Google Personal Search Tracking
Information Week reports that the beta version of Google’s personal search tool is raising significant privacy concerns among privacy advocates. No one is a bigger fan of Google as a whole than I am, and I have defended Google’s privacy practices in the past. But not this time. The lack of privacy protection in their Google Personal Search Tracker is inexcusable.
In the past I have found myself defending Google against privacy criticisms of Gmail, its web-based e-mail service. The reason for this is that they have reasonable precautions in place to prevent Google employees from seeing anyone’s mail. Mail stored on Gmail is effectively de-identified for employee purposes. The fact that a software engine is crunching through my e-mail to generate ads for me to see while browsing my e-mail online doesn’t bother me as long as there are precautions against human eyeballs seeing my mail.
My concerns over Google’s web mail service have to do with the fact that they state that they will hand over my e-mail to law enforcement agencies “on request”. That’s a telling statement. It says to me that they will NOT require a law enforcement agency to go through due process, such as getting a warrant, etc. That’s the truly scary thing about Google’s privacy policy for Gmail. But on this count, Google’s policy is unfortunately no better or worse than any of the other major e-mail services.
Nonetheless, I am an avid Gmail fan and use it as my primary e-mail service. I have to say, however, that I will NOT be using their personal search tracker service until their architecture is fundamentally changed.
According to the Information Week article, the search history service is available once you have logged in to Google using your Google account ID. Once enabled, the search tracker records what queries you have made and what search page results came up as part of that query and logs those along with your Google ID. It’s unclear from the article if it then keeps track of which pages you visit from the search results pages.
The value of this service is that you don’t have to try to recreate the same queries multiple times over time. If you ever get in a situation where you want to visit a page you looked up 6 months ago, Google’s service can help you quickly find it.
But once your ID is associated with a search result, the association is kept forever. You can remove it from your view, but the information is still kept in Google’s logs.
These logs can then be handed over to law enforcement agencies, again, “on request.”
The sad thing is that Google _could_ have designed the service so that the user has the ability to de-identify their search history to protect their privacy. But for whatever reason, they chose not to. It’s amazing that the engineers at Google did not foresee privacy issues as part of their requirements gathering process. And the even sadder thing is that Google _could_ commit to change their service to allow users to de-identify their search history, but so far they have chosen not to do so.
