Privacy screw tightened at Microsoft, Yahoo!

The major search engines are racing to outdo each other in updating their data retention policies in an attempt to assuage concerns that they keep consumer search data too long.

The latest to go public with their moves are Microsoft and Yahoo!.

Microsoft and Ask.com are also proposing an industry effort to create voluntary standards for protecting consumer privacy with search and online ads, a move that is probably spurred by Google's plan to acquire a leader in the online ad market.

Microsoft is today set to announce plans to permanently remove the IP address and other identifying data associated with web searches after 18 months unless the searcher wants the information stored for longer. The company will also store search terms separately from account information that personally identifies a user, such as name, email address and phone number, gathered as part of other Microsoft services.

In addition, Microsoft is promising it will give people the ability to opt out of behavioural ad targeting it offers on third-party websites and it will allow people to search and surf its sites without being associated with a personal and unique identifier used for such ad targeting.

Meanwhile, Yahoo! is vowing to remove portions of IP addresses and personally identifiable cookie IDs within 13 months except when users want the data retained for longer or when the company is required to retain it for law enforcement or legal processes, said a spokesman.

Cookies are small files stored on a computer so that the computer can be recognised when it revisits websites, enabling the site to remember the user's preferences for things such as ecommerce and sites that require a login.

The news comes days after changes at Ask and Google. Last week, Ask said it would allow people to search anonymously and would not retain a user's web search history at all if the searcher didn't want it to. Searchers will be able to change their preferences using a new AskEraser tool, which will reside on the Ask servers and will work with all the major operating systems. Ask said it will retain the search log data for 18 months for people who don't want to be anonymous and then it will disassociate the search terms from the IP address.

Also last week, Google said it would have cookies expire after two years instead of 2038, although for anyone who visits Google even once in the next two years, the cookie expiration date will be extended another two years.

In March, Google said it would start anonymising the final eight bits of the IP address and the cookie data after somewhere between 18 months and 24 months, unless legally required to retain the data for longer. That would make it much harder to identify the specific computers used for searches.

The risks associated with retaining search data were illustrated last year when AOL inadvertently exposed the searches of more than 650,000 users. The New York Times was able to discover the identity of at least one of the users, highlighting the risks associated with retaining search data logs.

Ask and Microsoft also said they would work together and are asking other companies and organisations to join them in creating industry guidelines for protecting consumer privacy in the areas of search and online advertising. They said they would provide an update on the effort in September.

Brendon Lynch, director of privacy strategy at Microsoft, said: "It's a topical area right now… We believe privacy is a very important aspect for our business going forward."

The Yahoo! spokesman said, without elaborating: "We're certainly open to having conversations about technical issues but we don't think this is the right time to participate in that."

A Google spokeswoman provided this statement: "Our goal is to improve privacy protection and data security for all internet users by continuing to innovate in the area of privacy."

Elinor Mills writes for CNET News.com