Today, Facebook announced that the results are in from an audit by the Office of the Irish Data Protection Commissioner (DPC). Facebook went with this organization because the company’s international headquarters are in Ireland, and the DPC oversees its legal compliance to to users outside of the U.S. and Canada.

Facebook says that while audits aren’t normally made public, the company and the DPC felt it would be in the interests of transparency to publicize this one in particular, given the FTC order and the concern among users and the media. Probably a good call.

Facebook says it has agreed to the following “key commitments”:

- Offer additional notifications to European users about Facebook’s photo Tag Suggest feature so that they can decide whether or not to use this feature to help people tag them in photos

- Work with the DPC to improve the information that people using Facebook are given about how to control their information both on Facebook and when using applications

Facebook says it is pleased with the DPC’s highlighting of the company’s “strengths,” which it lists as security protection, importance of real name authenticity, no profiling based on “tracking,” user control, tag suggest, advertising, third-party applications, and friend finder feature.

Carriers like AT&T, Verizon and Sprint play a huge role in most people’s daily lives. Just think about how often you text, make a phone call or surf the web from your mobile device. You are constantly using the provider’s service to function in your daily life – it’s unavoidable.

So just how long does a carrier hold on to the data it gathers about you? A leaked memo shows that it really depends on the carrier.

Wired has obtained a one page Department of Justice document called “Retention Periods of Major Cellular Service Providers.” They obtained it from the ACLU, who obtained it via a Freedom of Information Act claim.

The document is dated August 2010 and says “Law Enforcement Use Only.” So this document could possibly have been used by police and investigatory organizations to better understand how to pursue data collection from mobile providers.

After looking over the document, it’s hard to make a determination as to which carrier is the best when it comes to user privacy. Each carrier does something better and each carrier does something less desirable than the next. Here are the highlights -

• Subscriber Information: Verizon, 3-5 years.  AT&T, depends on service length.  T-Mobile, 5 years.  Sprint, forever.
• Call details (who, when you called) – Verizon, 1 year.  AT&T, 5 years for prepaid 7 years for post-paid.  T-Mobile, 2 years prepaid 5 years post-paid.  Sprint, 18-24 months.
• Text Message detail (who, when): Verizon, 1 year.  AT&T, 5-7 years.  T-Mobile, 2-5 years.  Sprint, 18-24 months.
• Text message content: Verizon is the only one who keeps this information, and they do it for 3-5 days.
• IP session information: Verizon, 1 year.  AT&T, only on non-public IPs for 72 hours.  T-Mobile, not retained.  Sprint, 60 days.

The same goes for IP destination information, except Verizon only keeps it for 90 days.

Wired quotes an ACLU lawyer who says, “People who are upset that Facebook is storing all their information should be really concerned that their cell phone is tracking them everywhere they’ve been. The government has this information because it wants to engage in surveillance.”

Facebook came under fire this week for a situation involving tracking cookies that were found to still exist even after users log out.

The fact that carriers know and keep this information shouldn’t shock anyone. But some of the periods of retention in the document are interesting. If there is anything to be gleaned from this, it’s that everything you do sticks around, probably for longer than you think.

The company says that it will extend the amount of time it holds on to user search records to 18 months.  Currently, the data is only held for 90 days before it is made anonymous.

From the Yahoo Policy Blog:

Today, Yahoo! is making an announcement of our intention to change our log file data retention policy to meet the needs of our consumers for personalization and relevance, while living up to their expectations of trust.

Over the last 3 years, the way we and other companies offer services online and the way consumers experience the Internet has changed dramatically.  So, we will keep our log file data longer than we have been – offering consumers a more robust individualized experience – while we continue our innovation in the areas of transparency and choice to protect privacy.  We believe it’s a move forward for Yahoo! and our users.

Yahoo is only announcing a change to how long they retain search data right now, but say that they are also evaluating how long other types of data should be kept:

We will hold raw search log files for 18 months and we will be closely examining what the right policy and time frame should be for other log file data.  In announcing this change, we have gone back to the drawing board to ensure that our policies will support the innovative products we want to deliver for our consumers.

Of course, data retention serves multiple purposes for search engines.  By recording statistics on search queries, pages clicks and ad clicks, search engines can better personalize search data as well as provide better targeting for online ads.

This announcement comes just a few days after big news regarding consumer privacy.  Apple was the latest to roll out Do Not Track features on the test version of its latest browser.  There is also mounting disagreement on whether a new comprehensive internet privacy bill proposed by Senators John Kerry and John McCain will do more harm than good for web development.

When is this extended data retention set to begin?  Apparently this summer, after a period of notifications.

In the next 4-6 weeks we will begin rolling out notifications across Yahoo! to ensure that we have given clear and understandable notice to our consumers of this change in our policy.  Thirty days after we have completed these notifications, we will put the new policy into effect.  We expect this will occur sometime in mid-to-late July.

With this law in place, people providing web/ phone services are now required to keep their website access logs, or their phone call logs, for half a year. This data can then be used by the authorities – police and secret services – if they suspect it may help in important criminal investigations, or when online crimes are committed. Self-proclaimed goal is to fight e.g. attacks against European cities, like the London or Madrid bombings. Some people now want to stop this law in Germany’s Federal Constitutional Court, which can overrule what is deemed anti-constitutional.

Now, the data you are required to keep doesn’t by itself contain the contents of the transmitted data, e.g. the words spoken in a phone call. It is mostly restricted to such things as the IP address, date and time of when e.g. an email account is accessed, or data like the email address of sender and recipients, according to Spiegel.de. However, some privacy experts, according to Tagesschau.de, say that with the connection data in hand, you can then locate other data, including sometimes the content of messages.

Google’s Global Privacy Counsel Peter Fleischer – who also has a blog – previously called such laws a “harsh attack on privacy” a while ago. He even went as far as saying “As a last fallback we will close Google Mail in Germany” should these laws be passed. Peter added that “Many users around the globe make use of this anonymity to defend themselves from spam, or government repression of free speech … If the web community won’t trust us with handling their data with great care, we’ll go down in no time.” He also said that users of Gmail may simply switch to foreign email service providers anyway to better protect their privacy (if I remember correctly, Google later somewhat back-pedaled from these statements as they were given in an interview in German Wirtschaftswoche).

On the surface, the German Federal Ministry of the Interior agrees with Google. To quote from their website:

Only if people have confidence in data protection on the Internet, can the information society unfold its advantages. For this reason, the Federal Government is undertaking a fundamental revision of German data protection legislation. The aim is efficient data protection requiring as little control effort as possible.

Also, they say:

Law enforcement activities must be adapted to the dynamics of technological developments and the boundlessness of technology and networks. On the one hand, they must safeguard effective prevention and prosecution of new criminal offences, while on the otherhand [sic], utilize the electronic options available for law enforcement, without infringing upon citizens’ rights of freedom.

In other, related news, minister of interior Schäuble was pushing for a law to allow secret tools – trojans – to be installed on user’s computers for online supervision**. Also, according to Tagesschau.de, a recent case revealed that some German journalists’ and lawyers’ phone calls had been secretly tapped by the police as they were talking to informations/ clients (these people were allegedly extreme left-wing, and the talks were in relation to the then upcoming G8 conference).

*The German word here is “Vorratsdatenspeicherung,” an issue heavily discussed in German mainstream/ blog news.

**Coined “Bundestrojaner” or “Online-Durchsuchung” in Germany. The more official name for such tools is “Remote Forensic Software,” as Wikipedia explains.

[Thanks Hebbet! Photo by Bundesregierung.de from a video where Schäuble introduced the new biometric data as part of the travel pass.]

Comments

Tag:

Microsoft Joins Ask In Call For Privacy

Few things are more painful for a company than the prospect of heightened levels of federally-mandated paperwork. New laws and bureaucratic oversight represent an expense that companies would rather not incur.

In the best case scenario, businesses convince the government they can police themselves. We have seen this in segments of the financial industry, where breaches of privacy have revealed millions of credit card numbers and other personal information to criminals.

That industry has well-financed lobbyists on Washington’s K Street, which is probably why large scale break-ins at CardSystems Solutions and TJX haven’t led to fast-track legislation to better regulate the handling and security of financial details.

The search industry hasn’t experienced those sorts of breaches. They do have access to information on millions of people, and until recently enjoyed a relatively free hand to keep that data as long as they liked.

The situation changed after an AOL researcher posted thousands of search queries in 2006, all organized by anonymous identifiers. It proved easy to build profiles of each identifier, with quite a few of those profiles rendering a very unflattering picture of the searcher.

Following Google’s announcement of their intent to anonymize search data after a period of time, and to make an essentially useless change to their cookie data, Microsoft and Ask want to encourage a dialogue on “development of these principles” with regards to privacy protection.

Dialogue, from the same companies that rolled over to federal subpoenas for search data a couple of years ago. The time for talk has passed. Anyone in search who seriously wants to protect the privacy of their users needs to be deleting search data after a period of time, in compliance with whatever retention periods exist as mandated by law.

Instead of dialogue, how about placing a shell script that wipes out log files on the relevant servers on an ongoing basis as time passes? That has to be an easier and faster solution than just talking about it.

Google To Watchdog: Mind Your Own Business

Data protection and data retention occupy different parts of the overall online security picture. When the Article 29 Working Party in Europe expressed its concerns about data retention, Google shifted its retention policy to an 18 month period, after which it would anonymize the data.

As for the rest of the group’s views on data retention, Fleischer politely suggested in an OUT-LAW.com podcast excerpted by The Register that Article 29 should stick to its data protection mandate:

“Remember the Data Retention Directive comes out of the security side of government, not the data protection side,” said Fleischer. “So it’s interesting to me to hear what an official from the data protection world thinks about data retention, but it’s like asking somebody who works for the railroad what they think of airline regulation. It’s just not their field.”

EU officials seem to agree:

“The Data Retention Directive applies only to providers of publicly available electronic communications services or of public communication networks and not to search engine systems,” Philippos Mitletton, who works for the European Commission’s Data Protection Unit, which itself is represented on the Article 29 Working Party, told OUT-LAW.COM. “Accordingly, Google is not subject to this Directive as far as it concerns the search engine part of its applications and has no obligations thereof,” he said.

Google intends to stick to its data retention plans. Fleischer said in the interview that Google would adhere to the 18 month retention even if the EU did away with its Data Retention Directive.

I’d like to direct a hat tip towards Barry Schwartz for this one, but the original source (as Schwartz notes) is Paul Meller of the IDG News Service.  “European data protection officials are expanding their examination of the impact search engines have on privacy, after initially targeting Google Inc. last month,” Meller stated.

And though information is scarce, this isn’t hearsay or a rumor – Meller managed to get an interview with European Data Protection Supervisor Peter Hustinx, who told him, “A panel of European data protection officials called the Article 29 Working Group decided Wednesday to request information from Google’s rivals amid concerns that search engines are holding onto information about the people who use them for too long.”

Google’s leaders might get a laugh out of this (turnabout being fair play and all that), but they’d probably much rather the EU had just dropped the whole matter; a good deal of negative publicity followed the EU’s original interactions with Google.

Yahoo and Microsoft on the other hand . . . well, it’s not likely that they’re finding this the least bit humorous.

EU Challenges Google On Data Retention

The Article 29 Working Group advises the European Union on data protection issues. They are not happy with the length of time Google plans to retain search information in their databases.

The Financial Times said Google’s desire to keep that data for as long as 24 months may run counter to privacy laws in the EU. It’s a lot shorter than the indefinite time Google has kept search data prior to their policy change.

Information on what people search for could be used to construct a pretty accurate profile of an individual. The potential for an epic scale invasion of privacy exists, should a government or a malicious party manage to grab that information.

It is unlikely an external attack would be able to breach Google’s security, as the company prizes that information even more than the people who contribute it. Government intervention is another matter, and Google has already fought one battle with the Justice Department over its try at grabbing a huge amount of that data.

Google’s global privacy counsel Peter Fleischer pointed out to the Times that Yahoo and Microsoft have not publicly announced any limits to their search data retention. Fleischer previously wrote on Google’s official blog that “since these laws do not yet exist, and are only now being proposed and debated, it is too early to know the final retention time periods, the jurisdictional impact, and the scope of applicability.”