On the European Union search engine schizophrenia

The European Parliament has asked the European Commission to include search engines in the Data Retention Directive. This will force the search engines to store your searches and IP addresses, undermining the Commission’s attempts at protecting the privacy of European citizens.

Privacy and search engine data storage

It is not easy being a search engine.

Giants like Google and Bing would really like to store your searches and link them to your IP address, cookie or logon information, as this coupling gives them data they can use to improve their search engine algorithms and tailor search results to your personal taste.

On the other hand, people like you and me feel uneasy about this invasion of privacy and would prefer Google and Bing to know as little as possible about our search habits.

The Article 29 Working Party

It is not easy being the European Union, either.

The European Commission and its Article 29 Working Party (not to be confused with Written Declaration 29; see below) consider themselves champions of the little people, that is, people like you and me, and have therefore put a lot of pressure on Google and its siblings in an attempt to reduce the amount of personal data stored by search engines.

The search engines have at least partly complied by deleting IP addresses (the ID number your computer or your ISP gives the search engine when you do a search) earlier than before. Bing is to cut the amount of time it stores the IP addresses associated with search queries from 18 months to six months.

One of our favorite search engines, Duck Duck Go, does not store or collect any information about its users. Some meta search engines, like Ixquick and Yauba, have also made privacy part of their business model, promising not to store any personal information.

Data Retention Directive

Unfortunately, another part of the European Union wants desperately to use all this data for police work and surveillance. There has been an intense discussion in many European countries regarding the ratification of the so-called Data Retention Directive.

The very controversial directive requires the member countries to store traffic and localisation data on people’s use of phones, mobile phones, email, the Internet and so on. This is information on who is communicating with whom, when, how and where from. The police want this data to crack down on crime, but it can, of course, also be used for intelligence work and surveillance.

Hence, at the same time as the Commission is trying to protect you from Google’s surveillance, it is actively working to increase the amount of public surveillance.

The Smile29 initiative

Now the European Parliament has gone ahead and demanded that search engine data should be included in the Data Retention Directive.

As we reported on June 8, MEPs Tiziano Motti of Italy and Anna Zaborska of Slovakia, in their Written Declaration 29 (also known as Smile29), ask for the search engines to store IP addresses and more, and to make that information available to law enforcement in order to catch paedophiles and sex offenders.

In a clarification, Motti and Zaborska say that the proposal “has the only objective to persecute children related pornography and sexual harassment online.”

This is naive. As the Commission clearly has communicated to the search engines, the very existence of such data is a threat to privacy.

The Commission must act

Written Declaration 29 totally undermines all the work the Commission has done to protect privacy.

Admittedly, the Declaration does not (yet) have the status of law, and as far as we understand it the European Commission could in theory ignore it. However, it acts as a formal invitation to the Commission to take action to address the issues raised by the Declaration, and given that it has the support of the majority of MEPs, it would be hard to ignore it.

Now the Commission may have to include the search engines in the Data Retention Directive and ask them to keep such data and to give it to the police when deemed appropriate.

The Commission could — probably — ask the search engines to store data related to searches for and visits to sex and paedophile sites only, but how they are going to define which sites and searches these are to be beats us.

As it is now, the Data Retention Directive does not allow for storing the content of communications, only the traffic data and timestamp. If you want to track down sex offenders you would also have to store the search query and the content of the sites they are visiting.

The legal privacy issues involved are mind-numbing.

Do the MEPs know what they are doing?

Christian Engström, Swedish MEP of the Pirate Party, argues on his blog that “It is understandable if many Members of the European Parliament have been misled into signing the declaration, since the Data Retention Directive is never mentioned in any of the marketing material for the declaration, and is only referred to by its number 2006/24/EC in the declaration itself.”

He is probably right in believing that many of the over 300 MEPs who have signed the declaration do not understand the consequences of what they are doing.

Swedish MEP Cecilia Wikström from the liberal group has asked MEPs to withdraw their support for the declaration. She says:

“The review of the Data Retention Directive is currently underway, with a report expected from the Commission in September. The Directive was adopted under the previous legislature after severe pressure from the Council and despite being repeatedly rejected by the Civil Liberties Committee.

Following such a difficult adoption in the European Parliament, implementation problems in Austria, Belgium, Germany, Greece, Romania and Sweden and in advance of the Commission’s report on implementation of the Directive, it is clearly inappropriate for the Parliament to take a position on this topic now.”

The point Wikström is making is that the Data Retention Directive is about storing data for a long time, allowing law enforcement to use these data to fight crime. The Data Retention Directive is not about early warning, stopping crime before it happens.

Ixquick’s protest

Ixquick has seized the opportunity to get some additional PR. In a press release they argue that the Written Declaration 29 is targeting them:

“Since Google, Yahoo, and Bing already retain users’ search data, this proposal is clearly aimed at Ixquick and our English-language subsidiary Startpage,” said Robert Beens, CEO of Ixquick. “We have worked hard to create a privacy-friendly search engine that embodies the spirit of EU Privacy Protections, in line with the strict recommendations of the EU Article 29 Data Protection Working Party. This Declaration is evidence that the left hand of the EU does not know what the right hand is doing.”

We doubt very much that Motti and Zaborska have heard about Ixquick, but it is certainly true that their declaration will undermine Ixquick’s policy of not storing search and searcher data.

Ixquick points to the fact that this surveillance is unlikely to stop sex offenders. They quote Alexander Hanff of Privacy International who says that:

“Sex offenders exchange files through underground networks. They don’t find this stuff through search engines. I spent eight years helping law enforcement track down online sex offenders and never once did we see a case where search engine data was useful.”

Privacy International will now write to more than 200 European organisations to form a campaign to fight the adoption of an EU proposal to require the retention and analysis of all European Internet search traffic.

List of names of MEPs supporting Written Declaration 29
