Google is to give users privacy, by anonymising its search logs after two years - unless the law demands otherwise.

Up to now Google has retained a record of every search, with a log that can associate it with an individual PC. Under a policy announced yesterday, Google will keep full details of all user searches, but will make them anonymous after they have been kept for 18-to-24 months. The policy will be implemented within the next year, and is intended to protect searchers' privacy, according to a Google Blog entry.

Privacy advocates have raised alarms over search providers retaining data about users' activities. They fear that such data could be used by law enforcement agencies or fall into the hands of hackers.

Under the new policy, unless Google is legally required to retain the information, server logs will be "anonymised" after 18-to-24 months so they can't be identified with individual users. The blog was written by Peter Fleischer, Google's privacy counsel for Europe, and Nicole Wong, the company's deputy general counsel. Engineers are working out the technical details now.

Google says it keeps server logs "so it can improve services and protect them from abuse and security threats". Each search record includes the query, IP (Internet Protocol) addresses and cookie details.

The Mountain View, California, company instigated the move on its own after talking to "leading privacy stakeholders" in Europe and the US, the blog entry said. Data-retention laws may force the company to retain logs for a longer time, it said.

Two high-tech civil rights groups called the move a good first step, but warned that more work needs to be done.

"This is a big step in the right direction," said Ari Schwartz, deputy director of the Center for Democracy and Technology, in a written statement.

"Keeping the data around forever significantly compromises (Google's) users' privacy," said Kevin Bankston, [cq] a staff attorney at the Electronic Frontier Foundation, in San Francisco. The US government probably has subpoenaed search log data on individuals in criminal investigations, a move it wouldn't necessarily have to reveal, he said. Another danger is that an angry spouse or business partner could obtain the information in the course of a lawsuit, Bankston said.

"We'd love to see a shorter retention period and more complete anonymisation," Bankston said. Google should also extend the policy to its other products, which include Gmail, Google Calendar, Google Maps and other web-based tools.

Other major search providers, such as Yahoo and MSN, haven't even revealed as much as Google has about what they do with server logs, Bankston said.

AOL LLC last year posted on its research website about 20 million [m] search records from about 658,000 of its members. Each user was identified by a unique number. The move created a scandal that toppled AOL's chief technology officer and two other employees. Users later sued, asking a court to order the company to stop saving the records.

Bankston believes Google has a better method of anonymising records but said AOL does so after just 30 days. Still, Google could adopt a better technique, such as removing the associated IP address altogether, he said.