Microsoft Supports Strong Industry Search Data Anonymisation Standards

BRUSSELS - 8 December 2008

Microsoft’s John Vassallo and Peter Cullen sat down with PressCentre to explain the importance of search anonymisation for consumer privacy and why an industry standard is needed.

Press Centre: What is Microsoft today announcing, and why?
John Vassallo: In April 2008, the Article 29 Working Party issued an Opinion regarding steps that search providers needed to take to improve consumer privacy protection. The Article 29 Working Party is named after the part of Directive 95/46/EC relating to personal data protection and represents all European national data protection authorities. Specifically, the Working Party requested that companies reduce the amount of time they retain search data prior to anonymisation to six months and that companies adopt strong anonymisation methods.

Today, Microsoft has announced that we are prepared to meet the Article 29 Working Party’s search anonymisation guidelines, but believe it is imperative that all search companies adopt the same standard to truly protect people’s privacy. We’ve evaluated the multiple uses of search data and believe that we can, in time, move to a six month timeframe while retaining our strong method of anonymisation.

We are prepared to make this change and applaud the Working Party for its leadership on industry standards and look forward to continuing a productive dialogue with them and other key stakeholders on how to make industry standards a reality.

PC: Why is the common industry standard so important?
John Vassallo: It’s important that all major search companies adopt the same high standards for search anonymisation to assure people that their privacy is protected. Consumers want to know that their privacy is protected while being provided with search and other online services that meet their needs. With only 2 per cent of the search market share in Europe today, and a small share globally, a Microsoft policy change would only protect a small portion of Internet users. The largest search provider collects and retains much more search data than any other company and thereby has the greatest impact on the privacy of internet search users. All major search companies need to adopt the same standard for people to have the assurance their privacy is protected regardless of the search engine they use.

Not having a common standard also creates competitive challenges. Without a common industry standard search engines can collect and retain varying levels of data. Ultimately, the search engine that has access to the most data is able to improve the relevance of its search results, which provides more consumer value and gives the company a competitive advantage.

PC: What specific actions is Microsoft taking on search anonymisation?
Peter Cullen: I am proud to say that Microsoft already has a strong method for anonymisation, and won’t need to make any changes to our method. Our approach is based on deleting the entirety of the IP address, as well as all other cross-session identifiers such as persistent cookie IDs.

What we’ve done since April is evaluate the multiple uses of search data to ascertain if we can, in time, move to a six month timeframe. Our answer is yes, we can, but we don’t believe it makes sense for us to make this change until our competitors also commit to meeting this higher standard with respect to both the method and timeframe for anonymisation.

PC: Why is the anonymisation method so important to protect privacy?
Peter Cullen: We believe that a strong anonymisation method matters even more to consumer privacy protection than the anonymisation timeframe. The Working Party also identified the need for a strong anonymisation method as a key part of its opinion and in response to recent announcements from other companies.

We believe our approach, which completely deletes all cross-session identifiers, is the way to best anonymise the data. This approach is necessary because it has been shown that, in some cases, when search queries can be linked across sessions and over time, it may be possible to identify individual users even in the absence of a full or partial IP address. The existence of a partial IP address may make such linkages even more likely.

While, both an effective anonymisation method and timeframe are needed to protect people’s privacy, a short timeframe coupled with a weak method will not yield significant privacy protections as data may be linked to an individual at a later date. By contrast, a strong anonymisation method helps to ensure that the risks to privacy are eliminated at a defined point in time.

PC: Why do Microsoft and other companies have to collect and retain search data?
Peter Cullen: Search data is used for a variety of essential purposes, including improving the relevancy and quality of the search results, contributing to the effectiveness of advertising, ensuring the integrity of the search engine business model and protecting against security threats. We are continually evaluating our data collection, use and retention practices so we can balance the need to offer people innovative products and services while also protecting their privacy.

PC: Why is Microsoft announcing these changes now?
John Vassallo: Microsoft has a long-standing commitment to privacy and takes protecting consumers’ privacy in the operation of our search engine very seriously. As part of this commitment, we released Microsoft’s Privacy Principles for Live Search and Online Ad Targeting in July of last year focused on user notice, user control, search data anonymisation, security and best practices. Since that time, we have continued to focus on finding ways to protect the privacy of anyone who uses our search engine.