Bing blogs

This is a place devoted to giving you deeper insight
into the news, trends, people and technology behind Bing.

Search Blog

January
20

Privacy and MSN Search

There’s been quite a frenzy of speculation over the past 24 hours regarding the request by the government for some data in relation to a child online protection lawsuit.  Obviously both privacy and child protection are both super important topics – so I’m glad this discussion is happening.

Some facts have been reported, but mostly I’ve seen a ton of speculation reported as facts.   I wanted to use this blog post to clarify some facts and to share with you what we are thinking here at MSN Search.

Let me start with this core principle statement: privacy of our customers is non-negotiable and something worth fighting to protect.

Now, on to the specifics.  

Over the summer we were subpoenaed by the DOJ regarding a lawsuit.  The subpoena requested that we produce data from our search service. We worked hard to scope the request to something that would be consistent with this principle.  The applicable parties to the case received this data, and  the parties agreed that the information specific to this case would remain confidential.  Specifically, we produced a random sample of pages from our index and some aggregated query logs that listed queries and how often they occurred.  Absolutely no personal data was involved.

With this data you:

        CAN see how frequently some query terms occurred.
        CANNOT look up an IP and see what they queried
        CANNOT look for users who queried for both “TERM A” and “TERM B”.

At MSN Search, we have strict guidelines in place to protect the privacy of our customers data, and I think you’ll agree that privacy was fully protected.  We tried to strike the right balance in a very sensitive matter.

Now that you have more information, you can be the judge.
 

Ken Moss
General Manager – MSN Web Search

Comments

  • I don't agree at all that privacy has been protected in this case.

    What if people are querying private and personally identifying information? I do it all the time. I would hate the idea of those private queries becoming public.

    What if on the basis of the results you have given them, they subpoeana you to produce IP details of specific queries that they find questionable?

    This is a cop out and our privacy has been thrown out of the door and a window opened on our searches for all to see.

    Disgraceful.
  • I'm not clear on Anon's argument - Ken mentions that there were no IP addresses associated with search queries in this example - seems like Microsoft did the right thing.

    Considering many of us connect to the internet with unsecure internet connections, and that I need to query a company's servers just to perform a search, why would I consider my query private? I just agreed to share it with my ISP, the web search provider, and anyone else who has the ability to sniff the bitstream of my internet connection.

    Regardless, it sounds like Microsoft is trying to walk the delicate balance of legal requirements vs. user privacy and made the right tradeoff.
  • Does Heather work for Microsoft? Sounds too self-congratulatory. I agree with Anon. Even if no IP addresses were divulged, people can be querying MSN search to see if certain confidential information has been posted somewhere online; e.g., unlisted phone numbers, social security numbers, home addresses, etc. And, the last thing such a person wants is for that info to be turned over to an unsecure source. Furthermore, certain searches that may include a keyword that may be used to localize a user - e.g., ZIP code, city name, neighborhood name, etc.

    It would seem that if the Feds were scouring for certain porn terms, they could limit their request to certain keywords instead of being able to examine all searches.

    A tradeoff was certainly made, and it wasn't for the benefit of MSN users. As for the assertion that the parties agreed that the information specific to this case would remain confidential, if the government cannot even maintain the identity of its CIA assets confidential...

    Remember, it's all confidential, until it's political.
  • Heather,

    You are firstly assuming that the request from the State Department is a valid in terms of the law. I have so far seen no evidence which convinces me of that, and my understanding is that is specifically why Google have asked a court to test it.

    There is a difference between an ISP having my query data, to that query data being legally within the hands of civil servants and beuarocrats within the US government. The fact that my IP is not shown in the initial dataset is a moot point. It is not difficult to imagine many queries which reveal personal information, not just about the query-maker but about their friends, relatives or enemies.

    A question to MSN search.

    What if the Government believes that some of the queries they are now in posession of, which I assume they would otherwise only have been able to come into posession of via an authorised warrant, are worthy of further investigation?

    Will MSN then release IP and user information? They will if they are compelled to do so as part of any criminal court case. If so, it can be shown that the direct cause of this was the release of the initial query data.

    They have truly let the genie out of the bottle!

    Anon
  • Okay, MSN notices there are 500 hits for "child porn" and 300 hits for "islamic jihad" and issues subpoenas, or better yet a warrant, to obtain the IP address and names of each of the 800 lucky winners whose privacy was destroyed regardless of whether they were Osama Bin Laden and Mr. Pervert or a UCLA Professor doing research on child porn or religious warfare.
  • just a couple of questions

    1) why did not MSFT blog or let the user community know about the DOJ request ??
    2) Why is it that MSFT is telling the community now ??
    3) what will MSFT do in the future to assure use users that they will safe gaurd agaist whims and fancys of the legal hoops ??
  • I think the twenty-something crowd is having a hard time distinguishing what the government wants the data for vs. what they believe the government wants it for.
    The government is not the boogy man and as a parent I appreciate the intent of the DOJ data gathering attempt.
    Most parents would or should agree.
    I appreciate MSNs cooperation with the DOJ. Had Google complied instead of taking what we now see more as a political stance they may not have lost 9 percent of their market cap today.
  • I am going to say one thing to you: If an Indian (or Brazilian, or whatever) company launches a decent search engine and its government publicly promises to respect user privacy I WILL NEVER EVER USE A US-BASED SEARCH ENGINE AGAIN. This is not because you did something wrong in this case, it is because incidents like this make me feel less and less safe disclosing my personal info to any system that is within US jurisdiction. You guys at Microsoft can certainly see the ramifications of this for the US IT industry... sooner or later some country with enough IT expertise will seize the opportunity that our government is slowly but steadily creating for it...
  • AnonMe - please do not assume to talk for any parent other than yourself. In my case, you certainly do not. I on the other hand don't assume I speak for anyone buy myself.

    There used to be a great thing in the United States that worked pretty well. It was called "personal responsibility". A party called the Republican party *used* to believe in things like small government, libery, freedom of the individual, etc. That is until the party got hi-jacked.

    In this case personal responsibility means things like -

    - ensuring the PC is in a family room
    - using family-safe filter software
    - teaching my kids about safe internet usage

    I don't believe for a second that anyone who understands the problem, the technology and the government *honestly* believes that this request will lead to a safer Internet.

    Please explain how this dataset will be used, the actions that will be taken, and how you believe the Internet will be "safer for kids" as a result.

    As for the market cap issue... That's a non-starter. Perhaps you haven't been keeping up to date with the Yahoo results or the movements on the Nikkei index?
  • As a 40 something parent I have to take issue with an earlier comment about the 20 somethings being more than a little paranoid about what the government wants. The constitution specifically prevents the govenernment from "fishing" for information so that they can find out if something is up. As a subsequent poster noted, it is entirely possible for this information to be used to issue subsequent supoenas. Why not let the FBI into everyone's house to have a look around? Supposedly were all on the up-and-up and they want to protect us - don't they?

    Additional security always comes at a price. Personally, I am not sure who I have more reason to be worried about, the terrorists or uncle sam.
  • Regarding: "a random sample of pages from our index and some aggregated query logs that listed queries and how often they occurred."

    Can you say

    1) How many pages?

    2) How many queries?
  • Here's what I want to know, on a technical level:

    Does MSN Search actually record IPs with each search string? In other words, is there any sort of electronic or paper trail for each search that ever could be subpoenaed? Because whether or not that information is requested in this subpoena, if it is available at all, there's a chance that it someday could be requested, and that's a nightmare waiting to happen.

    I realize that IP information is technically available any time one machine sends info to another, but the question here is specifically about whether MSN Search records that information in any way. If it doesn't, I'll be a lot more comfortable with the assurances given that no-one's privacy is in danger of being invaded.
  • Another wonderful thought: MSN also knows which results you clicked on (like nearly all search engines they track click-throughs to improve their algorithms).

    So now not only can those searches you performed get subpoeaned on the basis of the information now in Uncle Sam's hands... But he can potentially see which sites took your fancy, too. In fact since he got what he wanted the first time what's to stop him coming back for a bigger bite?

    This is the biggest public relations coup that Google could ever have hoped for. Not only does it make Google look good it makes Yahoo and MSN look terrible. The impression now is that their users's privacy doesn't matter, whether or not that was their intention.
  • Not only do they keep your IP. They keep ALL of your searches and more. What's more they can link it all directly to YOU. Check out google-watch for more info:

    http://www.google-watch.org/gcook.html

    The whole point is to build statistical models of you. On some level they probably know you better than you know yourself!
  • Microsoft were always going to comply. Ever since the DOJ (tail) changed Microsoft from being important to impotent, Microsoft (Dog) has never had the same bark or bite in the market. Like a trained government puppy they were always going to rollover.

    This whole FBI question goes to the heart of the issues raised by Steve Gilmore concerning digital identity and "attention clickstreams".

    Who's data is it anyway? Mine or theirs? Google has made a lot of money from selling MY clickstream to advertisiers in exchange for a free search engine which is why MSN is so keen to get into the search advertising game now.

    But has anyone here ever really read the license agreement and privacy policy for Google, Yahoo or MSN? Can I request that they delete my history file? (clickstream from their records)

    To make matters worse has anyone here ever downloaded their respective desktop search tools? Again the clickstream data from the desktop search is certainly upload by Google and stated clearly in their policy agreement which I am sure you all read before installing the application.

    I am now checking the policies for MSN and Yahoo but expect to find the same (lack of) privacy policy.

    What next - will the FBI ask Amazon what books I have bought just in case I bought something they deem is not suitable reading or will they ask Ebay what items I wanted to buy or sell or ask Expedia what holiday destinations I wanted to look at etc etc.

    So the next time we complain that the Chinese government violates its citizens rights by resticting their internet access, remember this as the day we lost our privacy. 1984?