Yahoo! Not-So-Much-Privacy Policy

Yahoo! has revised its Privacy Policy. Instead of holding user search and other data for 90 days, it will hold it for 18 months. And then it will not delete it but will just “anonymize” it — something we know doesn’t work very well.

Why move to a so-much-more-evil policy? The stated reason is:

To meet the needs of our consumers for innovation, personalization and relevance, Yahoo! is moving to align our log file data retention policy closer to the competitive norm across the industry.

Is 18 months really closer to the “competitive norm across the industry”? Not if you define the industry to include more than the US: In Europe, the law requires ‘anonymization’ after six months. In the US, Google anonymizes IP addresses after 9 months and cookies in search engine logs after 18 months. The EU is not happy about this.

Yahoo! Data Retention FAQ:

Q: Why is Yahoo! changing its user log data retention policy?
A: To meet the needs of our consumers for innovation, personalization and relevance, Yahoo! is moving to align our log file data retention policy closer to the competitive norm across the industry. Once the new policy goes into effect, we will no longer apply a 90-day retention policy to raw search logs or other log file data and will instead hold raw search log files for 18 months prior to anonymization. As for non-search data, we will be removing the current 90-day retention period for these log files as we re-examine the right policy going forward that allows us to meet consumer demand for richer, more deeply personal experiences in our products.

Q: What is Yahoo!’s updated user log data retention policy?
A: Yahoo!’s new policy will be to de-identify search log data within 18 months of collection with limited exceptions to meet legal obligations. For other, non-search log data we collect, that data will be retained for a longer period in order to power innovative product development, provide personalized experiences, and better enable our security systems to detect and defend against fraudulent activity.

Q: When will the updated policy go into effect?
A: Yahoo! is providing advanced notice to our users of our intention to change our log file data retention policy. Yahoo! is rolling out notifications across Yahoo! to help ensure that we have given appropriate notice to our consumers of this change in our policy. Thirty days after we have completed these notifications, we will put the new policy into effect. We expect this will occur sometime in mid-to-late August.

Q: Does this change the data retention period for data collected prior to the update?
A: No – Yahoo! will only apply the updated retention period to data collected AFTER the updated policy goes into effect.

I see that the original announcement was in April. I guess I just don’t use Yahoo! much — and here’s one more reason not to.


One Response to Yahoo! Not-So-Much-Privacy Policy

  1. Vic says:

    I would presume that the real issue behind such logs is not that they exist per se, but that they are subsequently USED by someone other than Yahoo (i.e. Yahoo turns them over for an official investigation of some sort, Yahoo sells the info to a vendor so they can target ads at you, etc.)

    Assuming that’s true, do you have a problem with such retention if (and only if) Yahoo uses the data solely between you and Yahoo, or perhaps to help define and tweak its search algorithms? (i.e. it never reaches a 3rd party)

    Is it your assumption that even if the paragraph above is true in intent, that in practice so long as ANYONE knows that data might exist, they (law enforcement, hackers, whomever) will try to get at it – that it represents too big of a lure?
