Google Will Anonymize IP Logs Faster

An anonymous reader writes "The BBC reports on some changes to the data retention policy at Google in response to pressure from European authorities, but also included in the article is information about why Google claims they need to retain non-anonymised data for so long. Improving services, sure, but preventing fraud? Aiding 'valid legal orders'?" Reader s0ckratees points to some commentary on the change at Google's official blog. The upshot: IP addresses in Google's logs will be anonymized after nine months, rather than 18 as previously.

Scrape it

[smittyoneeach]

Scrape the log
To sparkling shine
So the chin
Hairless, divine
Burma Shave

So if you live in china

[HungryHobo]

And the government wants to know who's been searching for things they don't approve of they have to ask google for the logs every 9 months rather than every 18 months.

Re:So if you live in china

You may not like that Google keeps data, but they have an almost perfect record for keeping it private from others. Or did you not see the fuss they raised over YouTube data, and how even after being ordered to turn over their data, they still fought to reach a compromise that protected user privacy?

As for China, there's a reason Google keeps literally zero servers on Chinese soil. Even data for Chinese nationals is kept out of China, specifically so Google won't have to turn it over.

Short of not keeping data at all, there is pretty much nothing more they can do to protect privacy. But that's never enough for SlashDot...

Re:So if you live in china

[yuna49]

China is the least of my concerns. How about the Justice Department or the Department of Homeland Security?

The Europeans might be pressuring Google to reduce its retention periods, but I suspect that Google heard the opposite point-of-view from the government here in the USA.

Frankly I think that none of Google's logs should carry identifying information. If they need to track IPs for some reason, put them in a separate database table that's unconnected to the contents of the search strings. Keeping this information much beyond a week or two seems unreasonable to me.

Re:So if you live in china

[zoogies]

Whew! Good thing I'm in America.

Re:So if you live in china

[rtb61]

Do you realise how pointless it is anonymising IP adresses after 18 months or even 9 months, via simple data base associations they can link access to a particular individual and no longer need the IP adress for longer term analysis. Based upon those records and intervening IP adress records any new access can be tied to existing database and the individual user.

In fact google clearly state they are only anonymising the users IP address and do not talk about any other long term user records. Even their privacy statement to the EU whilst it does state it is not 'necessary' for a user to divulge their identity when doing searches does not clearly state that those searches are tied to the use based upon past records via data mining their massive data bases. For google to indentify the user once the they have cookies in place and the data gathering scripts running all over the web, the IP address whilst convenient is hardly necessary. Of course their reasons for using private data are so broad they could mean virtually anything.

Providing our services to users, including the display of customized content and advertising

Auditing, research and analysis in order to maintain, protect and improve our services;

Ensuring the technical functioning of our network; and

Developing new services.

If google want to be truly genuine about respecting a persons desire for privacy why don't they contact every person they have records on to ask them whether they would like those records cleared and no further data to be stored against them, at least once a year or even perhaps based upon their own public statement every nine months or, was is it all just a bit of love and trust google viral marketing.

Re:So if you live in china

[Wowsers]

The Europeans might be pressuring Google to reduce its retention periods, but I suspect that Google heard the opposite point-of-view from the government here in the USA.

Interesting the Europeans want Google to not keep logs on people, the complete opposite of the European Union who have no problem on keeping logs of people for ever longer time to see if they are a threat (to them getting voted out). The oppression loving UK government is interested in unlimited retention time of data.

http://news.bbc.co.uk/2/hi/europe/4527840.stm

The European Parliament has approved rules forcing telephone companies to retain call and internet records for use in anti-terror investigations. Records will be kept for up to two years under the new measures.

Improving services, sure, but preventing fraud?

[Richard_at_work]

Improving services, sure, but preventing fraud?

Sure - AdWord fraud. Scrubbing logs quicker means less leeway for click fraud to be discovered.

9 months are too long

[AtomicJake]

Actually, the IP should not be stored at all. Google might want to analyze the IPs to analyze and prevent attacks on its servers and additionally to get location information for its ad services. But there is no need to store it for a longer period -- unless you want to start massive data mining projects, which is exactly what is feared most from a privacy point of view.

So, any good news would be that the IP is not stored at all (except very temporarily).

Re:9 Months

[lysergic.acid]

considering the amount of data Google processes on a regular basis, a 9 Month backlog isn't that unreasonable.

i'm more concerned about Google not handing my data over to 3rd parties or governments than their retaining records of my searches. as long as they're willing to stand up for the rights of users, they can hold my search data for as long as they need to improve search results, reduce spam, and develop personalized search features.

Google anonymizing in China/India

[ilovesymbian]

What difference does it make to reduce this 18 months to 9 months log retention period?

Will Google anonymize logs in other countries too?

How about Google China? It respectfully hands over logs to the authorities on demand anytime. Same with Google India.

Re:Just out of interest

[sakdoctor]

Salting goes without saying -1 uninsightful

I'm talking about the fact that it's 2008, and that search space could be exhaustively searched in a matter of hours on a desktop machine.

As the poster below me points out, "throw away the salt" is an answer, but it means the logs can only be compared to other logs in the time frame that you were using that salt.

Maybe IPv6 will make anonymized logs more feasible because of the 2^128 search space.

I've just done it.

[caluml]

It's OK - I just did it.

peon@google ~ $ /bin/su -
Password:
google ~ # psql searchlogs scooby -W
Password:
Welcome to psql 8.0.15, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms
\h for help with SQL commands
\? for help with psql commands
\g or terminate with semicolon to execute query
\q to quit

searchlogs=> DELETE FROM searchlogs WHERE ts < NOW() - INTERVAL '9 months';
DELETE 551719812875516
searchlogs=> \q
google ~ # logout
peon@google ~ $ logout

Re:Just out of interest

[geminidomino]

I'm hypertensive, you insensitive clod.

Re:Just out of interest

[HungryHobo]

So I generate a table with 2^32 IP addresses and their MD5 with themselves as the salt, it doesn't enlarge the search space in this situation and I can then easily do a binary search to find what the origional IP was.

Re:Clusty

[jsalbre]

Their privacy policy specifically says that they DO keep logs of your IP and search queries.

do the anonymizing yourself

[cats-paw]

Tor isn't great for high bandwidth connections, but I think it's just perfect to make sure all of those do-gooder large corporations don't get a choice about anonymizing IP addresses.

http://www.torproject.org/

Re:9 Months

[Bender0x7D1]

considering the amount of data Google processes on a regular basis, a 9 Month backlog isn't that unreasonable.

Sure it is. Why? Because they are collecting data continuously and if it takes a long time to process what they've collected, more data is backlogged, and it keeps spiraling out of control. In fact, if it takes more than 24 hours to process 1 day of data, the backlog will increase without limit. The proper thing to do is to apply proper anonymization to the information immediately so you don't have to worry about it. There are plenty of methods that allow you to anonymize important information while retaining enough data for analysis. Here's one paper [Warning: PDF] on the subject.

Re:9 Months

[lysergic.acid]

first off, Google's processing capacity isn't static, it's constantly growing. just because it takes more than 24 hrs to process a certain set of data doesn't mean that the backlog will increase without limit. that isn't a logically sound argument.

if you take that argument and reduce the time frame from 1 day to 1 hour->1 minute->1 millisecond... so on and so forth, you reach the conclusion that if Google is unable to instantaneously process/analyze every piece of data the exact moment it is received or created, then their backlog will increase without limit.

sometimes data needs to accumulated before it can be processed. for instance, to observe search trends, or to compare e-mails for spam analysis, etc. sometimes logs need to be kept for extended periods of time--that's why they're called logs--or data is retained for repeat analysis.

i don't know what exactly Google retains user data for or what kind of analysis they do, but it's understandable if some data needs to be retained in its original state for certain types of research or analysis. if they were going to release network measurement data to 3rd parties, as that paper you linked to discusses, then, yes, i would expect Google to follow their own anonymization guidelines. but like they've stated in their press release, it's all about finding a balance between protecting user privacy and improving the quality of their services.

perhaps the best thing to do is to give users the option to have their search requests retained for improving personalized search results, and let them enable/disable this feature as it suits them. all other data will simply be processed for a set period of time and then expunged.

if they're not releasing server logs to anyone, anonymization isn't really necessary. though i'm sure they allow users to access their services through anonymous proxies.