Tuesday, September 17, 2024

Google Reduces Data Retention Policy To 18 Months

Google’s Global Privacy Counsel Peter Fleischer appears to be a master of textual undercurrents (what the reader understands as “between the lines”), responding to Privacy International’s recent condemnation of the company’s privacy policies without mentioning the group itself.

Another palpable and present name never mentioned in Fleischer’s accompanying missive to Europe’s Article 29 Working Party on privacy and data retention policies is China, but we’ll get to that later.

Privacy International placed Google at the bottom of the list among its major competitors, saying Google was “hostile” toward privacy. Danny Sullivan and Google’s Matt Cutts were both quick to come to Google’s defense. Sullivan called PI’s study “haphazard.”

On Monday, Fleischer didn’t mention PI at all, but wrote at the Google Blog about the working relationship the company has with Article 29, beginning with a reiteration of Google’s privacy track record.

(It’s easy to imagine Fleischer with his tongue stuck out as he writes about resisting government subpoenas and about user controls and choices, and as he notes the Working Party’s praise of the company for its “readiness to consult” – contrasted, of course, with the competition.)

Fleischer announced Google’s new policy of anonymizing server logs after 18 months, shortening the previous policy of 18-24 months. Various government pressures, he notes, may require the company to return to the 24-month version.

It’s interesting that he chose to publish the company’s response to the Working Party rather than PI, especially given the timing. His post was in response to the Working Party’s letter, which asked the company to justify its data retention policies because the group felt the 24-month standard was too long.

Fleischer enumerates the justification this way:

·    to improve our search algorithms for the benefit of users
·    to defend our systems from malicious access and exploitation attempts
·    to maintain the integrity of our systems by fighting click fraud and web spam
·    to protect our users from threats like spam and phishing
·    to respond to valid legal orders from law enforcement as they investigate and prosecute serious crimes like child exploitation; and
·    to comply with data retention legal obligations.

That last one, regarding legal obligations, brings to light the struggles Google faces on an international level. In Fleischer’s six-page letter, he notes the Enron-inspired Sarbanes-Oxley law, and both German and US pressure to retain data for 24 months, indicating Google’s desire but potential inability to comply with its own newly-instituted retention policy.

From the letter:

Thus, the discussion regarding the right retention period is in fact a global discussion. Google is a U.S. company and we respect U.S. laws — but we are also a global company, doing business across Europe and across the world, and we recognize the need to respect the laws of the countries in which we do business. We are therefore committed to data protection principles that meet the expectations of our users in Europe and across the globe….

There is no single right answer to the question of how long server logs should be retained.

Note again who is not mentioned. Yahoo has had its run-ins with China already. It’s entirely possible Google will be called on to turn over data to the Communist government to track down dissenters.

Regardless of international nuances and pressures, the anonymizing promise is a nice addition to Fleischer’s thumb-biting toward PI. The company says the anonymization of logs will not be reversible, meaning that no one, not even Google, he says, will be able to read identifying information once log data has been anonymized.
