Microsoft Reduces Bing Data Retention Times

Microsoft on Monday announced moves to reduce data retention times for Internet queries initiated through the company's Bing search engine.

Peter Cullen, Microsoft's chief privacy strategist, said in a statement that the company will delete IP addresses after six months and will remove cookie IDs and other cross-session IDs after 18 months.

"It's definitely a step in the right direction," commented Peter Eckersley, staff technologist for the Electronic Frontier Foundation (EFF), in a telephone interview "However, there's still an enormous gulf between what a reasonable person expects in matters of personal data, and the reality of the types and amount of data search engine companies actually retain."

EFF is a nonprofit consumer and legal advocacy group headquartered in San Francisco that focuses on a number of Internet issues, including data retention by search providers.

According to Eckersley, America's top three search companies are all making efforts to "at least look like" they are reducing the hold periods and limiting the amount of data they retain.

Yahoo's current IP address retention is three months, while Microsoft and Google are now holding onto IP info for six and nine months, respectively.

Search engine providers typically explain that the data needs to be retained to improve their search services.

"Data from our search queries represents a crucial arm in our battle to protect the security of our services against hacks and fraud," stated Peter Fleischer, global privacy counsel at Google, in an e-mail. "It also represents a critical element allowing us to help users by innovating and improving the quality of our searches."

Google earlier reduced its retention time for IP addresses in search logs, cutting it from 18 months to the current nine months. However, Google's concern over Internet privacy generally seemed in question after Google's CEO Eric Schmidt stated in December that "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."

Questions remain about whether search queries typed by users might still be used to identify individuals, even with the precautions taken by search providers.

"What they [the search providers] aren't telling you is what they are keeping," Eckersley noted. "They can delete IP addresses, but keep cookie-based search histories, user strings and other bits of data that could lead to personal identities."

Such was the case in 2006 when AOL released Internet search histories for more than 600,000 unnamed individuals as part of a research project. According to an overview on the Privacy Rights Clearinghouse Web site, several people were identified, along with their medical records, interests, financial info and social security numbers.

Microsoft said it changed its search data retention policy after an evaluation of its business needs and as the result of an "ongoing dialogue with privacy advocates, consumer groups, and regulators -- including the Article 29 Working Party."

The Article 29 Working Party (PDF) was established by the European Union to oversee the EU's Data Protection Directive, which was written to regulate the processing of personal data within EU member states.

The United States still lags behind the EU in terms of legal data protections, according to Eckersley.

"There's no question the Europeans enjoy much better data protection than Americans," Eckersley said. "The big three [search providers] in the U.S. are making strides but they really need to address the gulf of what people expect, and what is actually happening….The problem is there are no magic glasses to see inside of the logs they [Google, Microsoft and Yahoo] keep, and there is no regulatory directive providing guidelines for what data is kept."

On Wednesday, Microsoft called for updating certain U.S. laws, including the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. Brad Smith, Microsoft's senior vice president and general counsel, suggested that without greater national attention to law enforcement, liability and privacy rules affecting the Internet cloud, the future of cloud computing could be stunted.

About the Author

Herb Torrens is an award-winning freelance writer based in Southern California. He managed the MCSP program for a leading computer telephony integrator for more than five years and has worked with numerous solution providers including HP/Compaq, Nortel, and Microsoft in all forms of media.


  • Spaceflight Training in the Middle of a Pandemic

    Surprisingly, the worldwide COVID-19 lockdown has hardly slowed down the space training process for Brien. In fact, it has accelerated it.

  • Surface and ARM: Why Microsoft Shouldn't Follow Apple's Lead and Dump Intel

    Microsoft's current Surface flagship, the Surface Pro X, already runs on ARM. But as the ill-fated Surface RT showed, going all-in on ARM never did Microsoft many favors.

  • IT Security Isn't Supposed To Be Easy

    Joey explains why it's worth it to endure a little inconvenience for the long-term benefits of a password manager and multifactor authentication.

  • Microsoft Makes It Easier To Self-Provision PCs via Windows Autopilot When VPNs Are Used

    Microsoft announced this week that the Windows Autopilot service used with Microsoft Intune now supports enrolling devices, even in cases where virtual private networks (VPNs) might get in the way.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.