Google to Anonymize Search Data

Posted on April 10, 2007

Google has posted that they plan to start anonymizing their server logs after 18-24 months in a move towards more privacy for Google search users.
When you search on Google, we collect information about your search, such as the query itself, IP addresses and cookie details. Previously, we kept this data for as long as it was useful. Today we're pleased to report a change in our privacy policy: Unless we're legally required to retain log data for longer, we will anonymize our server logs after a limited period of time. When we implement this policy change in the coming months, we will continue to keep server log data (so that we can improve Google's services and protect them from security and other abuses)-but will make this data much more anonymous, so that it can no longer be identified with individual users, after 18-24 months.

Just as we continuously work to improve our products, we also work toward having the best privacy practices for our users. This includes designing privacy protections into our products (like Google Talk's "off the record" feature or Google Desktop's "pause" and "lock search" controls). This also means providing clear, easy to understand privacy policies that help you make informed decisions about using our services.
There has been an overall positive reaction to Google's privacy move. Wired Threat Level blog has a comment from Kevin Bankston of the Electronic Frontier Foundation who called Google's move a good first step.
"Google seems to have finally realized that keeping detailed logs of users' online activities threatens their privacy. We are very glad to see Google is taking these first steps to limit their retention of data which can intimately detail users' private online activities .We hope this is only a first step and we hope they will expand this to retain this data for even less time."
The data needs to be anonymized to the point where search patterns cannot be determined. Some people were identified from their search keywords during the AOL search datda fiasco. That incident really highlighted how crucial it is that user's search data remain private and be destroyed by search providers. The best reality for users would be if the search information was never recorded or linked to an account number or IP number at all.