Microsoft, Marlinspike threaten Google data gathering policy

Microsoft's chief privacy officer, Peter Cullen, announced that over the next 12–18 months, the company would slash the retention time for users' IP addresses on its Bing search engine. Currently, it keeps users' IP addresses for 18 months, but anonymizes the data immediately. In the future, it will delete the anonymized addresses after six months. This is an important development, because both Microsoft and Google keep users' cookie data for 18 months.

Privacy experts have alleged that even with anonymized user data, where bits of the IP address are changed or deleted, it is still relatively easy to correlate those addresses with user cookies to get a lock on a search engine query author's identity.
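To illustrate the experts' point, the following Python sketch is an added example, not code from the article or from either company. The truncation scheme (zeroing the last octet), the field names and the log records are all constructed assumptions. It shows that a user's queries stay linked as long as a cookie ID is stored next to the truncated address, and only blend with other users' queries once the cookie is dropped as well.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log: (cookie_id, source_ip, query). Not real data.
RAW_LOG = [
    ("c-1001", "198.51.100.23", "flu symptoms"),
    ("c-1001", "198.51.100.23", "clinics near elm street"),
    ("c-2002", "198.51.100.77", "cheap flights"),
    ("c-1001", "203.0.113.9", "divorce lawyer"),
    ("c-3003", "203.0.113.40", "weather"),
]

def truncate_ip(ip, keep_bits=24):
    """Zero the low bits of an IPv4 address (assumed anonymization scheme)."""
    net = ipaddress.ip_network(f"{ip}/{keep_bits}", strict=False)
    return str(net.network_address)

def anonymize(log, keep_bits=24, drop_cookie=False):
    """Return the records as they would be stored after anonymization."""
    return [
        (None if drop_cookie else cookie, truncate_ip(ip, keep_bits), query)
        for cookie, ip, query in log
    ]

def linkable_profiles(stored_log):
    """Group stored queries by the most specific identifier that survives."""
    profiles = defaultdict(list)
    for cookie, ip, query in stored_log:
        key = cookie if cookie is not None else ip
        profiles[key].append(query)
    return dict(profiles)

if __name__ == "__main__":
    for drop in (False, True):
        label = "cookie dropped" if drop else "cookie kept"
        print(label)
        stored = anonymize(RAW_LOG, drop_cookie=drop)
        for key, queries in linkable_profiles(stored).items():
            print(f"  {key}: {queries}")
```

With the cookie kept, all three of the first user's queries form one profile even though they came from two different networks; with it dropped, they fall into two /24 buckets shared with other users.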

Google changed its data retention policy in 2008 after considerable pressure from Europe's Article 29 Working Group. The company now anonymizes IP addresses only after keeping them for nine months, and Google doesn't have a policy on deleting the addresses permanently. It also retains cookies for 18 months.

In separate news, Moxie Marlinspike, author of the WPA Cracker wireless password cracking service, announced a service called Google Sharing. Consisting of a Firefox add-on and a proxy server, the service reroutes Google queries via the proxy server. The proxy then forwards the query, stripped of all identifying information, to Google, using a session initiated by the proxy.

"The response is proxied back to you", explains the service's web site. "Your next request will get a different identity, and the one you were using before will be assigned to someone else. By 'sharing' these identities, all of our traffic gets mixed together and is very difficult to analyze."

The Google Sharing service also injects fake search queries into the information stream to further obfuscate users' searches, and as a bonus, it automatically communicates in HTTPS with the client, so that, for example, traffic cannot be sniffed by local users on a public network.

The obfuscation service will not work for Google account-based services, such as Gmail and Google Docs. However, it will stop Google's analytics service from tracking surfers' visits online – something that it currently does for participating sites even if a web surfer doesn't find that site via Google's search engine.
