Earlier this week, Google announced it would cut in half the amount of time it keeps user logs before anonymizing them, from 18 to nine months. The decision appeared designed to mollify Google's European critics.
The move was partly successful, as Jacques Barrot, the EU's justice and home affairs commissioner, called it a "good step in the right direction." Barrot urged Google to cut the anonymization time even further, however, to six months, as recommended in a report by the EU's Article 29 Data Protection Working Party. "Awareness and compliance with fundamental human rights are of pivotal importance" for Internet companies, Barrot said.
But Internet security expert Chris Soghoian, writing on CNET, said Google's time reduction is almost completely illusory. Despite Google's assertion that "we're significantly shortening our previous 18-month retention policy to address regulatory concerns and to take another step to improve privacy for our users," Soghoian said that Google's new policy fails to provide meaningful anonymization.
Preserving Utility, Securing Privacy?
Google maintains that even anonymizing after 18 months entails "sacrifices in future innovations." The process for anonymizing after nine months will not "use precisely the same methods for anonymizing as we do after 18 months," Google's senior legal staff posted on the company's official blog. "After months of work our engineers developed methods for preserving more of the data's utility while also anonymizing IP addresses sooner."
Soghoian reported that he sought additional details from Google and was told, "After nine months, we will change some of the bits in the IP address in the logs; after 18 months we remove the last eight bits in the IP address and change the cookie information." The statement conceded that "it is difficult to guarantee complete anonymization, but we believe these changes will make it very unlikely users could be identified."
Soghoian explained that Google anonymizes after 18 months by removing the last eight bits, or three numbers, of an IP address. Thus Google's strongest anonymization hides a user among 256 possible IP addresses. By changing only "some" of the IP bits, users will be hidden among 64 or 127 addresses.
'Laughable' Anonymity
"By itself, this is a laughable level of anonymity. However, it gets worse," Soghoian wrote. This is because Google doesn't anonymize cookie data after nine months, only IP addresses. Thus, a user whose IP address has been "anonymized" to 173.192.103.1XX, with a cookie value of 12345, could search later from the same IP address and with the same cookie value.
"Even though the nine-month-old search logs have been 'anonymized,' because the cookie values remain, it is trivial to match the newer search results to the older searches, and thus completely reverse the anonymization process," Soghoian wrote.
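The re-linking Soghoian describes, modelled on constructed log data as an added example (not code from the article or from Google): the two-stage policy masks IP bits but keeps the cookie value for nine-month-old rows, so any newer row with the same cookie hands back the full address. The day thresholds, field names and the choice of 7 masked bits for the nine-month stage are assumptions.

```python
import ipaddress
from collections import defaultdict

NINE_MONTHS, EIGHTEEN_MONTHS = 270, 540   # assumed retention cut-offs, in days
REDACTED = "REDACTED"

# Constructed sample log for one client: same host and cookie across time.
SAMPLE_LOG = [
    {"days_old": 600, "ip": "173.192.103.200", "cookie": "12345", "query": "old-search"},
    {"days_old": 300, "ip": "173.192.103.200", "cookie": "12345", "query": "mid-search"},
    {"days_old": 10,  "ip": "173.192.103.200", "cookie": "12345", "query": "new-search"},
]

def mask_ip(ip, bits):
    """Zero the low `bits` bits of an IPv4 address; the host is then hidden
    among 2**bits addresses (8 bits -> 256, 7 -> 128, 6 -> 64)."""
    addr = int(ipaddress.IPv4Address(ip))
    return str(ipaddress.IPv4Address(addr & ~((1 << bits) - 1) & 0xFFFFFFFF))

def apply_policy(record, nine_month_bits=7):
    """Model of the two-stage policy the article describes: after nine months
    only some IP bits change and the cookie stays; after 18 months the last
    eight bits go and the cookie is changed as well."""
    rec = dict(record)
    if rec["days_old"] >= EIGHTEEN_MONTHS:
        rec["ip"], rec["cookie"] = mask_ip(rec["ip"], 8), REDACTED
    elif rec["days_old"] >= NINE_MONTHS:
        rec["ip"] = mask_ip(rec["ip"], nine_month_bits)
    return rec

def relink(log, nine_month_bits=7):
    """Undo the nine-month masking: group rows by cookie, take the full IP
    from any row still younger than nine months, and attribute masked rows
    whose prefix matches it. Returns {query: recovered_ip}."""
    by_cookie = defaultdict(list)
    for rec in log:
        by_cookie[rec["cookie"]].append(rec)
    recovered = {}
    for cookie, recs in by_cookie.items():
        if cookie == REDACTED:
            continue   # 18-month rows: cookie changed, nothing to join on
        fresh = [r["ip"] for r in recs if r["days_old"] < NINE_MONTHS]
        if not fresh:
            continue
        full_ip = fresh[0]
        for r in recs:
            if r["days_old"] >= NINE_MONTHS and r["ip"] == mask_ip(full_ip, nine_month_bits):
                recovered[r["query"]] = full_ip
    return recovered

def demo(log=SAMPLE_LOG):
    anonymized = [apply_policy(r) for r in log]
    return anonymized, relink(anonymized)
```

Only the row that also had its cookie changed (the 18-month rule) stays unlinked, which is the point: masking IP bits alone does nothing while a stable cookie identifier survives in the same log.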
Google's policy is a cynical one, he charged, saying the company is simply relying on the technological ignorance of the mainstream and technology press to believe its "worthless" new policy is real change.