Slashdot Mirror
The Face of One AOL Searcher Exposed
Juha-Matti Laurio writes "No. 4417749 conducted hundreds of searches over a three-month period on topics ranging from "numb fingers" to "60 single men" to "dog that urinates on everything., report NYT journalists Michael Barbaro and Tom Zeller Jr., but with a permission from Mrs. Thelma Arnold, 62. "Those are my searches," she said, after a reporter read part of the list to her, continues the article."
Asked about Ms. Arnold, an AOL spokesman, Andrew Weinstein, reiterated the companys position that the data release was a mistake. We apologize specifically to her, he said. There is not a whole lot we can do.
What a load... there is plenty you can do AOL. You can promise not to release this data again, you can actively hunt for it on the web. You can promise to delete your copy. You can promise that you won't keep data like this anymore. You can implement better security policies so that you know where your data is, and what is hapenning with it. You can limit the people who have access to posting stuff on your website.
Useless bastards!
I guess this just goes to show that you should be using something like Torpark even when merely conducting an online search.
:)
Whilest protecting your privacy does, on the surface, seem like a good thing, I wonder if it might count against you if you were ever suspected of a crime. We've already seen 'he has some encrypted data' used as evidence (even though the contents of the encrypted file weren't known) in one successful conviction, I suspect 'he's using privacy protection software called Tor' may go down the same way.
Remember, only people who have something to hide care about protecting their privacy.
http://blog.nexusuk.org
Why is it that whenever a big company blatantly violates the law, they get away with a few users boycotting them for a while, but when big business is slightly victimized, all hell breaks lose, laws are changed in their favor and individuals' lives get ruined? Sue AOL. Make them pay. Nothing says sorry like a multi-million dollar cheque.
At the very least do your searching through an engine that is separate to your ISP.
A customer of AOL searching through AOL has their searches linked to you as an individual. If you search through google then they get your IP address, and your ISP knows which IP address links to which individual at any one time (open Wifi networks aside). But at least the same company doesnt know both.
The data AOL released was the equivalent of any other search engine releasing its searches with IP addresses, so the same damage could be done by any other search engines logs, but imagine how much a marketing company would pay for that info from AOL with the personal details for each user included (i.e. Age, Sex, location etc.).
Why Google made such a fight out of the government's request for similar information, even if anonymized. It isn't a harmless request. I mean, the particular search identified in the article isn't a big deal, but some of the others that are in there are rather scary/personal, to say the least. Out of millions, I expect this pattern is normal.
As goofs go, this is a biggie, but an instructive one that will hopefully serve as a wakeup call. If the government were requesting something like this, it is as invasive as a library turning over a carefully-tracked list of patron searches that would be one ISP subpoena away from being personally identifiable. It's basically one huge fishing ground.
Why is online anonymity so hard to come by? It seems that every service I use on the web keeps logs and statistics, and there always seems to be some trail linking me to whatever I've done online. Perhaps there are searches and discussions I've had online that I don't want a potential employer to come across, for example. No matter how careful I may be, I never feel too confident that I've been successfully shielded by anonymity.
It would be nice to see more online services that at least make an effort to maintain your anonymity. How about a proxy that will do all your google searches from a set of hundreds of random IP addresses, selecting a new one each time and never connecting the searches to one another? Or how about an ISP that gives you a new, random IP address on request, and keeps NO LOGS of who had which IP in the past?
There are two obstacles to this - first, the average joe doesn't think too carefully about anonymity, so the demand for such services is low. Second, there are legal issues regarding what information would be recorded. It would be very interesting to see the RIAA come to the ISP in my above example and request the account information of a file trader. What would happen if they literally had no logs and no way of telling which user had been using that IP? It seems like they might get in trouble, but why should they? Grocery stores aren't required to keep careful logs of each person walking through their doors. Don't ISPs have the same right to allow people to come and go?
That is not completely correct. Remember, your ISP knows both who you are and what you searched for at any of the search engines.
The next big privacy nightmare may be an ISP (and not a search engine) opening up its logs.
It seems to me that if you're going to give the guy who wants to kill his wife the benefit of the doubt, then the same benefit should extend to the child pr0n guys. Either it's protected speech or it's not. That's why the ACLU defends the neo-Nazis' right to free speech--we may not like what they say, but they have the right to say whatever they want. Not that I want to protect child pr0n guys in any way, however this is what people are talking about when they say 'slippery slope'. First it's the child pr0n, then it's the terrorism, then it's the abortionists, then it's your political opponents. Then it's you for no really good reason other than that they can.
Courts rule time and again that if a search is illegal, the fruits of that search may not be used in court. This is the same principle. If we want the expectation of privacy in our web browsing kept as private as in our homes, then we need to find some other way to get the child pr0nsters. On the other hand, if we have no expectation of privacy in our web searches and should know better than to google child pr0n, then by all means nail them and everyone else to the wall. Just be sure to extend that principle to include things we link to on web pages, check out at libraries, and purchase at bookstores. I believe that libraries and bookstores in the US are already required by legislation to report to the government. Just remember that next time you're curious about the Anarchist's Cookbook and the recipes in there. It's all just chemistry anyway, right? I mean, I don't want to blow crap up, but I find it fascinating that horse poop and fuel oil can be that explosive and I want to know why. But ask at the public library and you might find yourself being asked uncomfortable questions by the Feds.
Not to get too off topic, but do you remember in the wake of 9/11 how one person asked a Post Office clerk if there were any stamps without American flags on them and got detained and questioned? All I'm saying is, just because a web search returns illegal results doesn't mean it isn't a free speech or a privacy issue.
steampunk web design
If you people RTFA, the reporter was able to find her based on her queries, not her IP Address or anything else. Torpack wouldnt help, nor would using a different search engine (after all, that search engine could be compliling the same data about your searches), unless you want to use a different search engine everytime you make a query. And even then, there are only a limited number of decent search engines out there.
You raise an important and oft-overlooked point.
This is exactly why I think it's so critical to evangelize with regard to using privacy measures. I want my mother, Aunt Sally, and 8-year old neice to be using TrueCrypt and Tor at a minimum (or, something providing similar functionality). Privacy / anonymity suites need to become as commonplace as antivirus, firewall and anti-spam software.
Helping strong privacy measures become the status-quo serves other important goals too. It makes it more politically costly to try to legislate them out of use, and it reduces the usefulness of developing new data mining programs that require person:transaction relationships - both for the government and for private industry.
In short, when everyone's Aunt Sally can be expected to have countermeasures against activity monitoring running on her home PC, the world will have become a safer place for all of us.
Pi Ran Out
At the very least do your searching through an engine that is separate to your ISP.
Your ISP has access to everything you do online unless you're using an encrypted channel like SSL. Your HTTP requests go through your ISPs routers, which see all. Not just search terms, everything. Cox will see this submission when I send it through, and has seen each preview. Cox sees every email I send, including the full content and any attachments. Some ISPs may not be recording it, but for AOL a big part of their business is selling aggregated data to advertisers, and enterprise grade storage costs a few dollars a gig. They'd be stupid to throw away HTTP requests, and I'd lay 20 to 1 odds that they are not. At least until we have laws that require them to. But then, I think we're more like to have laws that require them to keep the data. The EU already does.
Everything you do online is watched. It's just a question of whether you can trust your ISP. We currently lack any serious accountability for privacy breaches. The public is blissfully ignorant, and the government, far from promoting privacy, actually wants the data. In fact, depending on how far you think Epic/Carnivore/TIA goes, they already have it. Your phone records are protected by federal law, and they have those. What of data that isn't protected? Do you think they don't have it?
Stop-Prism.org: Opt Out of Surveillance
I can only think of a few possibilities as to why this is - either someone else was searching at the same time using the same account (or, hopefully, multiple people, unless the "steak and cheese" caused them troubles with "poop" - eh), or these records are presented in nothing like date/time order.
Can anybody tell me if the data in the dump has more than two fields (all I have ever seen is an "id" field, and a "search terms" field listed)? Are there other fields in the data dump that indicate a date/time stamp or something so that the searches can be ordered by that?
If not, then it is very likely that these searches were simply dumped using the equivalent of "SELECT id, terms FROM table", with no ORDER BY (or equivalent) clause tacked on, and the results were returned in a non-defined order (which might be by record insert order, by random order, or by any other possible order - for SQL compliant databases, if you don't specify an ORDER BY clause, the returned order of a recordset is undefined, and could possibly be in a different order each time the query is run by the backend SQL engine). If that is the case, than this data become just a bit more meaningless, as one could not follow a searcher's "train of thought" to determine what they were going after.
This would have both good and bad consequences for the data as it stands - good in that it obsfuscates the data just a bit more which could conceivably help hide a searcher's intentions, but also bad in that it could make innocent intentions look more non-innocent, depending on how the result set is skewed...
Reason is the Path to God - Anon