- © March 2007 Google Inc.
What changes are you making to your logs policies?
When users search on Google, we collect information about the search, such as the query itself, IP addresses and cookie information. (More info on this is available here.) We had previously kept the logs data for as long as it was useful. When we implement this policy change, we will continue to keep server log data so that we can improve Google’s services and protect them from security and other abuses, but we will anonymize our server logs after 18-24 months, unless legally required to retain the data for longer.
What does it mean to anonymize the logs?
We will change some of the bits in the IP address in the logs as well as change the cookie information. We’re still developing the precise technical methods and approach to this, but we believe these changes will be a significant addition to protecting user privacy.
How do these anonymizing measures protect user privacy?
Changing the bits of an IP address makes it less likely that the IP address can be associated with a specific computer or user. Cookie anonymization makes it less likely that a cookie can be used to identify a user.
Do these changes guarantee anonymization?
It is difficult to guarantee complete anonymization, but we believe these changes will make it very
unlikely users could be identified.
What regulations or laws might require that you keep the data for a longer period?
Governments in many countries are considering laws that will require communications service
providers to capture and archive telephone and internet traffic data for periods from 6 months to 2
years. These laws have for the most part not yet been enacted.
Why are you making these changes to your logs retention policy?
We are making this change to respond to feedback that we’ve received from numerous privacy
stakeholders that this policy change will create additional privacy safeguards while enabling us to
comply with future data retention requirements. We’ve come up with what we think is a great
solution to data retention that strikes the right balance between our various goals: (1) using logs
data to improve Google’s services for our users and protect them from security and other abuses;
(2) creating additional privacy safeguards by providing more transparency and certainty about our
data retention practices; and (3) abiding by data retention requirements.
Why did you retain the logs for longer periods?
It is standard in the industry to use logs data to analyze usage patterns and diagnose system
problems. We will continue to retain logs data for these purposes, but will anonymize the data
after 18-24 months, unless we are required to retain the data for longer due to data retention
laws. By making this change, we sacrifice some of the data’s usefulness, but we believe the
additional privacy provided by the change outweighs this.
Why does Google maintain logs at all?
We use this information to improve the quality of our services and for other business purposes.
For example, we use this information for fraud detection and prevention purposes, to identify
system problems and to combat denial of service attacks.
Are anonymized IP addresses and cookies still useful in improving Google’s services?
We may lose some data that has analytical and statistical value to us in improving Google’s
services and preventing abuses, but we believe the value of the additional privacy safeguards
that this change will enable is worth it.
Why not keep the logs information for an even shorter time period?
We are trying to strike the right balance between various goals: (1) using logs data to improve
Google’s services for our users and protect them from security and other abuses, (2) creating
additional privacy safeguards by providing more transparency and certainty about our data
retention practices, and (3) abiding by data retention requirements.
Which stakeholders have you spoken with?
We have discussed logs, data retention and other privacy issues with a variety of stakeholders,
including regulators, privacy advocates, consumer protection groups and users around the world.
In January 2007, for example, we met with the Norwegian Data Protection Authority, who are
among the stakeholders who have raised concerns about logs and data retention. We hope these
changes will address some of their concerns.
Will governments be able to subpoena server log data after it is anonymized? Will anonymized data still be able to identify an individual user by cookie or IP address?
Google does comply with valid legal process, such as search warrants, court orders, or
subpoenas seeking personal information. Logs anonymization does not guarantee that the
government will not be able to identify a specific computer or user, but it does add another layer
of privacy protection to our users’ data.
Will this policy change make it more difficult for law enforcement to prevent and detect crime or child exploitation?
No, current laws allow the government to request that companies preserve user data. We
regularly comply with such laws.
What happens to the logs at the end of the expiration date? Are they deleted?
At the end of the expiration date we will still keep server logs but they will be anonymized.
How is anonymization different from encryption?
When we anonymize data, we intentionally erase part of it. This creates privacy safeguards
because no one can read that data — it’s gone. By contrast, encryption encodes information so
that it becomes a secret. Someone who knows the code can get the data back.
Will logs anonymization apply retroactively?
Can users opt out of anonymization?
We are working on a solution to make this possible.
Will users have the option to delete or edit their logs before the expiration date?
No, not in the server logs. There are several other Google services that give users control over
how much data we keep and for how long, including Gmail.
How many subpoenas for server log data does Google receive each year?
As a matter of policy, we don’t provide specifics on law enforcement requests to Google.
How long do other Internet companies retain data?
We cannot comment on other companies’ data retention practices.
Will there be different log retention policies based on a user’s country of origin?
No. We believe in applying this as a consistent policy for the benefit of our users worldwide.
When will this new policy go live?
This is a difficult initiative to implement. We hope to be able to do this by the end of 2007, but it
could take longer.
Do you disclose to users that you collect and store this user data already?
completed the changes described here.