's belief that to protect privacy and make search query data truly anonymous, all cross-session identifiers and IP addresses must be removed in their entirety from the data.

Do you do behavioral targeting, meaning showing ads to users based on their behavior across multiple queries?
Cullen: Through our adCenter service, Microsoft offers behavioral targeting to bring relevant advertising to consumers and to enable advertisers to connect with more people who are likely to be interested in their products and services. At the same time, Microsoft maintains a strong focus on protecting customers' privacy and adheres to high privacy standards.

If you do, is there a way for users to opt out of behavioral targeting?
Cullen: Once Microsoft begins to offer behavioral ad targeting on third-party sites, we will offer customers the ability to opt out of the behavioral ad targeting by Microsoft's network-advertising service on those Web sites. This is consistent with the privacy principles of the Network Advertising Initiative, which Microsoft announced it will join. We will also continue to develop new user controls that will enhance privacy, such as letting people search and surf our sites without being associated with a personal and unique identifier used for behavioral ad targeting.

(Editor's note: We followed up with a phone call to ask for details. Microsoft replied that it does do behavioral targeting on its own Web sites, and users must log out to avoid it. Once Microsoft begins offering behavioral targeting of ads on third-party sites--something that's not currently done--it'll offer the ability to opt out.)

Do you use knowledge about your users (such as ZIP code, e-mail address, gender, or birthdate) obtained through user registration to deliver targeted ads on your search engine?
Cullen: To provide the most relevant ads possible, Microsoft's ad-serving technologies use some user-provided demographic data (like gender, age or ZIP code) shared during Hotmail and Windows Live services registration, but they do not utilize information that could personally and directly identify a user in order to choose which advertisement a user should receive. Our ad platform's architecture relies on mathematical algorithms which disassociate personal information from demographic and behavioral attributes used in ad targeting.

No individual customer data of any kind is passed by Microsoft to any advertiser unless customers have asked us to do so.

Do you use knowledge about the identities of your users' instant messaging or e-mail correspondents when using those services, or the contents of those communications, to deliver targeted ads on your search engine?
Cullen: Microsoft does not use knowledge of users' correspondents or the contents of their instant messaging or e-mail communications to target ads on our search engine.

In terms of behavioral ad targeting, is there a way to opt-out on your primary search engine or just on third-party sites?
Cullen: Consistent with the Microsoft Online Privacy Statement, we currently utilize behavioral targeting on our Windows Live sites and services. If customers wish to disable behavioral targeting and not receive targeted ads on our network, they can log out of their Windows Live ID and delete their cookies.

We will continue to develop new user controls that will enhance privacy. Such controls may include letting individuals use our search service and surf Microsoft sites without being associated with a personal and unique identifier used for behavioral ad targeting, or allowing signed-in users to control personalization of the services they receive.

Yahoo

Here are responses from Yahoo spokesman Jim Cullinan. The company--which is No. 2 in search--has incorporated user-generated content from its question-and-answer site Yahoo Answers into its main search results.

What search-related data--including IP addresses, cookie IDs, user identities, and search terms--do you retain?
Cullinan: Our privacy policy makes it clear that we "automatically receive and record information on our server logs from your browser including your IP address, Yahoo cookie information, and the page you requested."

How long do you retain those data?
Cullinan: Yahoo's global policy is: all search log data will be anonymized within 13 months of collection except where users request otherwise or where Yahoo is required to retain the information to comply with legal obligations.

If you retain data for a limited period of time, is it completely deleted (in such a way that the data and backups cannot be recovered, even under court order) or is it anonymized instead?
Cullinan: It is anonymized after 13 months.

If the data are anonymized, exactly how do you do this?
Cullinan: We remove portions of the IP address and personally identifiable cookie IDs.

Do you do behavioral targeting, meaning showing ads to users based on their behavior across multiple queries?
Cullinan: Yes, we do.

If you do, is there a way for users to opt out of behavioral targeting?
Cullinan: No.

Do you use knowledge about your users (such as ZIP code, e-mail address, gender, or birth date) obtained through user registration to deliver targeted ads on your search engine?
Cullinan: Per our privacy policy, when a user is logged into a Yahoo product or service, they are not anonymous to us. Logged-in users may receive customized ads based on general demographic categories such as geo-location, gender, and/or age range.

Do you use knowledge about the identities of your users' instant messaging or e-mail correspondents when using those services, or the contents of those communications, to deliver targeted ads on your search engine?
Cullinan: The Yahoo practice to date is not to use content of personal communication for ad targeting.

You said Yahoo removes "portions of the IP Address." But details are important. IPv4 addresses are 32 bits. If you remove any four bits of the IP address, it's not much of an anonymization because it narrows down the user to 1 of 16 addresses (2^4 is 16). If you removed any 16 bits, however, it would be more privacy-protective because it narrows down the user to 1 of 65,536 addresses (2^16 is 65,536). Can you elaborate?
Cullinan: Our policy will mean that anonymous is anonymous and we will put safeguards in place to ensure that. Other details will come very soon.

Do you remove the beginning or end portion of the IP address?
Cullinan: Same as above.

Do you plan to give users any way to opt out of behavioral targeting in the future?
Cullinan: Yahoo currently offers users the ability to opt out of off-network behavioral targeting in accordance with NAI principles, but we are considering many different options to best help our users be in control of their online experience and their information.