Collaborative Search And User Privacy: How Can They Be Reconciled? Thorben Burghardt 1 , Erik Buchmann 1 , Klemens B¨ ohm 1 , and Chris Clifton 2 1 Universit¨at Karlsruhe (TH), IN-F, 76131 Karlsruhe, Germany, {burgthor,buchmann,boehm}@ipd.uka.de 2 Dept. of Computer Science/CERIAS, Purdue University, West Lafayette, IN 47907-2107, USA, clifton@cs.purdue.edu Abstract. Collaborative search engines (CSE) let users pool their re- sources and share their experiences when seeking information on the web. However, when shared, search terms and links clicked reveal user interests, habits, social relations and intentions. In other words, CSE put privacy of users at risk. This seriously limits the proliferation and accep- tance of CSE. To address the problem, we have carried out a qualitative study that identifies the privacy concerns of CSE users. In particular, our study reveals the range and type of concerns when sharing query terms and search results with different social groups, e.g., family mem- bers or colleagues. To control the information shared, the participants of our study have called for anonymity and reciprocity in combination with time- and/or context-dependent conditions. To facilitate the spec- ification of privacy preferences, we define a general policy structure to express privacy needs in the context of CSE. We also give an approach to address the reciprocity condition identified in the study, and we discuss options to anonymize sharing of query terms. Key words: Collaborative Search, Privacy, Policy 1 Introduction Collaborative Search Engines (CSE) enhance web search by sharing query terms, search results and links clicked among users. Examples include I-SPY [1], MUSE and MUST [2], SearchTogether [3] and Fireball LiveSearch [4]. CSE let knowl- edge workers synchronize efforts, provide guidance for inexperienced searchers, and offer Web-2.0-style information on Internet activities of friends/colleagues. So far, collaborative search has been done by hand [5], e.g., by sending emails with search results. CSE are more efficient in this respect. However, as queries and the results clicked can reveal the habits, interests, social relationships and intentions of the searcher [6], CSE are problematic from a privacy perspective. Current CSE either state that any search information will be visible to oth- ers, and/or leave it to the user to manually invite individuals to benefit from a particular piece of information [3]. CSE require that information is shared au- tomatically, or that people can subscribe to information generated by others, in the spirit of friendfeed.com. Acceptance of such an environment will depend on