Google Updates IP Address Log Retention Policy
By Dino Tsibouris & Mehmet Munur
On September 8, 2008, Google announced that it would reduce the amount of time it retains distinct IP addresses from 18 months to 9 months due to pressure from European regulators. This is not the first time, and likely not the last time, that Google will have to amend its IP log retention period in order to comply with the European regulators’ strict policies.
In June of 2007, Google had to reduce the amount of time it retained distinct IP addresses from 24 months to 18 months, due to pressure from the EU Article 29 Data Protection Working Party. Eighteen months after obtaining the IP addresses, Google anonymized its IP logs by replacing the last byte of the IP address with hashes (for example 216.54.106.###). At the time, Google “firmly reject[ed] any suggestions that [it] could meet [its] legitimate interests in security, innovation and anti-fraud efforts with any retention period shorter than 18 months.”
This recent change in IP log retention policy is certainly in part due to the Working Party’s Opinion on Data Protection Issues Related to Search Engines released in March 2008. The Working Party suggested that the “retention of personal data and the corresponding retention period must always be justified (with concrete and relevant arguments) and reduced to a minimum, to improve transparency to ensure fair processing, and to guarantee proportionality with the purpose that justifies such retention.” More importantly, if “search engine providers retain personal data longer than 6 months, they will have to demonstrate comprehensively that it is strictly necessary for the service.” The Working Party then concluded that “[i]n view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months.” It appears that Google’s rejection was not firm enough.
Google may also have problems with the methods it uses to anonymize the logs. The Working Party opinion also commented on Google’s anonymization methods and suggested that they may not be satisfactory under all circumstances. “Currently, some search engine providers truncate IPv4 addresses by removing the final [byte], thus in effect retaining information about the user's ISP or subnet, but not directly identifying the individual. The activity could then originate from any of 254 IP addresses. This may not always be enough to guarantee anonymisation.”
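The following is an added example, not code from the article, the Working Party or Google: a pre-anonymization check that applies the final-byte truncation described above and counts how many distinct addresses in a log actually share each truncated prefix. The sample log (documentation address ranges), the function names and the threshold k are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log of (source address, record id); not real data.
SAMPLE_LOG = [
    ("198.51.100.17", "r1"), ("198.51.100.17", "r2"), ("198.51.100.17", "r3"),
    ("203.0.113.5", "r4"), ("203.0.113.77", "r5"), ("203.0.113.200", "r6"),
    ("192.0.2.9", "r7"), ("192.0.2.9", "r8"), ("192.0.2.10", "r9"),
]


def truncate_ipv4(addr: str) -> str:
    """Zero the final byte of an IPv4 address, keeping the first three bytes."""
    ip = ipaddress.IPv4Address(addr)  # raises on malformed or IPv6 input
    return str(ipaddress.IPv4Address(int(ip) & 0xFFFFFF00))


def anonymity_sets(log):
    """Map each truncated prefix to the distinct original addresses seen under it."""
    sets = defaultdict(set)
    for addr, _record in log:
        sets[truncate_ipv4(addr)].add(addr)
    return dict(sets)


def weak_prefixes(log, k=2):
    """Truncated prefixes whose observed anonymity set has fewer than k addresses.

    Truncation leaves up to 254 candidate hosts in theory, but if only one
    address under a prefix ever appears in the log, every truncated record
    for that prefix still traces back to a single source.
    """
    return sorted(p for p, seen in anonymity_sets(log).items() if len(seen) < k)


if __name__ == "__main__":
    for prefix, seen in sorted(anonymity_sets(SAMPLE_LOG).items()):
        print(f"{prefix}: {len(seen)} distinct source(s) before truncation")
    print("prefixes with an anonymity set of one:", weak_prefixes(SAMPLE_LOG, k=2))
```

The check has to run before the original addresses are discarded, since the truncated log alone no longer shows how many sources shared a prefix.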
Furthermore, Google has not finalized the methods it is going to use to anonymize IP addresses. In its recent announcement, Google stated that it had not “sorted out all of the implementation details, and [it] may not be able to use precisely the same methods for anonymizing as [it] d[id] after 18 months . . . .” In other words, the anonymization used after 18 months and anonymization used after 9 months are different methods of anonymization. Considering that the Working Party is not satisfied with the first method under all circumstances, arguably, the Working Party may not be satisfied with the new method, either.
The Working Party disagreed. The Working Party opinion stated that “increasing number of ISPs distribute fixed IP addresses to individual users.” Then, the Working Party turned the presumption on its head by stating that “unless the [Search Engine] is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side.” In sum, Google would like a sliding-scale approach to IP address privacy, while the Working Party sees all IP addresses as personal data. This stark difference in approach to privacy is likely to result in more revisions to Google’s IP address log policy.