EU Recommends Slashing Search Data Retention

Wayland writes "The European Union's Article 29 Working Group has completed its PDF report on data protection and search engines. The group recommends that search engines only be allowed to hold onto search data for six months. 'To hang onto data for longer, search engine operators will need to show that such data is "strictly necessary" to offer the service. Google and others have long said that they need to retain data in order to refine search results, prevent click fraud, and launch new services like spell check (which, in Google's case, was built from user search data). In addition, the data that is kept will need to be guarded more closely. The working group concluded that IP addresses could be used to identify individuals; if not by the search engine itself, then by law enforcement or after a subpoena.'"

Tracking and identifying a piece of data.

[Thanshin]

How much do you have to process the data so it stops counting for data protection issues?

In six months you can intermingle the data items so much there's no way of proving you're actually storing the data and you'd still have what you need of that data.

How does law track the identity line of a data item? Data has no memory and leaves no trace.

This isn't SE-exclusive

[FornaxChemica]

They're so concerned by the search engines that they seem to forget any website can get search queries and the IPs who performed them just by looking at the referrer field in the server logs. Why would it be less a "threat" for privacy than search engines ?

"strictly necessary"

[Mr2cents]

"search engine operators will need to show that such data is "strictly necessary" to offer the service."

If that is the law to follow, they will make it "strictly necessary" by adding features using that data, I guess. Just making it a bit harder is a lot of lawmaking for little effect.

Re:This isn't SE-exclusive

[Dada Vinci]

Search engines are more of a concern because they hold so much data that is so concentrated. Sure, any given website might know your IP address and when you visited, but Google knows _all_ of the things you searched for, all of the sites you visited (if you have the toolbar or clicked search links), all of your emails (if you use Gmail), all of your chats (if you use Gchat), etc. One subpoena by a government to Google can reveal more data than 50 to other websites. And Google can mine that data for far more than slashdot ever could. It makes a lot of sense to worry most about Google / Yahoo / Microsoft.

How come EU is always more consumer-protectionist

[freedom_india]

I have been noticing one thing over many years now:
EU seems to protect its citizens and consumers from the rapacious hungry corporates more than US, as beacon of freedom, does.
Whether it is kicking Microsoft's ass all the way back to US, or
Forcing Apple to unblock its iTunes service in France, or
Cheaper medicine and medicare that keeps the private insurers at bay, or
Privacy laws and zealous courts (in germany) that force the government to disband its secret spyware projects, or
Libel laws that force newspapers to pay huge penalties to citizens for reckless lie mongering about their private lives, or
Airplane laws that force airlines to pay financial compensation to passengers for ditching them, or
Laws that jail CEOs and even the board for criminal conviction of corporations,...

While US zealously preserves corporate rights and treats them above human beings, allowing and authorizing torture, etc.

How come the so-called stiff-lip society values human freedoms so much, when the so-called Beacon of Democracy incarcerates its own citizens without trial.

And that too many EU nations don't even have constitutions that embody something like our First Amendment, etc.

Re:How come EU is always more consumer-protectioni

[SwedishPenguin]

It's simple, the US is (still, for some reason) afraid of the "communist" boogieman, and dismisses anything even remotely good for society as a whole, instead of rich individuals corporations, as communist propaganda.

Re:The state vs freedom of information

[PinkyDead]

Under Data Protection Legislation I can go to Google's (etc) offices and for a small fee they are required to provide me with every piece of information that they have on me, and if any of it is incorrect they must correct it.

It is not the state controlling access - it is the state, acting on my behalf, to ensure that large organizations (including the state itself) are not entitled to use my personal information against me. If you are not covered by such protection then anyone can use your information to do you untold damage and there is nothing you can do about it.

RTFA, lemming

[Moraelin]

Last year's data is extremely helpful in predicting this year's searches, and debugging any changes you've made before a season hits.

RTFA, lemming. The summary _again_ is inflammatory crap, yes, what else is new? But that's not what TFA says.

They're _not_ required to delete data completely, they're required to delete data that can identify you personally. Like IP, grouping between those searches, etc.

They do _not_ need that to refine their searches. If I search for, say, "Oracle auto-tuning", that's that. I expect the same result regardless of what my IP is, regardless of whether I searched for "WebSphere XA configuration" before, or "Fluffy tail buttplugs" or whatever. You can tune the search with just the search string. You don't need to track me for that.

_That_ is the friction between the EU and Google: that Google wants to keep that kind of identifiable information like the pair of IP and timestamp. Google has been playing bullshit handwaving games along the lines of "but we really need the IPs", then "but some people change IPs, so it won't identify them for ever", then "wait, would it be ok if we changed a bit or two of the IP?" along with a good helping of "but we'll keep it for 18 month before changing those bits anyway!"

And seeing Google protest at every step when they're told to stop tracking google, and, yes, exactly such bullshit fallacies as that they really need that IP to refine the search algorithm... is kinda funny. I guess "do no evil" was for when they were small and cuddly. Now that they're the 800 pound gorilla of the online advertising market, heh, turns out that they get as big a boner as any other PHBs out of trying to rape people's private data for a quick buck.

But, hey, I'm willing to be educated. _You_ tell me how deleting the IP information is gonna make search engines tank. Exactly which search algorithm relies on knowing my IP? No, seriously.

How well would financial markets work with only 6 months of history?

They can keep their statistic history for as long as they want to, but they can't keep your personal data. It's that simple, so let's stop handwaving strawman scenarios. They can (and should) keep information like "Shares of Moraelin Buttplugs Corp peaked at 1.50 Euro a share last year." But they have no reason to retain info like "Freddy Krueger lives on 22 Elm Street, and bought 2 shares of Dr Kevorkian's Suicide Clinic last year," just because he bought those 2 shares last year.

A financial advisor's or stock broker's job is to trade on the stock market. It's _not_ to collect your personal data and sell it to the highest bidder. It's not their job to data-mine your private information. It's that simple: stick to selling those shares.

Mind you, even for data mining, there's a fine line between information and trivia. Stuff like "which team won the most games last year" is information. You can make an informed prediction for this year based on it. Stuff like "which team won the most games on a Wednesday, in rain, under artificial light" is trivia.

Similarly, "people from Germany buy more economic games than those in the USA" is information. Stuff like "people living on odd numbered houses, and on streets whose name ends in a 'e', and are born on a rainy thursay, buy more economic games" is useless trivia.

"50% of the gamers are between 25 and 50 years old" is information. You can decide a target demographic based on that. "People born on a Tuesday the 14'th have the most gamers, at a whole 0.01% of the total" is trivia. Even if you figured out how to make games especially fit for people born on a Tuesday the 14'th, it's too thin a slice to individually bother with. Etc.

Going too deep into details, slices your data too thin, and produces meaningless trivia.

There simply is _no_ sane justification for the kinds of personal information that especially the USA PHB's try to collect. Other than spamming you personally

Re:RTFA, lemming

[eikonos]

Very nice post, but I would like to point out that all kinds of information follow from IP (e.g. where you live) which helps search for things like restaurants.

I search for restaurants by typing "{restaurant type} {city name}" and there's no need for them to check my IP address.