Slashdot Mirror

← Back to Stories (view on slashdot.org)

AOL Releases Search Logs of 657,427 Users

Posted by ryuzaki0 on from the give-or-take dept.

An anonymous reader writes "AOL has released the search logs of over 650,000 users for research purposes. This looks like it may become a public relations disaster for AOL, as well as a privacy nightmare for the users involved as Michael Arrington of TechCrunch notes: "AOL has released very private data about its users without their permission. While the AOL username has been changed to a random ID number, the ability to analyze all searches by a single user will often lead people to easily determine who the user is, and what they are up to. The data includes personal names, addresses, social security numbers and everything else someone might type into a search box." This is also being covered on The Paradigm Shift and Oh My News." fantomas adds " Looks like they've just taken it down but it's still available on The Pirate Bay; not sure why but some of the academic researchers are going crazy musing the ethical aspects of letting the world know who's searching for how to kill their wives ..." Update: 08/07 21:32 GMT by T : amromousa writes "AOL is now apologizing for the release ..., calling it a "screw-up," which they're upset and angry about."

17 of 346 comments (clear)

  1. Searching for SSN's?? by StarvingSE · · Score: 4, Interesting

    personal names, addresses, social security numbers and everything else someone might type into a search box.

    Who in their right mind would type their social security number in a search box, in plain text??? I mean, really???

    --
    I got nothin'
    1. Re:Searching for SSN's?? by radarsat1 · · Score: 4, Interesting

      Who in their right mind would type their social security number in a search box, in plain text??? I mean, really???


      Who in their right mind would give their SSN to AOL?
      People really don't understand these issues.. I've this to be true recently when an HR person at my university asked me to send my SSN to her over email. Also, a couple weeks ago I booked a room at a hostel over the internet, and apparently I mistyped my credit card information, so they asked me if I could to to them again over email. You know, I just said "No, I'll call you." But it just goes to show that most people just don't even think about privacy issues. Even professionals who should know about these things. They just don't. Either that or they don't understand the technical side of it... like that email is not encrypted, etc.

      As for search engines, I've no idea why you'd be searching for one on Google, unless for instance you wanted to see if your own was available somewhere--Which is funny, now that I think about it. How can you search for your own online information (to see what is out there) without giving it away yourself by typing it into a search engine?
    2. Re:Searching for SSN's?? by Anonymous Coward · · Score: 1, Interesting

      I assume you're joking, but giving that result will reduce the number of possible social security numbers to 100, given your place of birth (the first three digits are determined by the location where your SSN was issued; it is likely somewhere you grew up). This leaves 100 possibilites for the inner two numbers. Instead of having 1000 possibilites for the remaining numbers, we only have the one that satisifies the subtraction.

    3. Re:Searching for SSN's?? by Jherek+Carnelian · · Score: 5, Interesting

      Also, a couple weeks ago I booked a room at a hostel over the internet, and apparently I mistyped my credit card information, so they asked me if I could to to them again over email. You know, I just said "No, I'll call you."

      I send my credit card numbers over email all the time. But I only use "throw-away" numbers that are generated on the fly and can only be charged by a single vendor up to a specific amount (pre-set by myself). Most of the big card issuers offer a similar service for free (last I heard, MBNA, which has offered it for at least 5-6 years now, has not had a single instance of succesful fraud involving such throw-away numbers, never mind free, they ought to be paying me to use the service).

    4. Re:Searching for SSN's?? by slushdork · · Score: 5, Interesting
      So, after reading this, I thought I'd have some fun with Google:

      - Go to http://www.ssa.gov/employer/statewebcali.htm and pick an SSN prefix for a particular state (say, CA, which is from 545 to 573).

      - Go to Google, click Advanced Search, and in "With all of the words:" enter "SSN".

      - In "Return web pages containing numbers between" enter 545000000 "and" 574000000.

      - Click Search and stare in horror all the student listings, bankruptcy filings, etc. posted with names, SSNs, addresses, etc.

      I'm sure I'm not the first to think of this, but if you abuse any of this information, the Erinyes will come after you!

  2. Wow by Anonymous Coward · · Score: 3, Interesting

    Since most people search for their own name, this really isn't very private. I imagine law enforcement may use this to track AOL users. I wonder what the legal implications are...

  3. This just in by Klaidas · · Score: 4, Interesting

    Company calls data posting a mistake.
    Hmm, I wonder if this "sorry" will be enough

  4. Funniest thing so far by saskboy · · Score: 5, Interesting

    A friend of mine downloaded this dataset.
    A teacher's credit union employee was searching for sexy underwear, how best to conduct a relationship with a co-worker, and have sex in a pickup.
    Just before that, she was searching for cars. And appears to have cancer as well, or lives with someone with cancer. Maybe it's her sick husband.

    I wonder if that demonstrates why someone wouldn't want their Google searches or AOL info to make it into the public realm. AOL is obviously a bastion of consumer rights.

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  5. Tracing back to a user by gstegman · · Score: 3, Interesting

    It occurs to me that it would be pretty difficult to trace back to the user who is doing the searching by knowing what they are searching for. Sure I have Googled myself and have entered my address into Google Maps, Map Quest, etc. But I have Googled about a hundred other people and thousands of addresses. It would be an interesting game of what do all these things have in common for someone to triangulate all this information back to who I am. Granted I have never done a search on my or anyone elses Social Security Number, that's just asking for it.

  6. Re:finally, maybe users will wake up by Irish_Samurai · · Score: 4, Interesting

    So, how many wives are either not going to be home tonight, or are going to fix hubby his very favorite dish?

    You're probably just trying to be funny, but this could be a real problem. I know I have had some seriously bizarre search historys when doing research on possible articles to write in my lame ass vanity site. They could very easily be taken out of context and used to make me look like a sicko instead of a cynic who wanted some of the bizarre material that non fiction can provide.

    Maybe this guy is doing some research on a book. Maybe he's an artist doing some death metal band's cover. Hell, maybe they have a socially retarded CS major for a dorm mate and are trying to freak them out.

    It's the ridiculous release of this type of data and the sensationalist warping of these smallest elements that allow our privacy to get train wrecked.

  7. Re:it's a geographic location! by Man+Eating+Duck · · Score: 3, Interesting

    Actually, it IS a geographic location in Norway :)

    It is 1.5 hours drive from where I live, and a really beautiful place.

    More info here.

    Furthermore, I just searched for "End of the world" on google...

    --
    Are you a grammar Nazi? I'm trying to improve my English; please correct my errors! :)
  8. Eh? Security vs. convenience by raehl · · Score: 1, Interesting

    I mistyped my credit card information, so they asked me if I could to to them again over email.

    I am always amused by people who are concerned about sending their credit card number over email. Credit card numbers are just plain not secure period. The number is even printed right on your card, and also encoded in a machine-readable format! It's sent through the mail on your bill, it's printed on receipts (although things are getting much better here), there are plenty of easy ways to illicitly get credit card numbers that are much easier than email.

    If you're not willing to send a credit card number through email, then you probably just shouldn't have a credit card at all.

    --
    paintball
    1. Re:Eh? Security vs. convenience by shadowbearer · · Score: 2, Interesting

      Reminds me:

        I was biking thru an alleyway on the way home from work a couple of days ago, and I found a bunch of what looked like bill statements scattered all over from, I'd guess, the garbage cans. Since this sort of thing concerns me, I gathered them up and tried to find the recipient ( he turned out to be a block down from there)

        I only looked at them long enough to find an address on them, then gathered them up and dropped them in the mailbox of the owner with a quick note as to how I found them. But even that quick look was enough to see that there were both the account number and the SSN of the recipient printed on them.

        Until that sort of foolishness stops, there isn't much point in securing databases or email, is there? I see it quite often.

      SB
        (who hasn't had a credit card in 16 years thru my own choice)

      --
      It's old. The more humans I meet, the more I like my cats. At least they are honest.
  9. Site owners - can you find the searches? by harmonica · · Score: 2, Interesting

    There are a couple of lines in those logs that have supposedly led AOL users to my site. However, I can't verify a single one of those with my own logs. Any site owners out there who were more successful? Any explanation for that phenomenon?

  10. Re:finally, maybe users will wake up by MillionthMonkey · · Score: 4, Interesting

    Check out Disturbing Search Requests where people search through their logs for interesting HTTP REFERER links from Google and submit the most disturbing. A common reaction is befuddlement from webmasters when Google returns their site in response to certain queries (such as "sweet as food delicious cheap dog fellatio").

    Who hasn't typed "how to kill your wife" into a search box by now anyway? (That was a joke! Hi honey!)

  11. Conspiracy theory 1 by Anonymous Coward · · Score: 2, Interesting

    Hmm Didnt the govt ask for just this kind of info from google sometime ago? And now aol just accidentally manages to release the same kind of info?

  12. Time to revisit "personally identifying info" by geekotourist · · Score: 5, Interesting
    When AOL appologized today, the spokesperson said '"Although there was no personally-identifiable data linked to these accounts, we're absolutely not defending this."


    Back in January, related to the story on how the DoJ demands and gets ISP data, AOL had said that "We did not comply with the request made in the subpoena," spokesman Andrew Weinstein said. "Instead, we gave the Department of Justice a list of aggregate anonymous search terms that did not include results or any personally identifiable information."


    AOL- you need to rethink that phrase personally identifiable, because it doesn't seem to mean what you think it means. You're hiding behind one technical definition of PII, without concern about whether or not the results actually have PII. If you're releasing results with personally identifying information, then you cannot say you're not releasing PII. I'd written in January I'd writen "I question this assumption by Yahoo, AOL, etc. that search terms, by themselves, have no privacy considerations because they've been separated from personal info. What if the search itself contains personal information? Are the search companies deleting the timestamps and randomizing the order of the search terms themselves? Because otherwise I could see personal info showing up." Obviously, half a year later, they still think that replacing a name with a number takes away the PII. They need to have a talk with, say, the Census Department, about why the department will withhold data about *groups* of businesses in a region. Grouped data can easily become PII data if you can tease out characteristics. AOL didn't even group the data!


    As always, relevant quotes from the best.essay.evar on why privacy is a fundamental human right: "If information that is actually about someone else is wrongly applied to us, if wrong facts make it appear that we've done things we haven't, if perfectly innocent behavior is misinterpreted as suspicious because authorities don't know our reasons or our circumstances, we will be at risk of finding ourselves in trouble in a society where everyone is regarded as a suspect. By the time we clear our names and establish our innocence, we may have suffered irreparable financial or social harm..."

    "...agents of the state in Canada cannot order Canada Post to photocopy the address on every envelope we send, nor can they order bookstores to keep a record of every book we buy, let alone of every page of every magazine we leaf through. There is no reason why they should be able to exercise such powers with regard to every e-mail someone sends or every Web site he or she visits."

    "I do not see any reason why e-mails should be subject to a lower standard of privacy protection than letters or telephone calls. And I do not see why Internet browsing should be subject to a lower standard of protection than book purchasing or researching in a reference library. Canadians should not be subject to greater state monitoring or scrutiny just because they choose to use new communication technologies."