Private Search Policy
Last Updated: August 2021
- Private Search Implementation
“Private Search” Implementations refer to any Implementation that is marketed to end-users as one incorporating or offering privacy-enabling features.
- A “privacy-enabling feature” refers to a technology or tool that enables, facilitates, or enhances a user’s privacy.
- Privacy-enabling initiatives and practices are not considered a “privacy-enabling feature” without an underlying technology. Publisher’s initiatives or practices around managing, storing, sharing, or giving access to data are not “privacy-enabling features,” regardless of how those practices are described to Publisher’s users. For example, a commitment to not share data with third parties is not a “privacy-enabling feature.”
- Illustrative examples of qualifying “privacy-enabling features” are set forth in Appendix 1 to this policy.
- All Private Search Implementations must be reviewed and approved directly by Search Provider (and not by Publisher) prior to distribution.
- Implementation Requirements
Each Private Search Implementation must pass back to Search Provider and its Search Services provider(s) all data and information required by Search Provider, including the full user IP address and user agent for each Query.
- All privacy-related claims and representations made to users in connection with a Private Search Implementation (including all marketing materials, ad copies, messaging at the point of distribution, and all other communications to its users) must be consistent with the terms of such Private Search Implementation’s publicly-posted privacy policy and must be presented to the user in a clear and unambiguous manner.
- Each Private Search Implementation’s publicly-posted privacy policy must (1) accurately reflect its privacy practices, (2) directly name and reference the privacy-enabling feature, and (3) accurately identify its data collection practices, including all user data that will be transmitted in connection with such Private Search Implementation to Search Provider and/or Search Provider’s Search Services provider(s).
- All Private Search Implementations must comply with Search Provider’s Policies.
- Private Search Implementations must not be marketed or portrayed as a means for accessing or interacting with illegal or nefarious content, or otherwise circumventing the law. This prohibition includes any marketing of the privacy-enabling feature of a Private Search Implementation as a means to circumvent government oversight or to privately access disallowed or illegal content.
- Publisher (and, if applicable, Publisher’s Syndication Partners) must not make any representations or claims that Search Provider or its Search Services provider(s) offers some form of private searching, or that its privacy-enabling feature extends to searches and results that are powered or provided by Search Provider or Search Provider’s Search Services provider(s).
- IP Obfuscation
Except as expressly approved in writing by Search Provider and set forth in the Agreement, Publisher is prohibited from obfuscating user IP addresses.
Appendix 1 Examples of Privacy-Enabling Features
The examples below are for illustrative purposes only and should not be construed as a list of pre-approved privacy-enabling features.
- Data Storage in Notary Server
- Description: A feature through which all user data, such as IP address, is directly captured by and stored in a notary server and is never relayed or stored in a Publisher-operated server. Search Provider and/or Search Provider’s Search Services provider(s) receives requests for Results from the notary server. In submitting the request, the notary server passes the full IP address and user agent to Search Provider and/or Search Provider’s Search Services provider(s). After 96 hours, Search Provider and/or Search Provider’s Search Services provider(s) obfuscates the last octet of the user’s IP address (view-based IP address only).
- Privacy Benefit: The feature is that user data is routed through and stored in a notary server, to which only authorized notaries have access.
- Separation of Query and IP Address:
- Description: A feature through which Publisher separates the IP address from the query after 96 hours and stores both data points separately in a manner that prevents re-association.
- Privacy Benefit: The feature is that the query can no longer be associated with a specific user after 96 hours.
- Container-Based Searches:
- Description: A product, such as a browser, with a feature that allows users to perform searches within a “contained” tab, preventing cookies and other trackers from interacting with sites open outside of the container. For example, searches performed within the “container” cannot be tracked by or influence content on social media sites that may be open on other tabs within the product. Publisher still passes back the full IP address to Search Provider and/or Search Provider’s Search Services provider(s).
- Privacy Benefit: The feature allows users to keep their searches private from other sites on which they may be authenticated and that may place cookies and other trackers on the users’ activities.
- Bundled Cookie & History Clearing with Transparency Enhancers:
- Description: An application that bundles these two components: 1) a feature that automatically deletes a user’s browsing, search, and cookie history at the close of a search session and 2) a feature that provides privacy-enabling transparency to the user by surfacing analytics trackers, cookies, and other elements placed by websites on a user’s machine.
- Privacy Benefit: The feature allows the users to delete just the search and browsing history related to a search session; their browser’s history does not need to be cleared in full. In addition, the feature provides for increased transparency to the user regarding tracking features, allowing users greater visibility should they choose to manually disable certain trackers.
- Account-Based Privacy Features & Transparency Enhancers:
- Description: An application that bundles these two components:
- allows users to authenticate into the application and perform searches. These searches are then contained within that user’s profile and are not exposed to other users of that device (e.g., a shared PC in a household).
- provides privacy-enabling transparency to the user by surfacing the analytics trackers, cookies, and other elements placed by websites on a user’s machine.
- Privacy Benefit: The feature allows the user to keep their searches private with respect to the shared device that they use. The privacy enabling transparency features allow users to see what is being placed on their machine by websites they visit while in the authenticated application. Through this feature, a user does not have to clear cookies or browsing history at the end of their session and can preserve their search history for their personal visibility.
- Illustrative Use Case: A user is planning a family vacation and does not want their family to see searches on their shared device. The user also does not want to delete history and cookies while planning the trip, so they can come back to previous searches and revisit sites without having to search for them again. This allows the user to “save their progress” searching but does not expose their search history to other users of the device.