Tech and Law

UK transparency & privacy review

2011-09-14T15:27:00.001+01:00

The independent review of the impact of UK government transparency on privacy, commissioned by the Cabinet Office and led by Dr Kieron O'Hara, is now out:

Comments are invited, to privacyreview@cabinet-office.gsi.gov.uk. No deadline date seems to have been given. (The public consultation on open data, launched in August, is still open - deadline 27 Oct 2011.)

Conclusions

Privacy is extremely important to transparency. The political legitimacy of a transparency programme will depend crucially on its ability to retain public confidence. Privacy protection should therefore be embedded in any transparency programme, rather than bolted on as an afterthought.
Privacy and transparency are compatible, as long as the former is carefully protected and considered at every stage.
Under the current transparency regime, in which public data is specifically understood not to include personal data, most data releases will not raise privacy concerns. However, some will, especially as we move toward a more demand-driven scheme.
Discussion about deanonymisation has been driven largely by legal considerations, with a consequent neglect of the input of the technical community.
There are no complete legal or technical fixes to the deanonymisation problem. We should continue to anonymise sensitive data, being initially cautious about releasing such data under the Open Government Licence while we continue to take steps to manage and research the risks of deanonymisation. Further investigation to determine the level of risk would be very welcome.
There should be a focus on procedures to output an auditable debate trail. Transparency about transparency – metatransparency – is essential for preserving trust and confidence.

Recommendations

"…which are intended to implement these conclusions without making too strong a claim on resources":
1. Represent privacy interests on the Transparency Board.
2. Use disclosure, query and access controls selectively.
3. Include the technical paradigm.
4. Move toward a demand-driven regime.
5. Create a data asset register.
6. Create sector transparency panels.
7. A procedure for pre-release screening of data to ensure respect for privacy.
8. Extend the research base and maintain an accurate threat model.
9. Create a guidance product to disseminate best practice and current research in transparency.
10. Keep the efficacy of control in the new paradigm under review.
11. Maintain existing procedures for identifying harms and remedies.
12. Use data.gov.uk to raise awareness of data protection responsibilities.
13. Investigate the Vulnerability of Anonymised Databases.
14. Be transparent about the use of anonymisation techniques.

Google's ICO privacy audit out

2011-08-16T15:49:00.001+01:00

The UK Information Commissioner's Office has published the results of its consensual data protection audit of Google Inc's privacy processes, initiated as a result of the Google Streetview collection of wifi payload data.

The audit was based on a desk-based review of relevant documentation, an on-site visit at Google Inc in London on 19 and 20 July 2011 including interviews with staff, and an inspection of selected records.

Verdict - there's been progress in Google's privacy procedures, but more improvements are needed.

For more info -

ICO press release 16 Aug 2011 (in HTML not PDF, thumbs up!) - this lists the improvements so far, and future areas needing work
audit report executive summary (PDF) (full audit not available)
Google's blog regarding this audit
Google's undertaking to the ICO November 2010, and ICO press release about the undertaking

For anyone interested, there's a full Guide to ICO data protection audits.

Libel reform - free seminar 13 April

2011-04-07T09:55:00.000+01:00

First in a debate-style Media Law Seminar Series from Centre for Commercial Law Studies, Queen Mary, University of London and City Law School, City University. This series "will focus on the cutting edge legal issues affecting all forms of popular media."

"This house believes that the English libel laws are unfit for purpose in the Twenty-First Century."

Date: 13 April 2011 - 6-8pm

Venue: Queen Mary, University of London 67-69 Lincoln's Inn Fields London WC2A 3JB

Free, but you have to register - e-mail your full name, your company name and position to k.zaim@qmul.ac.uk. Deadline 12 April.

2 CPD points.

Via http://www.law.qmul.ac.uk/events/.

"Outsouring" to "loud computing"

2011-04-01T10:00:00.002+01:00

It may be 1 April but these typos I found are real; perhaps worth adding to the eggcorns database?

Those wary of staff discontent about "outsouring" -

- will still have heard much about "loud computing"-

- which probably beats "clod computing"!

Census sabotage?

2011-03-30T10:45:00.000+01:00

Privacy or confidentiality concerns about the UK 2011 census? The census director's careful choice of words quoted in ComputerWeekly certainly seems noteworthy - "The UK Statistics Authority and the Office for National Statistics will never volunteer personal information for any non-statistical purpose…". So, they won't offer it to just anyone off their own bat, but they'll give it if - made to? Told to? Just asked to?

Apart from data protection or privacy worries, others are uncomfortable about the contractor engaged to process the census, Lockheed Martin. So the ingenious recommendations by Peace News on How to Fill In Your Census Form without Lockheed Martin Profiting may well be taken up by some.

It's (possibly unintentionally) absolutely hilarious - with suggestions like -

don't fill the census form in online
"accidentally change a digit of your telephone number and ditto for an email address"
send written queries to the FREEPOST address, perhaps direct to the Director
make small changes to names so you know the source of any "data protection failure"
and oh they might have scanning issues if
"- The form was wrongly inserted in the envelope;

- A different envelope has been used;

- The outer bar code has been covered before the form was put in the envelope;

- Some or all of the outer bar code’s white spaces were filled in with black pen or otherwise obliterate.."
not to mention that scanner paper feeds can "go temperamental" if there -

"a) could be things like post-it notes, loose bits of paper and other detritus, stains, obviously unreadable barcodes, etc.

b) could be of the form of additional staples, tears, folds, creases, spots of stickiness such as a marmalade spillage or a fragment of bluetack, improvised repairs of torn sheets with sellotape, additional pieces of paper glued to the side, etc"
bar codes on the form - "can be rendered ineffective by neatly filling in some or all of the white gaps between the bars of with a black pen or entirely covering with stickers – do not use post-it notes for they are easily removed. Do not allow any complete horizontal strip (however narrow) of the complete barcode to remain. (Many people “blacked in” or obliterated bar codes to great effect on Poll Tax forms in 1989-1991 and greatly increased their processing costs). Make sure you don’t miss any other codes and serial numbers."
tick both boxes "Male" and "Female", or “Jewish” and “Sikh”…
"Refusing to answer such questions [considered intrusive or privacy-invasive] could, in principle, cost you £1000 and will make no difference whatsoever to Lockheed Martin. It will be more effective to tick a few random boxes and write some random stuff in the text sections, then cross it all out again, and write something like “I don’t understand this. Please explain” This will take up time to deal with in the processing centre. You cannot be fined for not understanding a question or for being confused by it and you have made the effort."
"It is easy to make a mistake or even to forget to answer a question – we are all human after all. No problem: just write to the processing centre (Addressed to “Census Processing Centre” in whatever place name you remember from the form) to tell them to put it right on your form. A considerable amount of clerical work could be involved… If you supply a missing answer, keep a copy of your letter so that you can prove that you made a real effort to comply with your legal obligation to answer all questions."

I won't go on. You can finish the article direct, it's an amusing read.

Ironically, I know at least one person who's done some of the things they've suggested - not through any intention to muck up the form, but just because their situation is unusual (though not that uncommon), and they didn't think the form was clear or helpful enough as to how they were meant to complete it, hence crossings out galore!

Via Peter Judge, eWeek.

UK data protection register to be opened up further?

2011-03-19T13:58:00.001Z

Just saw, the ICO are consulting on allowing their entire Data Protection Register to be downloaded "in a reusable format", in the spirit of open data and transparency. Respond by emailing consultations@ico.gsi.gov.uk - closing date 31 March 2011.

This register has info about those who've registered with the UK Information Commissioner's Office as "data controllers" of personal data. (Not the details contained in the personal data which they control, just limited info about the controllers themselves.) You can currently search the Data Protection Register online. For example here's the info on Google UK and Google Inc.

The consultation is about the impact which making the whole register downloadable as a single data set would have on individuals on the register, where the ICO say -

However, a number of entries on the register relate to individuals, such as sole traders, and there are therefore data protection considerations. For example, is it fair that data collected for a statutory purpose is made available in a form that could make it more widely available and usable?

We want your views on what the impact on individuals would be if the register was available to download as a dataset, in a re-usable format, in its entirety.

Personally I think the requirement for notification / registration is somewhat red-tapish, as the info in the register's not that informative and yet it's a hassle and cost for those who have to register, but the law is what the law is.

I didn't spot any consultation on the format that they plan to use. I wonder what format that will be?

Responses will be published but if you think your response is confidential, explain why and they'll consider that if they are asked to reveal it, but can't guarantee to keep it confidential. Though

….The ICO will process your personal data in accordance with the Data Protection Act 1998 and in the majority of circumstances this will mean that your personal information will not be disclosed to third parties.

Just as an aside - I'm never clear when I see references to closing dates of "X" - do they mean before X? On X? By close of business on X? I'm probably being A-type here, but personally I would like all consultations to say, "by 17.30 GMT on X".

Privacy vs security & crime - lecture

2011-03-11T10:22:00.001Z

Mr Hielke Hijmans, European Data Protection Supervisor's Office, will discuss "Data Protection in Europe’s Area of Security and Justice" this Monday 11 Mar 2011, 7pm, London as part of Queen Mary School of Law's Criminal Justice lecture series. Drinks from 6.30pm.

From the flyer:

9/11 has reconfigured the relationship between security and privacy. The post- 9/11 era is marked by the proliferation of mechanisms for the collection, analysis and exchange of personal data for security purposes at EU level. EU databases (such as the Europol Information System and the Schengen Information System) have been created and expanded. The exchange of personal data between national police authorities has been strengthened. The private sector has been increasingly called on to cooperate with the State in the field of data transfers. This lecture will explore the implications of these developments and assess the extent to which the European Union has developed an adequate legal framework on data protection to address security concerns.

Those interested in privacy and data protection law, particularly in the context of crime, law enforcement and national security, may want to attend.

Details and to book a place.

Youngest female racing driver in UK seeks sponsorship

2011-03-07T09:55:00.001Z

Zoe Wenham, only 16 and racing in the Volkswagen Racing Cup, is seeking sponsorship. I wanted to help spread the word, though this is clearly not my blog's usual subject matter! When not racing she's studying for A levels in IT, Maths, Physics and Business Studies. Via Women in Technology newsletter.

More info, email zoewenham@hotmail.co.uk, site http://www.zoewenham.com/, Twitter @zoewenham - and also she'd welcome general suggestions or thoughts on her sponsorship portfolio.

Coincidentally, a friend and I were just chatting t'other day about females in Formula One (my friend likes watching, I have to say I'm not a sporty person myself).

There's a dearth of women in racing (the position seems even worse than with women in law). We wondered if that was partly because those narrow, form-fitting racing cars are built to suit the male form - normally they're not designed for wide hips to squeeze in, or, if I may say so, chestage - so do they indirectly exclude females that way?

If it's possible to have privacy by design (or not), isn't it possible that there is some kind of gender exclusion through race car design…? Does anyone with any Formula One engineering experience know?

Privacy - Council of Europe consults on modernising Data Protection Convention 108 - deadline soon

2011-02-14T10:08:00.000Z

The Data Protection Convention 108 is being updated for the realities of modern technologies and globalisation. 10 March 2011 is the deadline for putting views to the Council of Europe's T-PD expert committee on their list of 30 consultation questions.

I won't repeat the list here; they dealt with ETS 108's objects, scope, definitions, protection principles, rights and obligations, sanctions and remedies, applicable law, position of data protection authorities / regulators, transborder data flows, and the role of the committee. As you'd expect, they include the topical issues of privacy by design, proportionality, data security breach notification, location privacy, accountability, and should there be defined rights to privacy, data protection and anonymity.

Anyone who wishes can email them with thoughts or comments at data.protection@coe.int, before 10 March 2011. Here's their full list of papers about the modernisation. Also of interest - European Data Protection Supervisor Peter Hustinx's recent speech on new European rules on data protection, regarding the modernisation of Convention 108.

For those unfamiliar with this 1985 treaty on privacy and data protection, Convention ETS 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data has been ratified by all the EU countries and some other, mainly European, countries, including Switzerland. It was very influential eg on the EU Data Protection Directive, which is itself also being reviewed.

Report on issues with Convention 108

The Council of Europe (not the same as the EU) had commissioned an expert report on the challenges raised by developments since the convention was first promulgated.

The 2-part report released in November 2010 was written in French. It makes interesting reading for anyone interested in privacy or data protection laws and how they can or should be adapted to keep pace with technological and societal changes.

I've attempted automatic English translations using Google Translator Toolkit as my French is non-existent, ja si oui yep. The translations aren't perfect but they're good enough to give a decent idea of the gist, at least to me. The only edit I made was to change "master file" to "controller of the file"; I had no time to fix the formatting oddities.

Below are links to the rough English translations I ran of the November 2010 Report on the lacunae of the Convention for the protection of individuals with regard to automatic processing of personal data (ETS No 108) resulting from technological developments, by Jean-Marc Dinant and (in the case of Pt 2) Dinant and Cécile de Terwangne, Jean-Marc Moiny, Yves Poullet, Jean-Marc Van Gyzeghem and the CRID.

I've also embedded the automated English translations below for a sneak preview. The French titles link to the French originals.

I've provided links to translations in both HTML and Google Docs format, because with the Google Docs version you can use the "File -> Download as" menu to download the document in Word DOC, RTF, PDF or ODT to read offline, if that's more convenient for you. Be warned that they're quite large files so may take a while to download.

Part 1

Rapport sur les lacunes de la Convention n° 108 pou r la protection des personnes à l’égard du traitement automatisé des données à caractère personnel face aux développements technologiques Partie I - T-PD-BUR (2010) 09 (I) FINAL

English translations of Report on the lacunae of the Convention for the protection of individuals with regard to automatic processing of personal data (ETS No 108) resulting from technological developments - T-PD-BUR (2010) 09 (I) FINAL, by Jean-Marc Dinant - in
HTML Webpage format, or
Google Docs format.

Part 2

English translations of Report on the lacunae of the Convention for the protection of individuals with regard to automatic processing of personal data (ETS No 108) resulting from technological developments - T-PD-BUR (2010) 09 (II) FINAL, by Jean-Marc Dinant, Cécile de Terwangne, Jean-Marc Moiny, Yves Poullet, Jean-Marc Van Gyzeghem and the CRID - in
HTML Webpage format, or
Google Docs format.

Note - the Council of Europe did not reply to my emailed request for permission to translate the French texts. If any owner of the copyright in those reports objects to these translations, please let me know and I will delete them.

IM & chat privacy - deletion of logs or accounts

2011-01-31T10:16:00.000Z

Deleting your IM account or chat logs seems tough or impossible with most popular IM services. So Matija Šuklje discovered in looking at popular instant messaging or chat clients / systems, where he reported as follows -

AIM - almost impossible to delete account - he didn't mention what happens to logs.
ICQ - can't delete account, and yes indeedy it seems all copyright / intellectual property in everything you post using ICQ are thereby belong to them!
- By the way the link he gave on his blog was to different terms. The extract he quoted was in fact from ICQ's acceptable use policy, and it sez what he sed. At least today it does:
MSN / WLM - logs kept forever, he says, but it's easy to delete the account.
YIM - account can be deleted, again that doesn't mean logs are deleted.

(Most people already know about Gtalk / Gmail chats being spied on by a Google employee. You can have off the record chats which, one hopes, can't be monitored.)

He says he's moving over to XMPP (Jabber) only, on Gabbler, away from proprietary IM protocols, perhaps understandably.

See also, for anyone interested in this area, Google's data retention periods for some of their services.

EU legislators and privacy regulators are, as previously presaged, now considering introducing a "right to be forgotten", or right of oblivion, into EU data protection law. If they do no doubt it is likely to give people the right to delete their accounts and to insist that their logs are deleted once they cancel or terminate their accounts. Not just IM or chat, but probably other types of online accounts too.

This area is pretty topical right now - there's even an entire book, Delete: The Virtue of Forgetting in the Digital Age (summary) by Oxford University Prof Viktor Mayer-Schönberger, which for anyone who's not come across it yet "looks at the surprising phenomenon of perfect remembering in the digital age, and reveals why we must reintroduce our capacity to forget".

Aka - "Your compromising or embarrassing pics on Facebook or videos on YouTube could scupper forever your chances of being hired, promoted, elected etc forever, so what should we do about it"? Introduce self-destructing text eg using Vanish, or expiration dates for digital photos?

A theory of privacy? Free talk, London

2011-01-26T10:00:00.000Z

Thurs 3 Feb A Quest for a Theory of Privacy 6-7pm, by Prof Michael Birnhack. Register for a free place, form's at the bottom of the page - again at the Institute for Advanced Legal Studies.

From the blurb:

…too many (in legal, policy-making, technological and popular circles) have given up searching for a privacy theory. This talk would make the case that a privacy theory is much needed… that can best explain what is going on [with new technologies - RFIDs, biometrics, location tools, airport body scans etc] and more importantly, can guide us as to what should—or should not—be done. The talk will discuss these issues, as well as some of the existing theories and their shortcomings. I shall argue that the best understanding of privacy is a reinvigorated theory of privacy as human control over oneself.

Open source software & third party IP

2011-01-24T09:45:00.000Z

Free talk on Management of Open Source Software and Third Party Intellectual Property by Sean Egan, CTO, CM-Logic at the British Computer Society's offices, Tues 25 Jan 2011, London 1800-2100.

You have to register but it seems to be open to all.

From the blurb it's mainly about managing the risks of incorporating open source code into proprietary software or reusing other code in proprietary software, which "can compromise intellectual property rights, create unknown royalty obligations, and introduce hidden security risks", as well as licensing risks of course. CM-Logic's involvement in this area is that they provide solutions to "help organisations detect, track and manage the use of mixed-origin code".

Privacy - what's 'in' or 'out'?

2011-01-23T09:40:00.000Z

The Future of Privacy Forum's first annual list of privacy ins and outs, for 2011.

Very US-centric, not surprisingly, but interesting. Has anyone got suggestions for EU privacy ins and outs?

Privacy: data protection myths & misses

2011-01-17T10:30:00.000Z

Misconceptions about EU laws on data protection, in ORGzine, published recently. I based it on work for my presentation at BarCampLondon8.

The final version edited out some things, including my side note, which I hereby reinstate, that the title is a tribute to that well known kid's blooper, "A myth is a female moth"!

And please note my caveat that the article was meant to be mainly about the UK, rather than other EU Member States.

Find ECJ (European Court Justice) cases quickly from the case reference

2011-01-13T12:01:00.002Z

Form to find ECJ (European Court of Justice) cases from the case number and year on the Eur-Lex site, which has judgments in much more user-friendly format than the more commonly-used Curia site.

Had to host it on a blogspot.com domain to get it to work, so it's on a different blog. No time to sort out the CSS, yet so apologies for the poor alignment.

Have also added to that blog, in much more usable format, my previously-blogged but now improved form to find PDFs on the sites of the UK Information Commissioner's Office (ICO) and Article 29 Working Party, from their old links.

If you'd saved or bookmarked links before their recent site changes, that form may save you some time trying to find the new links that replaced the broken ones.

Please feel free pass on the form links to lawyers / law librarians / anyone else you think may find them helpful.

Privacy and intellectual property: how far should the law reach to protect copyright

2011-01-11T14:39:00.001Z

Talk at the Institute of Advanced Legal Studies, London next Monday 17 January 2011, 18:00 - 19:00 - http://www.sas.ac.uk/events/view/8049 - by James Michael, Associate Senior Research Fellow, IALS; Editor, 'Privacy Laws & Business International'. Looks interesting and certainly very topical.

Free, but you have to register.

According to the site, the speech is going to be on "what copyright holders can do in tracing those suspected of breaching copyright by file-sharing music and other products", including

the UK Digital Economy Act 2010, which thanks to BT and TalkTalk is going under the judicial review microscope
whether ISPs can be required, and by whom, to identify subscribers suspected of breaching copyright by file-sharing, and the European Court of Justice's Promusicae ruling
the French HADOPI or 'three strikes' law providing for Internet service to be suspended for those considered to be guilty of breaching copyright after three warning, and
in Ireland, a judge approving compulsory identification of subscribers suspected of copyright breaches and then changing his mind and disapproving a similar application in a later case (here's the later case).

Those interested might also be interested these blogs about studies on online copyright enforcement vs data protection/privacy in UK, Netherlands and Poland and in Austria, Belgium, France, Germany, Spain and Sweden.

Health records

2010-12-06T12:24:00.000Z

For those interested in health / healthcare privacy, Access to patient records is a note the House of Commons Library have just put out (short briefing for MPs) - dated 7 Jan 2009 but only recently added to their public website.

This 9 page paper outlines (under the Data Protection Act, Freedom of Information Act etc) rights of patients to access their own health records plus access on behalf of the patient or by other third parties, retention periods etc.

Mainly on England but much should apply to other parts of the UK too.

How to find old ICO or Article 29 Working Party documents despite broken links - use this form

2010-12-05T17:13:00.006Z

If you're having problems accessing documents on UK privacy regulator the Information Commissioner's website or EU privacy regulators the Article 29 Working Party's site because of broken hyperlinks, try using this form (you have to then click Open to get to it). Please feel free to bookmark or pass the link on to anyone else you think it may help.

Background

Links to documents on both these sites recently broke on site revamps - even the internal search function eg this search hasn't been updated as of today; try that search, clicking on the first result, and you'll get no further than the home page of the sub-site.

But never fear. I've produced a little script, as y'do on a sunny Sunday afternoon, so that you can paste your old link in a box on a form, hit Submit and be automatically taken direct to the document on the new site (rather than just get the home page, or an error message).

To use my form, pictured at the very top of this blog, you need to go to this page, then click Open (as highlighted above), or just Download it (and save it on your own computer for future ref if you prefer). Javascript has to be enabled on your browser for the redirection to work. And needless to say my script only works for broken links to those 2 sites, and if they decide to "update" their sites again, I'm afraid all bets are off.

Sorry the process is so long winded - I'd have included the form directly in the body of this blog for your convenience, but unfortunately Blogger is a bit weird with Javascript in the body of the blog or even in the head section of the template; I've figured out that it puts in line breaks so you have to run all the code on together in one line, but I've still not worked out how to escape stuff correctly whether it's quotes or the regex (I assume that's what's been going wrong, as a simple test shows a form submission can indeed trigger a Javascript function in the body of a Blogger blog.) I tried a direct link to that page on Google Docs but that doesn't seem to work either.

If anyone knows the solution (for Blogger javascript or for getting a direct link to an HTML file uploaded to Docs), I'd really appreciate hearing from you! I'm grateful they're hosting all this for free, but I do wish Google wouldn't make it so hard for people to include Javascript on the webpages they host.

The future of Google

2010-12-05T10:39:00.000Z

Interesting article in The Economist on 2 Dec 2010 looking at Google's position in the face of regulators investigating it and employees leaving for Facebook etc.

Facebook being used by debt collectors

2010-12-03T19:22:00.003Z

Privacy horrors, indeed - this news report by The Atlantic's Alexis Madrigal is a few weeks old but I've only just seen it. Debt collectors contacting the debtor's friends on Facebook!

The article points out that Facebook, Twitter and LinkedIn etc are great for helping debt collectors to track down people.

Facebook told The Atlantic that they think this sort of thing may breach their policies not to mention various laws, and ought to be reported to them. Quite.

Browser makers & ad networks are asked what they're doing to meet EU privacy rules

2010-12-02T10:00:00.004Z

EU privacy regulators have asked browser providers and ad networks to explain the technical steps they're taking on browser cookies, data collection and consent in order to implement the regulators' recommendations on online behavioural advertising (press release summary) - especially in light of the amended ePrivacy Directive's requirements on storing / accessing information on users' equipment, which will become law from 26 May 2011.

There's been much debate and concern about exactly what will be required by the new law (eg just recently in the Wall Street Journal, ComputerWeekly). Must users positively accept each and every cookie, etc? The new law, the regulators' views on what's acceptable with cookies and the scope for confusion have been criticised by lawyers (including Google's chief global privacy counsel) as well as by the internet advertising industry.

The EU privacy regulators' letters of 28 Oct 2010 to browser makers and ad networks, which didn't name specific addressees, were published on the Article 29 Working Party's webpage listing adopted documents. (Spotted them a week ago on the Article 29 site but haven't had a chance to blog 'em till now. The 28 Oct date is not shown in the letter, but is on that website page.)

From their letters, it seems clear that European data protection regulators want to put pressure on browser providers to build in "privacy by design", and that they also take a pretty strict view of what needs to be done by browser makers and advertisers. They've asked for a reply in 6 weeks from the letter date, which makes it Thursday 6 December, ie next week. But I suspect that either they won't publish the replies, or we won't see them until the New Year at the earliest.

According to their letters the EU data protection authorities, said to be "united" in the Article 29 Working Party, take this view (most of which echoes their OBA opinion):

Browsers should be set as standard to reject all third party cookies by default. "To complement this and to make it more effective, the browsers could require users to go through a “privacy wizard” when they first install or update the browser, in order to provide an easy way of exercising choice during use."
Browsers should -
1. convey, on behalf of the ad network provider, in a clear and comprehensive manner fully visible to the user, "the relevant information about the name of the data controller, the purposes of the cookies, the data that are collected and the further processing that personal data might be subject to", and
2. "require the data subject to engage in an affirmative action to accept or reject both the setting of and the continued transmission of information through the cookie. Such consent must be informed and prior to the processing" - ie before a cookie can be set, the user must be given the required info and the opportunity to affirmatively consent
3. (Note - this ties in with the draft Juvin report on the impact of advertising on consumer behaviour (2010/2052(INI), which the European Parliament's Internal Market Committee approved in early November and is up for a plenary vote this month, that says: "ensure the application of techniques making it possible to distinguish advertising tracking cookies, for which free and explicit prior consent is required, from other cookies")
Cookie expiry - "ad network providers should only place cookies with a limited lifespan in the user’s terminal equipment and they should not prolong the expiry date, so that the scope of the user’s consent is limited in terms of time."
1. Note - but how limited must "limited" be? If a cookie is set to expire after 99 years, that's still "limited", innit? It's interesting that an Interactive Advertising Bureau (aka Internet Advertising Bureau) code of practice recommending expiry after 48 hours was reported to have been swiftly withdrawn… (although the August 2010 draft code of conduct does still seem to be online, with no further consultation draft I can find).
Continuous access to info? - "to ensure the maximum level of awareness among users of the tracking over time so that they can decide whether to continue or revoke their consent," users should be provided with "sufficient and clear information" so that they have "an easily available possibility of revoking their informed consent to being tracked".
Advertisers should "provide sufficient and conspicuous visual notice, possibly by creating a symbol or other tools and related messages which should be visible and understandable on all websites where the tracking takes place and which sufficiently alert users to the tracking for advertising purposes."
"It would be preferable" if advertisers didn't collect sensitive personal data at all (on sexual preferences, political opinions etc)
"Ad network providers should implement retention policies which ensure that information collected each time a cookie is read, i.e. profile information, is automatically deleted after a justified period of time (they should provide reasons why they consider such period of time necessary in the light of the purposes of the processing)" - and the info should also be deleted if the individual revokes their consent or asks for their profile to be deleted.
"Ad network providers shall enable individuals to exercise their rights of access, rectification and erasure."

Note that they've said "The term 'cookie’ includes HTTP and flash cookies [LSOs] as well as any other method of storing or gaining access to information already stored on the terminal equipment of a user or subscriber, see Article 5(3)" - which is correctly technology neutral, and in my view should certainly catch things like DOM storage, and HTML 5 web storage (already used - or abused? - in mobile phones) and application caching too. But it doesn't catch anything where the storage is done at the server end.

Talking about consent and revocation, I wonder if the Working Party had any discussions with the EnCoRe people?

Anyway, here are the original links of the letters to browser makers and to ad networks - NB they're TIFF image files, not PDFs, so I've OCR'd them and embedded them below for ease of ref, and I can't guarantee their accuracy 100% so please refer to the originals for the definitive version. The direct links to the OCR'd versions are - browser makers, ad networks (yes I used a URL shortener there, goo.gl does track the number of clicks so just use the embed if you'd rather not click; yes URLs can be used as tracking mechanisms):

Browser makers

Advertising networks

Observations

I haven't had time to think through the issues fully yet, but even though I'm in favour of increased transparency, and empowering individuals to better control access to and use of their private information, I'm not sure that requiring third party cookies to be automatically rejected by default is the way to go - or, indeed, requiring consumers to consent individually to every single cookie (or even the first cookie per advertiser).

Many sites just won't work without cookies, and I am not sure how many non-EU sites are going to be willing to change their ways just because European privacy authorities would like them to. (Though the Wall Street Journal reports that some publishers are reining in their advertisers' cookie tricks, partly because if anyone's gonna profit from their visitors it oughta be them, not their advertisers! Ah, the power of lucre.)

Going back to accepting individual cookies, the analogies with security warnings and security education are I think appropriate here. Not to mention alerts on chemical plant emergencies!

Some people like security expert Bruce Schneier consider that the proliferation of security warnings in Windows Vista, the vast majority of which were in many users' views unnecessary, resulted in poorer rather than better security - because users became accustomed to automatically just clicking "Allow" to make the many warning dialogs go away, rather than evaluating the security risks of each individual situation:

"Users stop reading them. They think of them as annoyances, as an extra click required to get a feature to work. Clicking through gets embedded into muscle memory, and when it actually matters the user won't even realize it."

This is actually rational behaviour on the part of users.

Similarly, if users keep getting asked about lots of third party cookies, they may get used to automatically clicking "Accept" without thinking about it, so that they can get on with browsing the site they want to visit.

How to improve the browser?

It seems to me that better technical steps to require would be as follows - effectively incorporating into browsers the features of products like Cookie Culler, leaving aside for now competition law issues, and I admit reflecting my own preferences and the way I use browsers and handle cookies -

More fine-grained, user-friendly cookie control - including their easy deletion by users (and here I mean "cookie" in the same broad sense as the regulators - Flash cookies etc should be easy to delete from the browser too. Maybe the Working Party should have written to Adobe too??)
Built-in ability to delete all cookies automatically when the browser is closed, except those for sites which the user specifically wants to keep (ie delete all except those on a gradually built up whitelist).
The first time site wants to save a cookie, the browser should provide a clear option (or, in this case only, a second popup so it doesn't get missed) saying "Site X wants to save a cookie" etc etc, and where you can choose "Always allow this site to save and read cookies", "Never allow this site to save or read cookies", "Let this site save a cookie but delete it when I close the browser", and hey, why not "Let this site save a cookie now but delete it after half an hour" (whether I remember to close the browser or not)?
- I'm thinking along the lines of how the excellent free (donation based) Firefox extension NoScript works. Yes you get asked a lot the first time you use it, so there may be the annoyance and automatic clicking factor, but over time it reduces in number.
Cookie manager settings should be easy to find, so you can un-whitelist a site if you change my mind, whitelist or blacklist a new site from that page. Let's have a single comprehensive management screen for ALL types of cookies. Users don't care what type they are.
Don't forget though that advertisers and other sites can now track visits without their necessarily storing anything on the user's equipment, eg through IP address, through your browser's fingerprint aka Client-less Device Identification (CDI) (and see further this blog, UPDATE - and this WSJ article), so browser providers should also be ensuring that their browsers don't send anything more than the minimum necessary info to websites, and again perhaps provide fine-grained user control over what info is sent.
What about Javascript tracking scripts and third party scripts and web bugs? They don't necessarily store anything on the user's equipment (though maybe if they temporarily downloaded an image or other file that might do it…). Is there a way to get browsers to handle those natively, eg building in something like NoScript?
And stopping Evercookies?

What about a "Do Not Track" system, rather like "Don't call" lists? It's an interesting idea, see Arvind Narayanan's outline of some technical ways in which it could be done, though Robin Wilton's pointed out the absurdity of having to save a cookie on your computer to tell sites you don't want them to save a cookie to your computer. UPDATE - the US FTC are proposing such a system, says the New York Times. I've not read their report yet. See EFF summary and Do Not Track Stanford project. FURTHER UPDATE - see Jonathan Zittrain's views on this.

(Not that my Telephone Preference Service registration helps me. I still get all sorts of calls and hangups when I let my answering machine take it. All marketers should by law be banned from withholding their phone numbers when cold calling, in my view. The sods deliberately withhold their number, I'm convinced, so that callees can't find out who they are to report them. Bah.)

Is there another way?

It's obviously important to provide fine grained browser options for the user, and fine grained user control that is nevertheless user-friendly.

But what's more important is to have finer grained choices as to exactly what private information the user is prepared to "trade", in return for what services.

However much information we are given about a site's intentions regarding our personal data, at the moment we often have to either accept their cookie and say "Yes" to everything they want from us, or reject it and be barred completely from any access to their services. It's all or nothing.

SCL editor Laurence Eastham hit the nail on the head in a recent blog where he said, "why aren’t we demanding that web sites that need cookies offer a range of options with (or without) privacy settings that allow the user a real choice?", and made the point that -

"We need to be presented with choices that have meaning - and that can only be possible if the requirements insist that web site operators offer a range: the cookie that is strictly necessary for operation, the cookie that eases your experience but transmits only minimal information and the full-fat marketing cookie that makes the web site’s bells ring – and maybe a few more unusual flavours for the discerning palate."

In other words, it's not just the technical options on the user's browser that need attention - it's also, much much more importantly, making site owners and advertisers offer users a real variety of options - "give up more personal information, which we'll do X with, and in return we'll let you access more features on our site", for instance.

Would that all sites took a leaf from the book of the BBC, who carefully explain exactly what cookies are set when you visit their website, and by whom - ie third party cookies as well as their own list - what each is for, etc. All sites should be doing that, and more. It's not just a browser settings issue, it's down to the web site and the advertising network. A choice of different cookies for different purposes ought to be offered at the start of the first visit to the site or communication with a particular ad network (all in a single simple screen or dialog, not each in succession which would increase the annoyance and "automatically click Yes" factor).

A related point is, it's important to properly enforce the purpose limitation principle - a site shouldn't collect personal information that's excessive or irrelevant to the purpose of the site visit.

If I'm signing up for a messageboard to discuss with likeminded fellows our passionate mutual interest in watching paint dry (hey, they can dry at different speeds depending on the type of paint, didja know? I've timed 'em!), the site really doesn't need to know my exact birthdate or mother's maiden name. As I've said before.

What a site thinks it needs to know about visitors (everything?!) may be different from what a user thinks it need to know. There may be a big mismatch between the data collector's purpose for obtaining the data, and the data subject's purpose in visiting the site.

The problem with website use is that merely by browsing to a site you lay yourself open to all sorts of info being collected about you and your browser, and to being forced (some might say blackmailed) into giving up all sorts of private info just for the "privilege" of registering. (You might even now be done for infringing copyright just by visiting a site, but that's a different blog…)

For even basic site access a free service will often want something in return (they usually capture your IP address automatically anyway), but they should offer users a choice as to how much personal data they collect.

For now, the lack of real choice in how many personal details consumers are asked to cough up can be dealt with, in a way, by savvy users - who just give different details, or use various tactics on social networking sites. (With a banking site I've registered a different maiden name for my mother than her real one. With many free sites I give a totally different postcode.) But remember they still grab your IP address and can correlate different visits even on different days etc. Which is why I'm changing my ISP soon - it claims my service is for a dynamic IP address but I can't effectively change my IP address unless I switch off my router for at least a week (I can't, I'd get internet withdrawal), or possibly I could try forking out for a new router, but I don't know if that would work.

Raising user awareness and educating users is critical, generally. But I think everyone knows that. The question is how. And more user friendly tools will certainly help - again the question is what those tools should do.

We will see what transpires over the next year or so. Will browser providers really rise to the challenge, and will it make much difference if ad network and others just find other ways to gather info on users and profile them? (eg in another context, insurance companies running "fun" surveys, trawling public records, and social networking sites etc to get more info about people's lifestyles and how risky they are).

Background

Article 5(3) Directive 2002/58/EC (Directive on privacy and electronic communications), after the changes made by Directive 2009/136/EC (PDF), now reads -

Member States shall ensure that the use of electronic communications networks to store storing of information or to gain the gaining of access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is has given his or her consent, having been provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

The UK are just going to copy that wording out without change or embellishment, according to their consultation on the implementation of this updated law. Not surprising perhaps, as they've been criticised before for their "traditional, but wholly unhelpful way of re-wording a Directive" which "nearly always…throws up room for wholly unnecessary uncertainty and argument." But it's clear what the government really intend, from the accompanying impact assessment (p.146) which says:

"Option 1: Implement an ‘opt-in’ system for cookies
Option 2: Allow consent to the use of cookies to be given via browser settings. This is the preferred option because it allows the UK to be compliant with the E-Privacy Directive without the permanent disruption caused by an opt-in regime."

There's still a few hours or so left to respond, for anyone who wishes! - the consultation runs "until" 3 December 2010 (no indication of what time).

Apparently under the Netherlands implementation it will be possibly to imply the user's consent from their browser settings.

Certainly Recital 66 of the amending Directive 2009/136/EC (PDF) says -

Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

Copyright note

I have shown OCR'd versions of the Working Party letters above based on the Europa copyright notice as I can find no ban on their reproduction, but if anyone from the Commission or Working Party objects please let me know and I'll take them down.

ICO - fixing broken links on your site to ICO papers or press releases

2010-11-26T21:17:00.001Z

UPDATE - to find the new URL, just enter the old URL in this form - blogged here.

If your blog or website has links to files (press releases, documents) on the UK Information Commissioner's site, here is a heads up that links from about October 2010 may be broken.

Anyone who read this blog a year ago will know that linkrot - ie sites, especially official sites, breaking or killing links to their site eg on a site revamp - sets my teeth on edge. Yeah, sometimes I just have to channel my inner law librarian. But really, old URLs should not be changed. It's a usability nightmare that is all too common. Surely it would not be difficult to redirect links in the old format to the new URLs on the ICO site. See my suggested (Word-specific) regex below, for instance.

The ICO must have tweaked their site recently. Links to webpages still work; it's just links to pdfs that don't.

For instance, any link to -
http://www.ico.gov.uk/upload/documents/pressreleases/2010/response_to_moj_dpframework_press_release_06102010.pdf
won't work now; the link should instead be to -
http://www.ico.gov.uk/~/media/documents/pressreleases/2010/response_to_moj_dpframework_press_release_06102010.ashx

In other words, in the URL change "upload" to "~/media" and change "pdf" at the end to "ashx".

From my very limited testing, links (even to PDFs) in the old format to files published before about October 2010 do still work, although changing them to the new format also won't break them - but note that I don't guarantee either point!

Luckily, most of us shouldn't have too many links to PDFs on the ICO site from about 1 Oct 2010 to have to fix.

I updated the ICO links on this blog manually. Below is what I did, in case it helps anyone else who uses Blogger as their blogging platform; the same method may be assistance in relation to updating links for the recent europa.eu changes (see below) as well as for any other blogs you might need to update "en masse" (ish) on Blogger in future -

The Blogger Data API doesn't support the q text search parameter - else I'd have tried coding something in Java or Python to find and download the relevant posts, update the links and re-upload them.
So you can instead try downloading the XML file of all blog posts (Dashboard > Settings > Basic, it's the Export blog link against Blog Tools - good to use it for regular backup generally, anyway - then Download Blog).
Open the XML file in eg Word.
Search in Word for http://www.ico.gov.uk/upload/ to find the broken links, or more precisely, in order to note down the titles of the blog posts which contain those links - as mentioned above, it seems you won't have to go back beyond about 1 Oct 2010, but I don't guarantee that.
You could perhaps use regular expressions in Word (tick "Use wildcards" in Word's Find and replace box) to find -
(http://www.ico.gov.uk/)(upload)(*)(pdf)
and replace it with -
(\1)(~/media)(\3)(ashx)
- then save the XML file and re-import it into Blogger. But…
There's a Blogger problem with importing the edited XML file. I got the dreaded error bX-tjg9ds with a test blog that had just 4 test blog posts. Plus, I'm a bit nervous about trying to export and re-import the entire blog, especially given the error.
So in the end I just searched the downloaded XML file to find all the broken links as mentioned in 4, ie blog posts published in Oct/Nov 2010, then I signed in to Blogger, and in Edit Posts I found the relevant blog posts and updated them manually in HTML view. (Or if you use the excellent Windows Live Writer you could perhaps retrieve each relevant published post from Blogger, edit it manually, then republish it; but I didn't do that myself as I haven't had time to test whether it would republish with the same timestamp or not. I believe it would, but try it at your own risk!)

Note - broken links to the Article 29 Working Party's documents it seems may be fixed by changing (in the URL) -
justice_home/fsj
to -
justice/policies
- but again I've not tested that fully, so use that at your own risk. I haven't the time or strength to update links on this blog at the moment (I have 59 links to A29 papers/pages!), but least I have the downloaded XML file to use now.

Facial recognition for profiling - by drinks machine

2010-11-19T11:15:00.000Z

Privacy advocates may be somewhat concerned that a vending machine now exists in Japan, installed in a Tokyo train station, which uses sensors and facial recognition technology to discern a potential customer's gender and age and "recommend" drinks accordingly (based on market research as to the preferences of different ages and gender).

So it offers canned coffee to men (green tea if they're in their 50s), and tea or a sweeter drink to women in their 20s. It even makes different suggestions depending on the time of day.

Sales have apparently tripled following introduction of that technology, and the company involved, JR East Water Business Co (subsidiary of railway company) JR East Co, plans to expand to 500 such machines in Tokyo and neighbouring areas by March 2012.

Talk about biometrics profiling for advertising and marketing! But one can imagine the technology, and indeed individual machines, being used for many more purposes. A sign of times to come?

(What really gives me pause is the go ahead given to Spanish scientists to use silicon barcodes to individually tag human oocytes and embryos for identification - they "aim to develop an automatic code reading system". Are the barcodes going to be removed after birth? Can they be?)

EU law invalid for interfering unjustifiably with privacy & data protection rights

2010-11-18T21:42:00.002Z

An EU law requiring online publication of personal data (names of recipients of certain agricultural funds, plus amounts received) was declared invalid by the European Court of Justice, as unjustifiably interfering with privacy or data protection rights under the European Convention of Human Rights / EU Charter of Fundamental Rights, because it required blanket publication of all their names/amounts however much (or little) they received, however often, whatever the period or type of aid, etc.

This case is interesting because it underlines the possibility that other EU laws could be vulnerable to being struck down by the ECJ for undue interference with privacy rights, should a national court be persuaded to refer the matter to the ECJ. Data Retention Directive, anyone…?

(The Lisbon Treaty does make it easier for individuals and organisations to complain direct to the ECJ about certain limited EU acts, but we don't know how that'll work out in practice yet.)

The EU must act consistently with the Charter, including in making the laws they pass. However, the Charter's impact on national laws is more limited. It only applies to member states when they're implementing EU law.

What's more, the UK, along with Poland, weren't happy with the Charter and insisted on a Protocol 30 to the Lisbon Treaty to try to ensure that the Charter won't create new legal rights in the UK or Poland, and won't extend the ability of the ECJ or national courts to invalidate UK or Polish laws / regulations etc as inconsistent with the Charter's fundamental rights. This "opt-out" has been called disgraceful, but it may not be clear yet what the exact legal effect of the Protocol is.

Interestingly, in their recent successful application to have the Digital Economy Act judicially reviewed, one basis put forward in their statement of facts and grounds by ISPs BT and TalkTalk was the disproportionate impact of the Act on rights under the Charter as well as the Convention of Human Rights, and reports are that the judge will allow the review to consider fully all 4 of the grounds put forward - probably in Q1 2011. (ZDNet's reference to the judge waiting for the European Data Protection Supervisor's opinion seems mistaken, incidentally, as his opinion on ACTA and 3 strikes came out a while back, in June 2010.)

Anyway, here in the UK it seems people's personal data can get published on line on government websites without their consent or indeed knowledge, even when there's no law stipulating publication! (Hellooo New Forest District Council…)

Details

The court noted that -

The EU Charter of Fundamental Rights (Wikipedia entry, another explanation, full text) has the same legal importance in the EU as the EU Treaties (since December 2009, when the Lisbon Treaty (Wikipedia entry) came into force).
The validity of the EU Regulation provisions in question here must therefore be evaluated in the light of the Charter, including -
- data protection - article 8(1) - ‘Everyone has the right to the protection of personal data concerning him or her’, including that personal data ‘must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law’, and
- privacy - article 7 - 'Everyone has the right to respect for his or her private and family life, home and communications.'
- (Note - the ECJ has said the Data Protection Directive should be interpreted in the light of fundamental rights under the European Convention of Human Rights anyway, including article 8's right to respect for private life - see Rundfunk)
However, those rights aren't absolute, depending on their function in society, and may be subject to limitations provided for by law which respect the essence of those rights and freedoms and, subject to the principle of proportionality, are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others.
Where rights under the Charter correspond to rights guaranteed by the European Convention on Human Rights, then their meaning and scope should be the same as those under by the Convention (article 52(3)), and anyway the Charter doesn't restrict or adversely affect rights recognised by the Convention (article 53).
This means the case law of the ECHR is relevant when considering rights under the Charter, and indeed generally - notably the ECHR cases on respect for private life and protection of personal data. (Note - nothing new here, in that the ECJ generally considers the ECHR anyway where appropriate.)
"In those circumstances, it must be considered that the right to respect for private life with regard to the processing of personal data, recognised by Articles 7 and 8 of the Charter, concerns any information relating to an identified or identifiable individual (see, in particular, European Court of Human Rights, Amann v. Switzerland [GC], no. 27798/95, § 65, ECHR 2000‑II, and Rotaru v. Romania [GC], no. 28341/95, § 43, ECHR 2000‑V) and the limitations which may lawfully be imposed on the right to the protection of personal data correspond to those tolerated in relation to Article 8 of the Convention."

In this case, the Regulation in question (1290/2005 on the financing of the common agricultural policy) required information to be published online regarding recipients of aid from certain EU agricultural funds - and publication of someone's name and income is an interference with their privacy, so even if the underlying laudable aim was transparency as to the use of public funds, the publication requirement still had to be legal, proportionate, necessary etc.

The law here (articles 44 and 42(8b) to be precise) wasn't valid as it required indiscriminate publication of all those details "without drawing a distinction based on relevant criteria such as the periods during which those persons have received such aid, the frequency of such aid or the nature and amount thereof." The court did say, to stem the possible flood of lawsuits no doubt, that no one could sue for past publication of those details. Going forward, obviously they can't be published in the same way.

There were other Data Protection Directive issues in the case but I won't cover them here.

Aside - the referring German court here actually tried to get the ECJ to rule on the validity of the Data Retention Directive, and on whether the Data Protection Directive prevents websites from storing the IP addresses of visitors without their express consent.

Sadly for those of us interested in these issues, the ECJ said, rightly, that those questions weren't relevant to this case, which was referred to them following lawsuits by fund recipients whose personal data had been published on a website (not by visitors to that site whose IP address had been recorded).

Case - Volker und Markus Schecke GbR (C-92/09), Hartmut Eifert (C-93/09), 9 Nov 2010.

Google - data retention periods for different services (including deleted data)

2010-11-06T18:43:00.001Z

From a privacy viewpoint, how long a service provider keeps your personal data is important. It's one of the key data protection principles in the EU that personal data shouldn't be retained for longer than is necessary for the purpose for which it was processed.

When that purpose is served, strictly the service provider ought to delete that data. And again, strictly that includes any duplicates or backups.

Insiders like employees who have access to users' data can be a major risk to data security. Sometimes they can view users' personal data, eg Google systems engineer David Barksdale (maybe more) who was fired for accessing Gmail / Google Voice /chat data - stories in ValleyWag, Reuters, ComputerWeekly (or consider the FIFA passport details debacle, or the position of Facebook employees). If stored data isn't properly deleted when it should be, that may further increase the risk of its being accessed by an insider (or outsider) who shouldn't.

Google Search - different features, different retention periods

I previously compiled a table comparing the retention periods for search data at the main internet search engines.

So it was interesting to see a blog by Google's Chief Privacy Counsel Peter Fleischer which mentioned in passing the data retention periods for logs relating to people's use of certain other search-related Google services, which I don't think I've seen documented anywhere else. Here it is in tabular form:

Google Search service	Data retention period
Search logs	9 months
Instant Search (displays search results as you type) logs	2 weeks; a Google blog post clarifies "we now store Google Instant's partial query data for up to two weeks in unanonymized form, at which time we will delete 100 percent of it. These data retention changes apply only to queries made when Google Instant is active."
Suggest feature - from 2004, available on mobile, now called Google Autocomplete (provides search auto-completion) logs	24 hours

Aside - on Suggest logs, incidentally, see the Telegraph write up of funniest Google Suggest suggestions.

Deleting data from Google services

Leaving aside search features for now, what about when you delete data from another Google service?

Google have recently introduced a new privacy policy, with supplemental privacy policies for some individual products. The general privacy policy says -

Because of the way we maintain certain services, after you delete your information, residual copies may take a period of time before they are deleted from our active servers and may remain in our backup systems. Please review the service Help Centers for more information.

It doesn't give info about how long before residual copies are deleted from servers, and "may remain in our backup systems" suggests they never get deleted from backup!

It would be good if Google clarified this point for each service, and, better still, deleted them from backups too.

Google Tasks

It's interesting to see a specific privacy policy mentioned for Google's Tasks feature (which you can use in Google Calendar as well as Gmail):

"You can delete tasks that you have created. Such deletions will take immediate effect in your account view, although residual copies may take up to 30 days to be deleted from our servers. In addition, every 90 days, if not more frequently, we permanently delete usage statistics associated with your use of Tasks. We retain this information beyond 90 days in aggregate form only."

But, I couldn't find specific mention of periods for deleting residual copies in the case of other Google products eg Google Apps services.

Google Docs

I noticed recently that when I deleted documents from Google Docs, they were still appearing in my Google Docs search results for about 2 or 3 hours thereafter. (And for how much longer "residual copies" stay on Google's "active servers" or backup servers after that, is anyone's guess.)

This "feature" may in fact be quite an annoyance if you delete documents which you no longer need, but then they keep polluting your Google Docs search results for 2 hours after that - especially if you're working to a deadline and need to find other stuff quickly!

Google really ought to sort this kind of thing out if they want to succeed in selling Google Apps to organisations, as it will probably frustrate business users. Quite apart from the data protection / privacy implications.

In addition, for those who didn't know - even when you delete a Google Docs document, it seems Google will never delete any images / pictures / photos linked to in the document. Not unless and until you specifically contact Google Docs support (not an easy thing to do) and ask them to do so. So don't go putting embarrassing pics in your Google Docs!

Gmail

It's good that for Gmail at least, Google say they make "reasonable efforts" to remove deleted info ASAP (emphasis added) -

"Data retention

Google keeps multiple backup copies of users' emails so that we can recover messages and restore accounts in case of errors or system failure, for some limited periods of time. Even if a message has been deleted or an account is no longer active, messages may remain on our backup systems for some limited period of time. This is standard practice in the email industry, which Gmail and other major webmail services follow in order to provide a reliable service for users. We will make reasonable efforts to remove deleted information from our systems as quickly as is practical."

It would be helpful to know what's the max "limited period of time"; but note that "reasonable efforts to remove deleted information" is not the same as a guarantee of eventual deletion.

Note that there are special contractual terms of service for Google Apps applications, including Gmail etc; and it seems (though that's not reflected in the terms) that there's more reliable deletion in the case of paid-for services like Apps Premier Edition:

"I received verbal assurances from our salesperson that Google always honors client requests, within reason. E.g. A deleted account is truly deleted, however there is a 5 day 'grace period', where it seems an accidental deletion can be remedied. Regarding the dispersal of data amongst data centers (triple redundancy), the sales person indicated it may take a week to remove data from all the caches. So, it was implied within a certain window of time, all data that a customer wishes to be deleted is destroyed, and after that it is truly gone."

- plus customer-selectable email retention settings and archiving periods, although archiving Google Docs for records management (deliberate records retention in archives for compliance purposes) appears to be problematic.

As for third party apps obtained through Google Apps, it's up to the third party entirely what their data retention policy is. You have been warned.

It seems people are still uncertain about other issues like Google Analytics data retention.

TOS & privacy policies galore?

As well as explaining individual data retention policies, the interaction between all these different terms and conditions (and Google's Privacy Principles unveiled in Jan 2010) could be clearer.

For example the Google Apps privacy notice is very brief and refers to the basic Google Privacy Policy page - not even the privacy policy itself - and neither of which links or even refers to the "More on Gmail and privacy" page I quoted from above. This can all be rather confusing to the user.

(There's probably a lot of money to be made by anyone who can produce an app to check and cross check TOS across a single website in relation to different services of the same provider - for consistency, cross references etc.)