Tsibouris & Associates

Monday, November 10, 2008

Google Updates IP Address Log Retention Policy

By Dino Tsibouris & Mehmet Munur

On September 8, 2008, Google announced that it will reduce the amount of time it retains distinct IP addresses from 18 months to 9 months due to pressure from European regulators. This is not the first time, and likely not the last time, Google will have to amend its IP log retention period in order to comply with the European regulators’ strict policies.

In June of 2007, Google had to reduce the amount of time it retained distinct IP addresses from 24 months to 18 months, due to pressure from the EU Article 29 Data Protection Working Party. Eighteen months after obtaining the IP addresses, Google anonymized its IP logs by replacing the last byte of the IP address with hash symbols (for example 216.54.106.###). At the time, Google “firmly reject[ed] any suggestions that [it] could meet [its] legitimate interests in security, innovation and anti-fraud efforts with any retention period shorter than 18 months.”

This recent change in IP log retention policy is certainly in part due to the Working Party’s Opinion on Data Protection Issues Related to Search Engines released in March 2008. The Working Party suggested that the “retention of personal data and the corresponding retention period must always be justified (with concrete and relevant arguments) and reduced to a minimum, to improve transparency to ensure fair processing, and to guarantee proportionality with the purpose that justifies such retention.” More importantly, if “search engine providers retain personal data longer than 6 months, they will have to demonstrate comprehensively that it is strictly necessary for the service.” The Working Party then concluded that “[i]n view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months.” It appears that Google’s rejection was not firm enough.

Before issuing this opinion, the Working Party sent questionnaires to many search engines. Undoubtedly, Google was one of the search engines that received a questionnaire. Google must have predicted that the Working Party would issue an opinion on IP addresses and cookie use as a result of this questionnaire. Google probably provided all the justifications that it could, but the Working Party was not satisfied. Considering that the Working Party concluded that logs should be retained for 6 months—not 9—Google either has a better justification, or another revision to its privacy policy awaits Google in the near future.

Google may also have problems with the methods it uses to anonymize the logs. The Working Party opinion also commented on Google’s anonymization methods and suggested that they may not be satisfactory under all circumstances. “Currently, some search engine providers truncate IPv4 addresses by removing the final [byte], thus in effect retaining information about the user's ISP or subnet, but not directly identifying the individual. The activity could then originate from any of 254 IP addresses. This may not always be enough to guarantee anonymisation.”
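The following sketch is an added example, not code from the original post, from Google, or from the Working Party. It applies last-byte truncation to a small constructed log and counts how many distinct addresses actually observed in that log fall under each truncated prefix; a prefix with a single observed address is one case where truncated records still group together as one source. The log entries, function names and the threshold `k` are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log of (client IP, query); not real data.
# 216.54.106.x reuses the prefix from the post's example;
# 198.51.100.0/24 is a documentation range.
SAMPLE_LOG = [
    ("216.54.106.17", "weather columbus"),
    ("216.54.106.17", "privacy lawyer"),
    ("216.54.106.201", "news"),
    ("198.51.100.9", "rare disease clinic"),
    ("198.51.100.9", "flights to athens"),
]


def truncate_ipv4(addr: str) -> str:
    """Drop the final byte of an IPv4 address, keeping the /24 prefix.

    The byte is zeroed here (an assumption); the post shows it as '###'.
    Raises ipaddress.AddressValueError on input that is not IPv4.
    """
    ip = ipaddress.IPv4Address(addr)
    return str(ipaddress.IPv4Address(int(ip) & 0xFFFFFF00))


def anonymize(log):
    """Return the log with every address truncated."""
    return [(truncate_ipv4(ip), query) for ip, query in log]


def observed_set_sizes(log):
    """Map each truncated prefix to the number of distinct original
    addresses seen under it in this log (not the theoretical 254)."""
    seen = defaultdict(set)
    for ip, _ in log:
        seen[truncate_ipv4(ip)].add(ip)
    return {prefix: len(addrs) for prefix, addrs in seen.items()}


def weakly_hidden(log, k=2):
    """Prefixes under which fewer than k distinct addresses were observed."""
    return sorted(p for p, n in observed_set_sizes(log).items() if n < k)


if __name__ == "__main__":
    for row in anonymize(SAMPLE_LOG):
        print(row)
    print("prefixes below k=2:", weakly_hidden(SAMPLE_LOG))
```

The check has to run on the original addresses before they are discarded, since the truncated log alone no longer shows how many sources each prefix covers.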

Furthermore, Google has not finalized the methods it is going to use to anonymize IP addresses. In its recent announcement, Google stated that it had not “sorted out all of the implementation details, and [it] may not be able to use precisely the same methods for anonymizing as [it] d[id] after 18 months . . . .” In other words, the anonymization used after 18 months and anonymization used after 9 months are different methods of anonymization. Considering that the Working Party is not satisfied with the first method under all circumstances, arguably, the Working Party may not be satisfied with the new method, either.

One reason for this continuous disagreement over Google’s privacy policy may be how Google and the European regulators think about privacy. IP address logs are an invaluable source of competitive information for Google; therefore, it would like to retain them unless they are shown to be personal data. In other words, presume the data to be non-personal unless proven otherwise. To support this view, Peter Fleischer, Google’s Global Privacy Counsel, argued in NY Times Bits and in his own blog that he did not think that IP addresses were private data under all circumstances. Both Mr. Fleischer and a Google engineer stressed that IP addresses did not always return to a unique individual but could be shared among many users.

The Working Party disagreed. The Working Party opinion stated that “increasing number of ISPs distribute fixed IP addresses to individual users.” Then, the Working Party turned the presumption on its head by stating that “unless the [Search Engine] is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side.” In sum, Google would like a sliding scale approach to IP address privacy while the Working Party sees all IP addresses as personal data. This stark difference in approach to privacy is likely to result in more revisions for Google’s IP address logs.

Certainly, Google appears to be taking a serious approach to privacy by creating a Google Privacy Channel on YouTube and drafting a reader-friendly Terms of Use. Despite all its efforts, Google’s actions are likely to stay in the spotlight for some time to come. One cannot expect Google to give up so easily on IP address logs that allow Google to provide better services and get the upper hand on its competitors.

