EU revisits search engines' privacy measures

An influential group within the European Union has concluded that search engine companies are not doing enough to protect their users' privacy. The Article 29 Working Party, a group of national officials who advise the EU on privacy issues, found that search companies "have so far insufficiently explained the nature and purpose of their [data collection] operations to the users of their services". This is despite voluntary measures taken by Google, Yahoo! and Microsoft, who are all anxious to avoid more regulation.

The search engine companies have argued that they need to hold and use information about customers' behaviour to refine searches and tackle fraud. However, Google, for instance, said it had reduced the time it holds onto cookies to two years, whereas before it had held onto the information about which sites users visited indefinitely.

The group is of the opinion that six months should be the limit for holding onto information about users.

The group has also put forward recommendations concerning how the EU's data protection laws could be applied to search engine companies. If it is adopted, search engine companies will have to change how they amass and analyse Internet "cookies", IP addresses and other data that can be used to create a profile of users' online habits.

Given that the data collection and analysis needed to serve targeted advertising is still in its very early days, such operational upheaval could set user profiling back by many months. Indeed, it is looking as though regulation is going to shape the market, driven by various privacy groups, individuals and nervous politicians.

On 4 April, technical analysis of the Phorm online advertising system has reinforced an expert's view that it is 'illegal'. The analysis was done by Dr Richard Clayton, a computer security researcher at the University of Cambridge, England.

Previous trials of the technology by the telecoms firm were branded 'illegal' by Nicholas Bohm of the Foundation for Information Policy Research (Fipr), which campaigns on digital rights issues.

As the company did not inform customers that they were part of the trial, he said the tests were 'an illegal intercept of users' data'.

What Dr Clayton learned while quizzing Phorm about its system only convinced him that it breaks laws designed to limit unwarranted interception of data.

The UK's Information Commissioner's Office (ICO) confirmed that BT is planning a large-scale trial of the technology 'involving around 10,000 broadband users later this month.' Given the high level of dissatisfaction with BT's fixed line and broadband services (see story below), Phorm could make a bad situation much worse. Last autumn's Facebook/Beacon debacle is also still fresh in many users' minds and did much to undermine confidence in the social networking site.

Consequently, anyone planning to deploy Phorm-like functionality would do well to watch this space very carefully indeed. Some hard lessons are being learned.