Google shortens IP address retention on server logs to nine months

9 Sep 2008

Google has revealed plans to anonymise IP addresses on its server logs after nine months from the previous 18-month retention policy.

The search giant – which regularly comes in from scrutiny from privacy advocates over its access to knowledge of user activity – said it is taking the step to address regulatory concerns and improve privacy for users.

In March last year the company unveiled a policy to anonymise its search server logs, a move that was quickly followed by other search giants including MSN and Yahoo!

“Although that was good for privacy, it was a difficult decision because the routine server log data we collect has always been a critical ingredient of innovation,” explained Google’s global privacy counsel, Peter Fleischer, in a blog post this morning.

“Over the last two years, policy-makers and regulators – especially in Europe and the US – have continued to ask us (and others in the industry) to explain and justify this shortened logs retention policy. We responded by open letter to explain how we were trying to strike the right balance between sometimes conflicting factors like privacy, security and innovation.

“Some in the community of EU data protection regulators continued to be sceptical of the legitimacy of logs retention and demanded detailed justifications for this retention. Many of these privacy leaders also highlighted the risks of litigants using court-ordered discovery to gain access to logs, as in the recent Viacom suit.

“Today, we are filing this response to the EU privacy regulators. Since we announced our original logs anonymisation policy, we have had literally hundreds of discussions with data protection officials, government leaders and privacy advocates around the world to explain our privacy practices and to work together to develop ways to improve privacy.”

Fleisher said that when Google began anonymising after 18 months, it meant sacrifices in future innovations.

“We believed further reducing the period before anonymising would degrade the utility of the data too much and outweigh the incremental privacy benefit for users.

We didn’t stop working on this computer science problem, though. The problem is difficult to solve because the characteristics of the data that make it useful to prevent fraud, for example, are the very characteristics that also introduce some privacy risk.”

He said Google engineers have developed methods for preserving more of the data’s utility, while also anonymising IP addresses sooner.

“While we’re glad this will bring some additional improvement in privacy, we’re also concerned about the potential loss of security, quality and innovation that may result from having less data.”

Fleischer said that as the period prior to anonymisation gets shorter, the added privacy benefits are less significant and the utility lost will grow.

“Technology will certainly evolve, and we will always be working on ways to improve privacy for our users, seeking new innovations and also finding the right balance between the benefits of data and advancement of privacy.”

By John Kennedy

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years