By telling us that personalized search data, IP addresses, etc. are to be kept for no more than 18-24 months “unless we’re legally required to retain log data for longer,” what Google actually revealed today is how bad the current state of online privacy protection is. Not only are companies collecting and maintaining this data almost indefinitely, but in some cases they’re legally bound to do so. This constitutes one of the dirty not-so-little secrets of online existence: we have little idea about and almost no control over the data that is collected about us.
Imagine if everywhere you drove a record was kept of your route, speed, what stores you visited, who you talked to, etc. In the real world this kind of surveillance requires a warrant and an enormous amount of effort (digging into your credit card purchases, getting your cellular company to flip the switch that turns your phone into a GPS-enabled mobile bug, etc.). But to perform the same observations on line all you need is access to Google’s databases–between the Toolbar, Gmail, Talk, Desktop Search, AdSense, Google Analytics, Google Checkout, etc., etc., a huge percentage of what you accomplish with a computer can be tracked, analyzed, and ultimately connected back to you. And this is just one company. There are literally hundreds of major companies that have access to and maintain this data. How much? For how long?
How long does your ISP keep logs of the web sites you surf to? How long does Yahoo keep a transcript of your chats? How much information does the web-integrated Windows Live search in Vista phone home about you? These are questions we’ve ignored for the sake of utility and expedience, but I have a feeling they’re about to get asked. Google has broached the subject; now it’s up to the industry at large to respond, and hopefully, when they realize how bad it is, online citizens to get involved.