Your search terms are highly sensitive and very private. They are also uniquely identifiable. Examining what you search for can reveal deeply personal facts about you, such as your online reading habits, medical history, finances, sexual preferences and political affiliations.

A database of search terms, linked to subscriber accounts, would be a clear violation of the privacy rights of everyone who uses the Internet in Europe.

I’ve written to my MEPs urging them not to sign Written Declaration 29 and to withdraw their signature if they have already signed. You should do the same – it takes two minutes through writetothem.com

Here’s my letter (but, as always, please use your own words for maximum effect).

Dear Timothy Kirkhope, Edward McMillan-Scott, Andrew Brons, Godfrey Bloom, Diana Wallis and Linda McAvan,

Written declaration 29 [pdf] calls on the European Commission to extend the data retention directive (2006/24/EC) to Internet search-engines. If this were to happen all private searches done on Google et al would be monitored. I feel this would be an intolerable violation of article 8 ECHR privacy rights.

Written declaration 29 is being marketed within the European Parliament by using an emotionally-loaded picture of a child and talking about the need to set up an ”early warning system” to combat child abuse. Laudable though that aim is, as a technical expert it’s my opinion that these measures cannot achieve it, and the marketing is therefore misleading. Some MEPs have already said they feel they have been misled into signing the declaration because of the way in which it was presented to them.

If the declaration is adopted the names of the signatories will be made public.

If you have signed written declaration 29 and feel you have been misled I urge you to withdraw your signature.

Christian Engström MEP has published more information on his website.

This kind of security breach is nothing new. In fact it happens on a frequent basis, though the news is often buried by companies fearing a consumer backlash.

These problems will continue to plague users until firms start taking privacy seriously. In practice this will only happen once it makes economic sense for them to invest in better security.

In late April, a US Government identity theft task force recommended federal legislation requiring companies to disclose security breaches that expose private information. The aim is to make failing to protect customer privacy more expensive than burying the problem.

This will work because it incentivises those who are in a position to improve security to take action.

If the recommendations become law, I think we can expect all kinds of interesting privacy innovations from the US market. An example appeared in my RSS reader today, suggesting that companies should appoint a Chief Privacy Officer (CPO) (via SecGuru).

A CPO is responsible for identifying information that should be protected (the “what”); Chief Security Officers (CSO) are then responsible for securing it (the “how”). The two roles complement each other.

In the UK, companies that handle private information are already required to comply with the Data Protection Act 1998. A Data Protection Officer – similar to a CPO – often takes responsibility for this within an organisation. However there are currently no requirements for breaches of privacy to be published, so Data Protection Officers regularly operate reactively, in contrast to the proactive CPO. This is especially true in smaller companies that can’t afford to employ a dedicated person in the role.

In the article, CPO Chris Zolads highlights the growing economic incentives for companies to take seriously the management of private data (or “custodianship”, as he sees it):

“Good privacy is good business. The stakes in this area are constantly getting higher and higher . . . now we’re reading about [data breaches] in major media outlets,” he said. “That’s done a lot for consumer awareness . . . and has raised the consciousness and awareness of our managers. That’s a positive move forward.”

It seems unlikely that laws similar to the US proposal will be passed in the UK anytime soon. Data protection legislation is harmonised across the EU – an organisation that moves more slowly than the landmass on which it sits. However if such laws prove successful abroad, the pressure on industry and the UK Government to act will increase.

I certainly hope that PlusNet take a leaf from this new US book of customer privacy – and that’s a phrase I never thought I’d see myself type!

Cost reductions for the consumer are predicted, but I suspect that in such a competitive market, providers will simply increase charges elsewhere to compensate.

At least in future I won’t have to pay as much to field calls from oblivious work colleagues and inconsiderate salespeople while relaxing on the beach.