Chrome Privacy

European privacy regulators have reported on their investigation into Google's privacy policy, which was launched on March 1st. Their investigation found:

incomplete information and uncontrolled combination of data across services.

The privacy policy is a mix of particularly wide statements and of examples that mitigate these statements and mislead users on the exact extent of Google's actual practices.

Google's answers have not demonstrated that your company endorses the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object. Indeed, the Privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data. We challenge you to commit publicly to these principles.

The investigation showed that Google provides insufficient information to its users (including passive users), especially on the purposes and the categories of data being processed. As a result, a Google user is unable to determine which categories of data are processed in the service he uses, and for which purpose these data are processed.

The company's new privacy policy, which came into force on March 1 2012, was criticised by many at the time, including Big Brother Watch. We highlighted how most consumers had not read the policy, and warned that even if they did the opaque language made it difficult to understand exactly what data was being captured and what would happen to it.

The test now will be whether data protection regulators have the ability to hold the company to account, or if as before their powers are limited to a paltry fine that will barely trouble one of the world's largest corporations.

Germany's Federal Office for Information Security says that Google's new browser Chrome should not be used for surfing the Internet.

The problem, according to a translation from Blogoscoped, is that joined with email and search, Chrome gives Google too much data about its users.

Based on article from theregister.co.uk

In telling the world it will anonymize user IPs after only nine months, Google has appeased EU regulators. At least in part. But it looks like Mountain View's new policy is just another example of Google Privacy Theatre.

After nine months, the company has confirmed with The Reg, Google will change some of the bits in the user IPs stored in its server logs. But as the plan stands now, it will leave cookie data alone.

This means the missing bits are easily retrieved.

More than a year ago, the company said it would "anonymize" its server logs after eighteen months. And sometime between March and July, it actually put this plan into action. In this case, anonymize meant change some of the bits in the IP address in the logs as well as change the cookie information. Google now says it erases exactly eight bits from a user's IP, but it has yet to explain what it actually does to the cookie data.

After nine months, we will change some of the bits in the IP address in the logs, the company says: After 18 months we remove the last eight bits in the IP address and change the cookie information...It is difficult to guarantee complete anonymization, but we believe these changes will make it very unlikely users could be identified.

But as CNet points out, if your cookie data remains intact, restoring the full IP address is trivial. Google may erase some IP bits on your nine-month-old search queries, but those bits will remain intact on your newer queries - and both sets of queries will carry the same cookie info.

ie Google search data is not really anonymised until 9 months after users clear their cookies. And few users are likely to clear their cookies, ever.