Privacy
None of the queries in the Google database for this project can be associated with a particular individual. The database retains no information about the identity, internet protocol (IP) address, or specific physical location of any user. Furthermore, any original web search logs older than 9 months are being made anonymous in accordance with Google’s privacy policy (http://www.google.com/privacypolicy.html).

As I read that, there’s a 9-month window during which health queries could potentially be re-identified should a governmental agency detect an outlier or want additional data and obtain a subpoena for logs.

Nor do I see any explanation of how they anonymize logs. Have you read any methodology or explanation that would enable you to evaluate whether their anonymization procedures are effective and reliable? Remember the AOL debacle over “anonymized” logs.

You’re right that on some level, this is nothing new, but it becomes of even greater concern when we consider mental illness, HIV, or other conditions that if the individual were identified, could result in stigma or job loss or discrimination. Expansion into health trends by a company that collects identifiable information and is not bound by HIPAA or medical confidentiality warrants some conversation and consideration.

I’ve sent Google an inquiry about the potential for re-identification during a 9-month window. If/when I get a response, I will post it to my blog.

Bottom line: although I, too, have disagreed with some of PPR’s positions at times, that doesn’t mean that the questions raised about this tool — and, more importantly to me, its potential applications — are stunts. Better we should deal with these issues in a more transparent and effective privacy-protecting manner now than deal with a potential privacy problem later.