Yahoo Retains User Information for Three Years (Google is Even Worse)
I finally cancelled my Yahoo account this week mainly because I never used it and also because it would just be one less entry about me in a database. After I cancelled it, I got a confirmation email stating that my account data would be deleted in 90 days. I think this is normal for an online business and they are honest about their data retention policies, unlike Google whose privacy policy says that they can collect any information they want and use it any way they want. The scary part about Yahoo’s email to me however, was the data retention on Premium Yahoo Finance accounts.
** This is only a notification. You do NOT need to respond. **
This email is to confirm that your Yahoo! account, “[removed]”
has been recently terminated per your request. Your account
has been deactivated and will be deleted from our user registration
database in approximately 90 days. This delay is necessary to
discourage users from engaging in fraudulent activity. To satisfy
terms agreed to in the Yahoo! Finance Terms of Service, personal
information for users subscribed to Yahoo! Finance Premium
Services will be kept by Yahoo! for at least 3 years after the
subscription date.
If you did not request this action please reply to this message.
Thank you for using Yahoo!. You can always sign up for a new
account by clicking on any “Sign In” or “Sign Me Up” link
appearing on the front page of most Yahoo! Services.
It sounds to me like this is something they put in an old privacy policy and now have to adhere to, but three years is a very long time to retain data on a cancelled account. Perhaps somebody else knows why this is so long and would like to comment on it?
Yahoo’s data retention policies still blow Google’s out of the water, since Google doesn’t have any. According to Google’s main privacy policy that covers all of their services, Google collects “information you provide” as well as any information they can receive from “third parties” about you. Google also gives you a cookie (or multiple cookies) that “uniquely identifies your browser” that store your preferences, your “trends” and your “searches”. When you visit any Google site (or visit a site with a Google ad on it), they record any “information that your browser sends” which includes your “web request”, “internet protocol address”, “browser type”, “browser language”, the “date and time of your request”, and your “cookies”. If you contact Google, they will “retain those communications in order to process your inquiries”, but they don’t specify how long they retain that information. Additionally, if you visit any of Google’s “affiliated sites”, “personal information that you provide to those sites may be sent to Google”. Those sites may even collect and retain more information and then give it to Google, bypassing Google’s own privacy policy because “the affiliated sites may have different privacy practices and we encourage you to read their privacy policies”. Additionally, Google may “present links in a format that enables us to keep track of whether these links have been followed”.
Google say they may use your data for a number of reasons including “providing our products and services to users, including the display of customized content and advertising”, which covers everything they could ever want to do with data. It also indicates that advertisers have some access to your data.
Google also likes to share your data with “our subsidiaries, affiliated companies or other trusted businesses or persons for the purpose of processing personal information on our behalf”.
One interesting thing is that Google makes a “good faith effort” to “delete such data [personal information] at your request”. It could be that a nice letter to Google would remove you from their databases, but they’ve already shared it with all of their business partners. Because Google is registered with the U.S. Department of Commerce’s safe harbor program, they are also subject to some other rules. For instance if Google holds any data on you, such as if you have ever used their search engine, they are obligated to grant you “access to personal information about them [you] that an organization holds and be able to correct, amend, or delete that information where it is inaccurate”
So what exactly do Google and their friends know about their users?
If you use Gmail, Google knows who you contact, what you say to those people, how often you speak to them, which products/services you use that send you emails, which marketing/mailing lists you are on, and what your interests are. Examples like this are your Facebook account, what people write on your wall, etc.
If you use Google Calendar, or receive information about events through your email, Google knows what locations/events you frequent and with whom you do so as well as the locations of those events. This can easily be used to find out where you are at any given time.
If you use Google Search, Google knows what you look for online, what your interests are, what sites you visit, and what kind of research you do.
If you use any site that has Google ads on it or uses Google’s webmaster tools service, Google knows you have been to that site, how long you have been at that site, how frequently you visit that site, what pages on that site you visit, and therefore your account name on that site.
If you use Google Checkout, Google knows what products/services you buy, your credit card numbers, your mailing address, your telephone number, your real name, and your credit history.
If you use Google Desktop, Google knows every single file on your computer, what programs you have installed, what documents you have and what is inside of them, and when you are physically at your computer.
If you use Google Maps/Directions, Google knows where you go and when you go there.
If you use Google/Picasa, Google knows all of your pictures, when they were taken, which camera they were taken with, and who has looked at those pictures.
If you use Google Talk, Google knows who you talk with and what you say to them including your interests, plans to meet with that individual, and all of your other IM accounts that you have configured Google Talk to use.
If you use Google Web Accelerator/Google Toolbar, Google knows which sites you visit, how long you visit them, and which pages you visit. They also have access to all of your web traffic.
If you use Blogger, Google knows every single blog post you made and what you put in it as well as information on all of the peope who read your blog.
If you use Google Docs, Google knows your documents, who created them, who has looked at them (if that information is stored in the metadata), etc.
If you visit any sites that use Feedburner, Google knows you visited that site, how long you visited that site, what pages you viewed and how long you viewed them for.
If you use Feedburner/Google Reader, Google knows that you visit those sites and how much time you put into reading information on them.
If you use Orkut, Google knows all the information you provide to it such as who your friends are, who you associate with and what you say to those people, what your interests are, etc.
If you use Google Pages, Google knows all the content on your website, who looks at it, for how long, and where they look.
If you use YouTube/Google Video, Google knows which videos you watch, which channels you subscribe to, how long you watch each video, which videos you have uploaded, who your friends are on those services, etc.
If you use Google Code, Google knows who has downloaded your software and how often they update it.
If you use Google Book Search, Google knows which books you read and therfore your interests, etc.
If you use Google Finance, Google knows which companies you are interested in, and possibly which ones you invest in.
If you use Google Groups or any of the groups that they aggregate, Google knows all the emails you have posted to those groups, who you associate with on those groups, your interests, etc.
If you use GOOG-411, Google knows what businesses you lookup and your phone number
Every time you access one of Google’s services, they know where you accessed it from, how long you accessed it, and why you accessed it, making it possible to track your every move. Their databases know what your interests are, who you associate with, what you do in your spare time, where you go and how long you stay there, what your phone number is, what your credit card number is, what products/services you buy, what things you publish on the web, and everything anybody could ever want to know about you. It’s incredibly scary, and I’ve been getting off the Google train for some time now. If you must use Google’s services, use them behind a proxy such as Tor, delete your cookies regularly, and get a Firefox extension such as Adblock Plus so they can’t track you on “affiliate” sites. It might prove useful to have multiple identities on Google so that it’s less difficult for them to figure out who you are but the minute they have one piece of information that connects them all such as your IP address or credit card number, you’ll have to start over again.
Does anybody have any suggestions for alternatives to the above Google Services that will keep your personal information out of their hands and the hands of other information conglomerates?
Here are the ones I have come up with so far:
Google Calendar Mozilla Lightning or Sunbird
Google Search Cuil YaCy
Google’s Webmaster Tools Service Webalizer Analog Scroogle
Google Checkout
Google Desktop
Google Maps/Directions/Transit/Ride Finder
Google/Picasa
Google Talk Jabber
Google Web Accelerator/Google Toolbar
Blogger Wordpress
Google Docs
Feedburner Thunderbird
Orkut
Google Pages
YouTube/Google Video
Google Code Sourceforge
Google Book Search
Google Finance
Google Groups
1-800-GOOG-411
Comments
Comment from Anonymous
Time August 7, 2008 at 9:36 am
That plugin looks pretty good, but why don’t you use use Tor (torproject.org) or something like that? Poisoning databases is an effective tactic though because it makes them less profitable, causing companies to spend less money tracking users. I could see this being really effective against DMM (direct mail marketing)
Fight the brother!
Comment from Vince
Time August 7, 2008 at 2:40 pm
If you’re anonym you can’t take advantage of personalized services like personalized searches. The concept of the extension is to let the user decide which kind of personalization he wants. I don’t bother if Google knows my favorite football team. Actually I might be interested by personalized ads about stadium tickets. On the other hand, I consider politic and religion as sensitive topics so I want to prevent Google from inferring my religion and my political opinion.
Plus, we may imagine than someday Google will ban users using TOR while data pollution might be hard to detect (if correctly configured).
Furthermore, many users are always logged on their Gmail account. For them TOR is useless. There are also several issue with TOR. Despite many efforts (like the Tor Button which is great), it is not yet user friendly and I don’t think that average users can use it in an appropriate way.
Finally there is the problem of exit nodes that may not be trustworthy (see : http://www.cs.washington.edu/homes/yoshi/papers/Tor/PETS2008_37.pdf)
Pingback from Handbook Revolutionary » How To Write A Good Privacy Policy: Lessons From Colorado Indymedia
Time September 24, 2008 at 12:26 pm
[...] They claim that some policies require a PhD to read, and they’re absolutely right. I recently did an analysis of Google’s privacy policy, which was an all-day project for somebody who knows the law [...]
Comment from Vince
Time August 7, 2008 at 9:32 am
Notice that they always refer to « personal information » and « user data », but they never mention the data they infer from data-mining. They may consider that these data does not belong to users. I don’t even know if there is legislation about these data.
An alternative solution to protect your privacy is to pollute the data Google records. For instance, you can generate fake searches to deceive Google (or Yahoo!). I’m developing a FF extension to do that (https://addons.mozilla.org/en-US/firefox/addon/5986).