Keep Your Internet Searches Private

Internet users were shocked to learn that the search queries of over 600,000 individuals were exposed online by AOL recently. Although the personal names of AOL users had been replaced with numbers, apparently for a research project, reporters and others were able to determine the identities of several people. Search terms revealed medical conditions, illegal activities, illicit interests, financial information, even Social Security numbers.


The retention of search logs is a common practice of search engine companies, not only AOL, but also the other major services such as Google, MSN, Ask, and Yahoo. But a little-known search engine has made a name for itself by bucking the trend.


Ixquick, a search engine based in the Netherlands, promises it will permanently delete all users’ personal search details from its log files.  With this privacy policy, established in June 2006, Ixquick stands heads taller than its peers.


To date, the other search engines store users’ search details for at least some time.  Google, which is preferred by just under half of all users, stores search data indefinitely.  Other popular search engines, including MSN, Ask, and Yahoo  also have policies indicating that they store user data for an undefined period of time.  


When AOL released Internet search histories, the public realized that the search terms entered could tell a lot about the searcher.  At least two user’s identities were revealed through search terms alone.  The Washington Post reports that at least 190 users had entered their Social Security number into AOL’s search engine.


Ixquick will delete a user’s IP address and has designed a cookie that will not identify an individual user.  It says deletes all personal information within 48 hours.


Switching to Ixquick does not mean you have to give up the other search engines.  Ixquick is a metasearch engine, which means that it returns the top-ten results from multiple other search engines. It uses a star system to rank its results -- by awarding one star for every result that has been returned from another search engine. Thereby, the top search results are the ones that have been returned from the maximum number of search engines.


The AOL situation is just the latest example of why data retention policies are a privacy risk for consumers.  In December 2005, the U.S. government wanted data to support its proposed child pornography law.  To get the necessary data, the government issued subpoenas to Google, Microsoft, Yahoo, and AOL asking for search histories and IP addresses.  Google fought the subpoena, but eventually had to turn over Web site addresses that were returned by searches.


At the time, the other search engines, which complied with the subpoena, claimed that no personal information was released by handing over the search histories to the government. The recent AOL incident shows how empty those statements were.


What’s the lesson to be learned from this privacy meltdown? Relying on a search engine’s promise not to reveal your information may not protect your personal information.  The best solution is to use online services that minimize data retention.  If a search engine has no data, then a subpoena for personal search information is useless.


You can search the Internet in private at


At least two complaints have been filed with the Federal Trade Commission about AOL’s disclosure of search terms:

  1. Complaint of the World Privacy Forum (WPF),
  2. Complaint of the Electronic Frontier Foundation,

For tips on search engine privacy, read the WPF’s guide: