PRIVACY + SECURITY BLOG

News, Developments, and Insights

Privacy of Internet Search Records

Here are some recent interesting links about the privacy of Internet search records:

Check out Patriot Search for a laugh. It’s a new search engine where your results are reported directly to the government: “Our mission is to provide the best possible search engine to you while at the same time, making sure the government is informed should you search for something obscure, illegal, or unpatriotic.” [Thanks to Scott Forbes for the link.]

CNET has interviews with Internet search companies about the kind of data they retain about their users. Of the many questions asked, the answers to these two questions are particularly interesting:

1. “Given a list of search terms, can you produce a list of people who searched for that term, identified by IP address and/or cookie value?”

AOL: “No. Our systems are not configured to track individuals or groups of users who may have searched for a specific term or terms, and we would not comply with such a request.”

Google: “Yes. We can associate search terms with IP addresses and cookies, but not with users’ names unless they are registered with Google.”

MSN: “We can provide a list of the IP addresses and cookie values for a given query, but this does not equate to a list of “people,” only to a list of IP addresses and anonymous temporary ID numbers. . . .”

Yahoo: “Yes, we can.”

2. “Given an IP address or cookie value, can you produce a list of the terms searched by the user of that IP address or cookie value?”

AOL: “Yes. But–as discussed above–those terms are also visible to the user with their search results, and the user has the ability to delete any/all of those terms, or to turn off that functionality altogether.”

Google: “Yes.”

MSN: “Yes. As a matter of standard business practice, we do not compile such lists. Mapping as described would be done only for the purpose of responding to the legal request.”

Yahoo: “Yes, we can.”

[Link via Michael Zimmer.]

A New York Times article discusses how frequently Internet Service Provider records are being subpoenaed for civil and criminal cases. According to the article:

Requests for information have become so common that most big Internet companies, as well as telephone companies, have a formal process for what is often called subpoena management. Most of the information sought about users is basic, but very personal: their names, where they live, when they were last online — and, if a court issues a search warrant, what they are writing and reading in their e-mail. (Not surprisingly, the interpretation of voluminous computer records can be error-prone, and instances of mistaken identity have also come to light.)

AOL, for example, has more than a dozen people, including several former prosecutors, handling the nearly 1,000 requests it receives each month for information in criminal and civil cases. The most common requests in criminal cases relate to children — threats, abductions and pornography. Next come cases of identity theft, then computer hacking. But with more than 20 million customers, AOL has been called on to help in nearly every sort of legal action. . . .

AOL says that only 30 of the 1,000 monthly requests it receives are for civil cases, and that it initially rejects about 90 percent of those, arguing that they are overly broad or that the litigants lack proper jurisdiction. About half of those rejected are resubmitted, on narrower grounds. Generally, AOL gives its members notice when their information is sought in civil cases. If the member objects, the issue is referred back to the court. (In criminal cases, there is often no notice, or notice is given after the information has been given to investigators.). . . .

“The big story is the privacy law that protects your e-mail does not protect your Google search terms,” said Orin S. Kerr, a professor at the George Washington University Law School and a former lawyer in the computer crime section of the Justice Department.

Originally Posted at Concurring Opinions

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.
