Consider this graphic from the New York Times, which shows the proliferation of options available in those tools (click chart to link to larger version on original site).

Addles the brain, doesn’t it?

As the Times notes, to opt out of full disclosure of most of their personal information, Facebook users must click through more than 50 privacy buttons, which then require making decisions about more than 170 options.

Facebook describes its privacy tools as “comprehensive and precise,” but that’s poor justification for something so ridiculously convoluted from a company that positions itself as a caretaker of identity.

Little wonder that Facebook is facing a barrage of criticism. As European Union’s Article 29 Working Party said in a scathing letter today, Facebook’s privacy practices are “unacceptable.”

Google has long claimed that the server log data it collects are a critical driver of innovation. Over the years, to appease privacy advocates, the company has tweaked its treatment of those data and the length of time it stores them. Google continues to collect IP addresses, though it makes them anonymous after nine months (it used to do so only after 18-24 months).

This may soon change. And not because of any initiative on Google’s (GOOG) part but because of one by Microsoft (MSFT).

Responding to Article 29 Working Party guidelines for protecting users’ personal data online, Microsoft this morning said its new search engine, Bing, will purge all the data it collects on users after six months. Not make the data anonymous, but purge.

“Today we sent a letter to the Article 29 Working Party notifying them of our intention to make a change to Bing’s data retention policy,” Bing Privacy Manager Reese Solberg wrote in a post to the Bing blog. “Specifically, we are reducing the amount of time we store IP addresses from searchers to 6 months. Currently we keep that information for 18 months before we delete it.”

Elaborating, the letter continues, “Generally, when Bing receives search data we do a few things: first, we take steps to separate your account information (such as email or phone number) from other information (what the query was, for example). Then, after 18 months we take the additional step of deleting the IP address and any other cross session IDs associated with the query.”

In conclusion, the letter describes Microsoft’s initiative succinctly: “Under the new policy, we will continue to take all the steps we applied previously–but now we will remove the IP address completely at 6 months, instead of 18 months.”

Microsoft’s move leaves Google in the uncomfortable position of being far less a friend to privacy than Microsoft. And hard as the company might argue in favor of storing user data, it will likely have to match Microsoft.

It’s difficult to claim that server log data are “a crucial arm in the battle to protect the security of our services against hacks and fraud” when a prominent rival is essentially claiming exactly the opposite.

So it’s reassuring to hear that Google has agreed to cut the time for which it retains users’ personal search data to 18 months from 18 to 24 months. The move is a concession to the Article 29 Working Party, the European Commission’s advisory group on privacy protection, which last month expressed concern over Google’s plan to retain user data for up to two years (PDF). “After considering the Working Party’s concerns, we are announcing a new policy: to anonymize our search server logs after 18 months, rather than the previously established period of 18 to 24 months,” Peter Fleischer, Google’s global privacy counsel explained. “We believe that we can still address our legitimate interests in security, innovation and antifraud efforts with this shorter period. However, we must point out that future data-retention laws may obligate us to raise the retention period to 24 months. We also firmly reject any suggestions that we could meet our legitimate interests in security, innovation and antifraud efforts with any retention period shorter than 18 months.”

Google’s policy change, while certainly a step in the right direction, likely won’t be enough to sate privacy advocates who’ve in the past called for it to scrub user logs in 18 to 24 hours, not months. Still, it’s better than that of Yahoo and Microsoft, which have so far declined to disclose their data-retention policies at all. This begs the question: Why haven’t we heard anything about the Working Party’s letters to those two companies? Insufficient postage for airmail?