Microsoft pledges to delete Bing user data after six months
Microsoft has bowed to pressure from privacy groups and agreed to delete all user data collected via Bing after six months.
Up until now the company has been anonymising Bing users’ IP addresses after six months so people could not be identified by their search terms.
However, after continual lobbying by a panel of national privacy regulators from the European Union, called the Article 29 Working Group, among other online privacy rights groups, Microsoft has conceded it will totally eliminate all data it has collected on people using Bing after six months.
John Vassallo, a Microsoft vice president and associate general counsel, has confirmed that the global redesign of the search engine operation will happen over the next 18 months.
“We support what the Article 29 Working Group is doing. That is why we are making this change,” Mr. Vassallo said at news conference in Brussels. “We call on our competitors to do the same.”
The same high profile group has also lobbied both Google and Yahoo! to make the same move and actually delete people’s search data, as opposed to just anonymising it. However, as of yet, Microsoft is the only company to go as far as purging the data.
Peter Fleischer, Google’s global privacy counsel, said: “Data from our search queries represents a crucial arm in our battle to protect the security of our services against hacks and fraud. It also represents a critical element allowing us to help users by innovating and improving the quality of our searches. This is why we have committed to anonymising IP addresses in our search logs after nine months, significantly shorter than our previous 18 month retention policy.
“We're committed to using data both to improve our services and our security measures for our users and to protect their privacy, and we remain convinced that our current logs retention policy represents a responsible balance.”
Yahoo!, which keeps its search data for three months, before anonymising user IP addresses, said: "Yahoo! is extremely proud of our Data Anonymization Policy which has received wide support and affirms our commitment to protecting our users’ privacy. Yahoo!'s policy both dramatically reduces the time we hold personal data and increases the scope of log data covered under the policy. Under the policy, Yahoo! will anonymize user log data, including deletion of total IP address, after 90 days with limited exceptions to fight fraud, secure systems and meet legal obligations.”
Search engines keep data in an anonymised form to learn about trends and get insights into search – which is useful for the advertising side of their businesses and to digital marketers. However, despite deleting numbers from IP addresses, effectively “anonymising” them, some security experts think it is still possible for people to be identified by their search terms and other personal queries.
Graham Cluley, a senior security advisor at Sophos, said: “If the likes of Google still have all of its users’ search data, there are still clues which can be pieced together to identify the searchers. The IP address may be edited but the search terms are not deleted and slowly these fragments could help these companies piece together people’s identities – for whatever purpose suited them.
"I think privacy groups are concerned about the retention of this data as we often search for very personal things.”