Google scrambles to avoid EU privacy regulators

Google could soon be forced to delete identifying user information from its search logs, statements by the European Union data regulators suggest. How has the search engine responded: denial.

Chris Soghoian
Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society , and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/.
Chris Soghoian
5 min read

Google could soon be forced to delete identifying user information from its search logs, statements by the European Union data regulators suggest. The search engine's lawyers have long argued that network addresses don't really count as personal information, and even if they did, the company's policy of masking the last few digits of an IP address after 18 months is more than sufficient. European regulators don't appear to be buying Google's claims.

According to an Associated Press report, European data privacy regulators confirmed this past Thursday that Internet search engines based outside Europe must also comply with EU rules dictating how person's Internet address or search history is stored.

The EU's rules insist that Net surfers must consent to their data being collected and that the search engines give a person the right to object or verify their information. As long as Google has an office or data center within EU territory, the stricter European rules apply.

With intense pressure coming from European regulators, Google seems to be scrambling to defend itself. However, instead of adapting its privacy policies to match the changing political climate, the search giant has opted for an alternative approach: denial. In a major public relations push this week, multiple Google employees have publicly stated that network IP addresses are not private identifying information.

An engineer speaks
On Friday, Dr. Alma Whitten, an engineer in Google's security team added her two cents to the debate, in a lengthy post on Google's Public Policy Blog. According to Whitten:

"If you're an ISP...and you know the name and address of the person who holds that account, then that IP address is more like personal data, even though multiple people could still be using it. On the other hand, the IP addresses recorded by every Web site on the planet without additional information should not be considered personal data, because these Web sites usually cannot identify the human beings behind these number strings."

Whitten's statement has been thoroughly debunked by the tech media, members of the blogosphere and even The New York Times. I won't rehash the things that have been covered elsewhere, but I will make the following four points:

  • If the millions of IP addresses in Google's logs are not identifying information, why is the company fighting so hard to keep them? Instead of following Microsoft, Yahoo and Ask.com's lead in deleting the entire IP address after 18 months, Google instead smudges out the last octet (up to 3 digits) of an IP address after that same period.
  • The IP address may not be identifying when Google possesses it, but when subpoenaed by law enforcement, it can easily lead to a subscriber name and address when coupled with ISP log data.
  • An IP address is enough probable cause for law enforcement to get a search warrant for someone's home. One court confirmed this, stating that "though it was possible that the transmissions originated outside of the residence to which the IP address was assigned, it remained likely that the source of the transmissions was inside that residence."
  • The Recording Industry Association of America (RIAA) seems to think that an IP address is identifying information. Using just an IP and an allegation of copyright infringement, the RIAA has been able to force Internet service providers and universities into giving up the names and addresses of the alleged pirates.

Of course, this entire IP address debate only applies to people who do not have a Google account. Anyone who uses Google's free email service and does a search while they are logged into their email account will find their searches logged, and associated with their name. The company is even nice enough to opt users in to this handy feature by default, providing one-click access to every search issued by a logged in user.

One British tech news site sarcasticly compared Whitten's argument to the Chewbacca defense from TV's South Park. A tip for those in charge of strategy at the Googleplex: when your policy positions are being compared to OJ Simpson defense lawyer Johnny Cochran, you have a problem.

Adios Alberto
For the last few years, Peter Fleischer, the company's Paris-based Global Privacy Counsel has been the public face for Google's privacy policies--most frequently offering his views on the company's official Public Policy Blog. Fleischer is a forceful advocate of his employer, who has in the past engaged in public shouting matches with critics of the company. It was Fleischer who first introduced the company's log "anonymization" policy, as well as the decision to reduce the length of cookies from 30 years to 2 - a move ridiculed as only useful to the dead or those confined to a maximum security prison.

In one notable case, Fleischer passed the buck to the EU, and said that the only reason that Google kept its log data for so long was because it was forced to by EU regulations. In response to these claims, Fleischer was sharply criticized by the online press, with one journalist calling his statements "misleading" and "dishonest." Wired's Ryan Singel wrote at the time of Fleischer:

It's simply dishonest to continually imply otherwise in order to hide the real political and monetary reasons that Google chooses to hang onto this data.

I think it's quite reasonable to state that at this point, Peter Fleischer has little to no credibility with the privacy community or members of the technology press. When that is taken into consideration, it is not so surprising that Google chose to rebrand its privacy policy, and have a PhD wielding engineer lend her name by repeating the company's Politburo issued talking points.

Fleischer's statements, like those of Attorney General Alberto Gonzales in his final weeks at the job, are simply no longer trusted. Which, of course, makes Google's recent hire of a Gonzales appointed Department of Justice privacy czar all the more interesting.

A request for comment sent to Whitten was forwarded to a member of Google's public relations staff, who had yet to respond to my questions by press time.

Disclosure: I worked as an intern for Google in 2006 in the same group as Alma Whitten. I received a patent invention payment from Google in 2007, and have twice received a $5000 tuition fellowship from Google and the Hispanic College Fund. I interviewed for an internship with Google's Policy team in Washington DC in February of 2008. I have also applied for a Google funded Public Policy Fellowship.

Finally, I am currently a paid technology policy fellow with the Electronic Privacy Information Center, a group that has repeatedly criticized Google in the past. I did not speak with anyone at EPIC while writing this blog post, nor does it reflect the opinions or policy of EPIC.