The Washington Post reports today that Yahoo! has changed its data retention policy to anonymize user behavior information after 3 months, rather than its previous, much lengthier retention window of 13 months.
This move by Yahoo! is likely in response to both consumer demand for greater privacy protection and pressure from government regulators both in the US and in the EU. Google & Microsoft have recently tightened their own retention policies recently after experiencing similar pressure.
Yahoo! and other search companies may be experiencing pressure of a different kind under the Obama administration. Eric Holder, the President-elect’s nominee for Attorney General, has stated publicly that he believes existing privacy laws may have to change to accommodate law enforcement needs:
In some cases, changes to privacy laws may be required to recognize the new technological reality we now confront.
Speaking on data-retention specifically, in the same memo Holder said that:
Certain data must be retained by ISPs for reasonable periods of time so that it can be accessible to law enforcement.
These statements suggest that Holder may be in favor of a mandatory minimum length of time for companies to retain data, rather than mandatory maximums. This puts search engines, ISPs, and other web-based companies in the awkward position of trying to please two sets of regulators with completely opposite goals.
The average web user has reason for concern. Under the Obama administration, anonymous use of many sites may be impossible should the Justice Department’s policies reflect Mr. Holder’s past public statements.
As I’ve said before, Mr. Holder has been a vocal critic of Bush administration privacy-destroying policies like the NSA wiretapping program and the PATRIOT Act. That’s reason for hope, but given Mr. Holder’s record on this issue, that hope shouldn’t be a great one.
Ideally, data retention policies should be a matter for web companies and consumers to decide. For some, the increased usability that data retention offers, such as customized search results, may be worth the risk to their privacy. For others, as short a window as possible or even immediate deletion of data would be preferable. Unfortunately, it seems that this question wont’ be settled through competition in the free market, but instead though competition between regulators. That competition may ultimately decide not only a national data retention policy, but an international one, considering the regulatory power that the EU has over many companies in the web services market.
On the bright side, it’s good that Yahoo! is doing what it can to shelter consumers from government harm, this may make up for its past privacy sins.