The search engine that has no idea who you are

OUT-LAW Radio, 17/07/2008

While privacy activists protest at Google and others' keeping of data about our searches, we talk to the man behind a Dutch search engine that almost instantly deletes users' data

• Download OUT-LAW Radio, 17/07/2008 (10MB, 12 minutes)
• Low quality recording for 17/07//2008 (2MB, 12 minutes)
• Instructions for listening and subscribing to OUT-LAW Radio

A text transcription follows.

This transcript is for anyone with a hearing impairment or who for any other reason cannot listen to the MP3 audio file.

The following is the text spoken by OUT-LAW journalist Matthew Magee.

Hello and welcome to OUT-LAW Radio, the weekly podcast that keeps you up to date on all the twists and turns in the world of technology law.

Every week we bring you the latest news and in depth features that help you to make sense of the ever changing laws that govern technology today.

My name is Matthew Magee, and this week we talk to the man behind a search engine which is bucking the trend by deleting all the data it collects about you.

But first, the news:

Privacy watchdog warns government of super database

eBay does not have to be trade mark police says US court

and

European Commission proposes extending copyright protection

Privacy regulator the Information Commissioner has warned that any Government plans to create a single database of phone and internet use could be a threat to privacy.

Commissioner Richard Thomas warned that reported Government plans to create a new database of phone and internet usage for all UK citizens could undermine people's right to privacy.

He said: "Do we really want the police, security services and other organs of the state to have access to more and more aspects of our private lives?"

The Home Office had previously told OUT-LAW that it was not yet releasing details of proposed changes contained in its Government's Draft Legislative Programme to laws surrounding the collection of data.

Thomas also issued HM Revenue and Customs and the Ministry of Defence with official warnings after the loss by them of millions of people's personal data.

eBay does not have to pre screen its auctions for counterfeits of trade marked goods, a US court has ruled in a case that could have threatened the entire business model of the online auction site.

The court also told eBay that it could use other people's trade marked terms in ads on its site and in ads that it places on other people's websites.

Jeweller Tiffany sued eBay in 2004 over the counterfeit Tiffany items that flooded the site, arguing that the company was liable for the trade mark infringement resulting from the sale of the fakes.

But Judge Richard Sullivan in the US District Court in New York said that eBay was not responsible for all trade mark infringement on its site and that its anti counterfeiting policies were sufficient.

The ruling confirms that it is up to the owner of a trade mark to protect it.

The European Commission has proposed a Directive that would give performers rights over recordings for 95 years after the recording. The change would give a player on a recording rights for the same length of time as the writer of the material.

The Commission proposed Directive would extend the term from 50 to 95 years but must first receive the approval of the EU's Council of Ministers and its Parliament.

Opponents of the plan argue that sound recordings of 50 years' old or more should be released from copyright in order to benefit all society. They say that the move will keep music out of the hands of remixers or other artists wishing to use it to create new sounds. The Commission, though, said that music which was neglected would pass into the public domain.

That was this week's OUT-LAW news

European privacy activists, watchdogs and legislators have been engaged in a protracted bunfight for over a year and a half now about web firms' keeping our personal data on file.

Data protection, data retention, server logs, the differences between content providers and service providers: the debate is conducted in terms that could be designed to make your average web user switch off.

But when Google was ordered two weeks ago to hand over the details of anyone who had ever watched a clip on its video sharing site YouTube, the debate suddenly got very real.

Web users who had guffawed at a comedy clip or nodded at work to a music video, and those who had put the clips up there in the first place, suddenly realised that evidence of their activity was stored somewhere, and that it was going to be made available by a court order.

The retention by search engines of what is searched for when and from what internet address is the focus of many activists' concerns. Google, which has an 80% market share in Europe, keeps records of this for up to 18 months.

So what can you do if you don't want your searches to be tracked? Well, this is a question that Dutch search engine company Ixquick sought to answer by choosing to delete all this information within 48 hours of the search taking place.

Chief executive Robert Beens told OUT-LAW why his company is different to all the rest.

Beens: We really fundamentally believe in the user's right to privacy. I don't want to know anything - Ixquick doesn't want to know anything - about users. We want to offer them a good search service and we rather not know their IP address or what they search for. In June of 2006 we were the first search engine to start deleting our users' privacy sensitive details from our log files. We delete the IP addresses of our users as the most important personal data within 48 hours and we also stop the use of cookies with an ID - with identification on them because also ID cookies can be very important when you're looking at privacy on the use of search engines. A company can safeguard their own data but there can be external situations that endanger the data of the users and you have no right to hold on to those data in my view from a privacy perspective. It's a fundamental issue. Privacy is a right. We believe in the fundamental right to privacy and we believe personal data, privacy sensitive data should be protected.

It wasn't always this way. Ixquick had something of an epiphany in 2006.

Beens: It started when I was doing a legal view of the company and I tried to do an in depth investigation into our own liabilities and the most important one of course, was the keeping of user data like their IP addresses and the search queries. So I asked the technology people what exactly are we keeping and why are we keeping those data. And they gave me the list of issues and items that we were keeping and recording in our log files and I said why are we keeping those data? And they didn't give me a good answer. I said well if there's no reason for us to keep the data why don't we get rid of it. I don't want to have the liability on our company to keep someone's personal data because it is a liability and the only safe way of keeping someone's personal data is by deleting it.

So what exactly does Ixquick do? Well it's a meta search engine, so when you plug in a query it in turn searches other search engines for results and gives them to you, telling you which search engine they came from.

Ixquick then deletes all records of your visit within 48 hours. Beens says, though, that it is not just about deleting IP addresses or search terms, it is vital that cookies – the small files stored in your browser that indicate what sites you have visited - are deleted as well.

Beens: Especially the cookies that have uniquely identifying ID - you can call them ID cookies or tracking cookies - in my view are dangerous because they enable the issuer of the cookie to keep track of behaviour beyond IP addresses. If I use a specific server on the web and I log in with my log in name and password and at that moment the company behind it can see this is unique identification number ABC. If I go to another computer I won't be using the same IP address but I log in again it can see that this is the same user as the one before and it will know this is the same piece of information and it can glue all the separate pieces of information together like a puzzle. It enables companies to track beyond IP addresses.

One of the people who has been most vocal in opposing the record keeping of companies such as Google has been the European Data Protection Supervisor, Peter Hustinx. The man charged with overseeing the data protection and privacy compliance of EU bodies, Hustinx also takes a more general advocacy role promoting good privacy practice.

Google has felt the sharp end of his tongue in the past as he criticised their policies, but Ixquick has fared far better.

The company this week received the first ever privacy seal issued by a group of privacy organisations including data protection authorities. The seal was presented by Hustinx, praise indeed in the privacy world.

Beens: A European privacy seal that guarantees that IT products and services comply with the demanding EU laws and regulations on privacy and on data security. It's the ultimate proof to our users that Ixquick does what we say we're doing. It's the proof we live up to our promises.

Ixquick is not a company on the scale of the likes of Google or Yahoo!, but it does process three to four hundred thousand queries a day, and makes its money, like other search engines, by publishing clearly marked paid listings alongside the normal results for your query.

Beens said that he believes increased privacy is something that web users are beginning to want, and that other search companies may well have to change their policies to fall in line with increasing demand.

Beens: I do see an increased awareness with the general public when it comes to their online privacy. That awareness is going to be translated, I think, into more restricting laws and regulations and it may just be the case that other search engines will be forced by those regulations and laws to comply with stricter privacy rules.

That's all we have time for this week, thanks for listening.