EFF Asks FTC To Limit How Long AOL Can Store Search Records

The Electronic Frontier Foundation has asked the US Federal Trade Commission to investigate AOL's release of search records last week and prevent the company from storing search data for longer than two weeks.

The formal complaint (PDF) asks for the FTC to:

order AOL to refrain from collecting or storing logs of its users' search activity except where necessary incident to the rendition of AOL's services or the protection of AOL rights and property, and to refrain in any case from storing logs of its users' search activity in personally identifiable form or for more than fourteen (14) days;

The EFF also wants all those whose searches were revealed through the data to be notified by AOL, which sounds like a good idea and something you'd think AOL would already want to do. Other things are requested, such as one year's worth of credit monitoring to protect against identity theft. That seems far-fetched, but I suppose you never know.

Coinciding with the complaint, the Wall Street Journal has a debate between the EFF and an internet lobbying group NetCoalition that apparently represents Yahoo and Google, among others.

The debate, Should Web Search Data Be Stored?, is free to anyone to view. It's well worth a read, if only to read that the US Department Of Justice is apparently arguing that access to search records might not require a search warrant, as the EFF says the Electronic Communication Privacy Act requires.

Overall, I'm much more on the side of the EFF in the debate. Some highlights from it and my remarks about them.

NetCoalition: Search queries are stored and used by Internet companies for internal purposes.

Me: Search queries have been shared by various companies in different ways with third parties over the years. More important, even if these are stored for internal purposes, there's no guarantee that they'll be perfectly protected. Leaks, accidental or intentional, do happen.

NetCoalition: There are good, legitimate reasons why an Internet company would use historical search queries for internal uses. For example, search query information can be used in research and development to make improvements to search technology, to better tailor and make more efficient users' online requests. Companies also analyze historical query information to detect and protect against click fraud -- an activity that involves faking clicks on Web advertisements to drive up costs.

Me: Excellent points, but the major search engines are going to have to step up now with better proof that there's no way data can be tied back with an individual, even when made "anonymous" in the way AOL has shown doesn't work. Click fraud refunds typically aren't given for activity longer than 60 days, so that provides a time horizon for how long data might be associated with actual users/IP activity.

NetCoalition: Search queries are essentially "directory assistance" requests from users to companies that help them find locations on the Internet. The Electronic Communications Privacy Act is meant to protect communications between and among users -- not to protect requests from customers for directions on the Internet.

Me: Wow, I think the search engines need a new lobbying group that understands search better. Searches can be directory assistance and much more than that. Search engines are confidents, trusted friends that we effectively tell secrets to in order to get advice. They aren't about getting location. They are about getting information.

NetCoalition: The Video Privacy Protection Act is a bad analogy. Internet companies do not match up the user's personal information (e.g., name, address and phone number) with search queries the way a video rental record would.

Me: Except they do. If you're logged in to a search engine, then any personal information you've provided is associated with your search query in some way.

EFF: The public needs to know the facts about how their data is being stored and used before they can make informed decisions as consumers as to whether and how to use a particular search engine, and to make informed decisions as citizens as to whether and how Congress needs to update the law. I think the best route would be hearings in Congress to get to the bottom of the issue.

Me: I think the best route would be for the search engines themselves to act in conjunction with privacy groups right now to get protections and standards in place. But if they can't act, then hopefully laws covering the entire search spectrum -- from ISP to search engine -- will be enacted.

NetCoalition: Search queries are not being linked to users' personal information and shared for marketing purposes.

Me: Except they are. Showing ads in response to a query, while long-standing and generally accepted, is a marketing purpose. Showing ads based on search profiles, such as the New York Times wrote about today, is a more extreme example.

EFF: My organization also strongly opposes proposals by the DOJ and Congresswoman DeGette that would force companies to store this kind of sensitive data for government use. That's like asking the post office to keep copies of our mail, or phone companies to keep recordings of our phone calls, just in case investigators might find it useful. The bottom line is that Americans deserve the same privacy protections online that they've always had offline, and that includes the ability to be able to speak and consume speech freely and privately, without fear that their deepest secrets might be shared with the government or published to the world. Yet when search engines accumulate this kind of data, such disclosures are bound to happen, as this week's news has demonstrated.

Me: Well said!

Postscript: I'd sent some questions over to the EFF and just got answers back from EFF staff attorney Kevin Bankston. Here they are:

Q. Why just AOL? Why aren't you asking for all search engines to be limited? I did see that you want federal laws to expand to cover them, but what happened with AOL could happen with the others as well.

A. Why aren't we asking the FTC to investigate and take action against other search engines? Because we can't, just like we can't go to court and demand that Google pay for AOL's mistake. The FTC isn't a suggestion box. We had a specific complaint about AOL--we think this disclosure violated their policy and therefore constitutes an unfair and deceptive trade practice--and we filed that complaint with the FTC. If other companies engaged in similar disclosures, we'd file similar complaints.

If you are familiar with our work, you know that we've been complaining about the logging practices of search engines as a category for a long while. In fact, I'm usually the one trying to explain to Google-hungry journalists that your Yahoos and AOLs and MSNs and other multi-service portals pose most if not all of the same privacy threats, so it's funny to be accused of singling out one of them for some sort of special mistreatment. We're merely reacting to a specific incident that happened to involve AOL rather than Google or Yahoo or MSN.

We want strong, clear legal rules that cover all the search engines; we want all the search engines to limit retention.

Q. Why just the search engines? Many ISPs are recording the same data but aren't being limited on data retention. It's actually more worrisome to me in that many ISPs are happily selling this data to third parties.

Again, if you are familiar with our work, you know that we are generally concerned about data retention by all stripes of online service providers (see, e.g., our white paper on best practices for online service providers, http://www.eff.org/osp/). So, in short, we share your worry. But again, we are reacting to a specific incident concerning a search engine, so our discussion right now is focused on search engines.

BTW, if you are specifically aware of any ISP that routinely collects the searches its users submit to other search engines, we'd love to hear more about it. I think that without very clear consent from the customer, that would be an unauthorized interception of your communications, and therefore a felony.

Q. How long does the EFF retain search data? You've got a search box. People do sensitive searches on your sites. I want to ensure AOL isn't being held to a higher standard than the EFF itself meets.

We don't retain search terms. Of course, since we use Google, Google does undoubtedly retain them. But we proxy everyone's requests so that their IP addresses and cookies are not transmitted to Google, therefore individual search terms are only identifiable to EFF visitors as a population and not personally or uniquely. In fact, we call this out on our site: if you click on the link next to our search box that says "about EFF's search," you'll see a pop-up that says "EFF uses Google for search functionality on www.eff.org. To protect your privacy, EFF proxies search requests to Google with a special CGI script on our server, thus hiding your IP address and your Google cookie (if any) from Google's servers."