Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Face of One AOL Searcher Exposed

Posted by ryuzaki0 on from the knew-it-wouldn't-take-long dept.

Juha-Matti Laurio writes "No. 4417749 conducted hundreds of searches over a three-month period on topics ranging from "numb fingers" to "60 single men" to "dog that urinates on everything., report NYT journalists Michael Barbaro and Tom Zeller Jr., but with a permission from Mrs. Thelma Arnold, 62. "Those are my searches," she said, after a reporter read part of the list to her, continues the article."

36 of 315 comments (clear)

  1. What a ho by mgblst · · Score: 4, Funny

    "60 single men"
     
    At her age. I think she should be happy with a couple, but 60... gotta admire her!

  2. Hmm by Iamthefallen · · Score: 5, Funny

    User 48956332 Perl For Dummies
    User 48956332 HTML 4, whats the big deal
    User 48956332 Howto use sandboxen in development
    User 48956332 What is CSS
    User 48956332 Unit testing
    User 48956332 Spelcheking
    User 48956332 Why is Digg growing so fast?

    --
    Wax-Museum Fire Results In Hundreds Of New Danny DeVito Statues
    1. Re:Hmm by LiquidCoooled · · Score: 5, Funny

      User 48956332 Preventing Dupes.
      User 48956332 Preventing Dupes.
      User 48956332 Preventing Dupes.
      User 48956332 Preventing Dupes.

      --
      liqbase :: faster than paper
    2. Re:Hmm by JPDeckers · · Score: 5, Funny
      Love browsing the data. As I noticed yesterday, a nice trace for user 14109288 (stripped a bit for readability):

      sexual positions 2006-05-22 21:57:18 http://www.sexualpositionsfree.com/
      sexual positions 2006-05-22 21:57:18 http://www.askmen.com/
      sexual positions 2006-05-22 21:57:18 http://www.condoms.au.com/
      premature ejaculation 2006-05-22 22:20:23 http://www.webmd.com/

      Note the timestamps of the last two lines, sounds like he had, well, an evening that did not go as planned

  3. Search string by KiloByte · · Score: 5, Funny
    "dog that urinates on everything., report NYT journalists Michael Barbaro and Tom Zeller Jr., but with a permission from Mrs. Thelma Arnold, 62. "
    Hmm... an interesting search query.
    But at least it looks like my code isn't the only place invaded by quote-abducting aliens.
    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  4. Nothing we can do! by mgblst · · Score: 5, Insightful

    Asked about Ms. Arnold, an AOL spokesman, Andrew Weinstein, reiterated the companys position that the data release was a mistake. We apologize specifically to her, he said. There is not a whole lot we can do.
     
    What a load... there is plenty you can do AOL. You can promise not to release this data again, you can actively hunt for it on the web. You can promise to delete your copy. You can promise that you won't keep data like this anymore. You can implement better security policies so that you know where your data is, and what is hapenning with it. You can limit the people who have access to posting stuff on your website.

    Useless bastards!

    1. Re:Nothing we can do! by Rob+T+Firefly · · Score: 4, Insightful

      On behalf of AOL, let me clarify... what they meant to say was "there is not a whole lot we could do that wouldn't interfere with the lucrative data-mining business."

      --
      Slashdot Burying Stories About Slashdot Media Owned
    2. Re:Nothing we can do! by LiquidCoooled · · Score: 3, Interesting

      The data is out there, what exactly could they do?
      Erase it from peoples hard drives, remove it from all the pipes that its in, drug everyone who has seen it?

      The fact they have this data is one thing, releasing it to the public is another.

      --
      liqbase :: faster than paper
    3. Re:Nothing we can do! by Jafafa+Hots · · Score: 4, Insightful

      and they can pay hundreds of miliions of dollars in damages.

      --
      This space available.
    4. Re:Nothing we can do! by cortana · · Score: 4, Insightful

      Why should they? Consumers have shown time and time again that they don't give a shit about how ethically a corporation acts, only about how cheap their products are. :(

    5. Re:Nothing we can do! by ConceptJunkie · · Score: 4, Insightful

      To be fair, there isn't a whole lot AOL can do about the data that's already been released. In fact, nothing. That genie's out of the bottle, and while it is totally their fault for allowing someone to make such an enormously foolish and potentially dangerous decision, they have stated that they are taking steps so that it won't happen again. Believe me, with so many people looking for an excuse to further bash AOL, they won't dare let this kind of thing continue.

      "Not keeping data like this" doesn't make any sense at all and doesn't accomplish any good for customers. Indeed there is great value in understanding what searches are made and how the search process can be improved. Keeping this kind of data secure is sufficient in my mind. The last two sentences are something I would agree with.

      I just have to wonder who would be stupid enough to not realize the ramifications of doing this. It doesn't take "thorough vetting" to figure out that this would cause a firestorm of bad publicity.

      Of course, the real lesson here is: Don't do anything on the Internet you wouldn't want your mother to find out about. There is no anonymity on the Web. It doesn't take a stupid decision by a large company to prove this.

      --
      You are in a maze of twisty little passages, all alike.
    6. Re:Nothing we can do! by Anonymous Coward · · Score: 3, Funny

      Or more like...

      "C'mon, these are AOL users we are talking about...we never expected them to find out".

    7. Re:Nothing we can do! by rifter · · Score: 5, Insightful

      The data is out there, what exactly could they do? Erase it from peoples hard drives, remove it from all the pipes that its in, drug everyone who has seen it?

      The fact they have this data is one thing, releasing it to the public is another.

      When it is data that they *care* about, corporations seem able to do plenty. If it's their source code, the code to decss, TimeWarnerAol's labels' mp3 files, the latest incriminating memos/emails ... they are positively rabid about protecting it. Cease and desist orders fall like rain, sites get shut down, people get sued for millions and prosecuted to the fullest extent of the law. But if it's their customers' data, like these searches, their email addresses, their credit card numbers, etc. They just shrug and say "Oh well. What canya do?"

      It's typical, frustrating, and complete bullshit. If the privacy laws were enforced and these corporations were punished for such egregious mishandling of our data maybe then they might think they can do something. But unless it directly affects them, they just are not going to care and will continue to take no precautions.

    8. Re:Nothing we can do! by dourk · · Score: 3, Funny

      remove it from all the pipes that its in

      Tubes, my friend. Tubes.

      --
      Wake up.
  5. Torpark by eldavojohn · · Score: 4, Informative

    I guess this just goes to show that you should be using something like Torpark even when merely conducting an online search. It's a shame but if you value your privacy, I guess it's necessary.

    Keep those IPs changing so they can't track and accumulate your searches I guess. I don't want a dossier of my searches available to the public.

    --
    My work here is dung.
    1. Re:Torpark by FireFury03 · · Score: 4, Insightful

      I guess this just goes to show that you should be using something like Torpark even when merely conducting an online search.

      Whilest protecting your privacy does, on the surface, seem like a good thing, I wonder if it might count against you if you were ever suspected of a crime. We've already seen 'he has some encrypted data' used as evidence (even though the contents of the encrypted file weren't known) in one successful conviction, I suspect 'he's using privacy protection software called Tor' may go down the same way.

      Remember, only people who have something to hide care about protecting their privacy. :)

      --
      http://blog.nexusuk.org
    2. Re:Torpark by z0idberg · · Score: 5, Insightful

      At the very least do your searching through an engine that is separate to your ISP.

      A customer of AOL searching through AOL has their searches linked to you as an individual. If you search through google then they get your IP address, and your ISP knows which IP address links to which individual at any one time (open Wifi networks aside). But at least the same company doesnt know both.

      The data AOL released was the equivalent of any other search engine releasing its searches with IP addresses, so the same damage could be done by any other search engines logs, but imagine how much a marketing company would pay for that info from AOL with the personal details for each user included (i.e. Age, Sex, location etc.).

    3. Re:Torpark by Anonymous Coward · · Score: 3, Insightful
      "But at least the same company doesnt know both."


      That is not completely correct. Remember, your ISP knows both who you are and what you searched for at any of the search engines.

      The next big privacy nightmare may be an ISP (and not a search engine) opening up its logs.
    4. Re:Torpark by Bob9113 · · Score: 3, Insightful

      At the very least do your searching through an engine that is separate to your ISP.

      Your ISP has access to everything you do online unless you're using an encrypted channel like SSL. Your HTTP requests go through your ISPs routers, which see all. Not just search terms, everything. Cox will see this submission when I send it through, and has seen each preview. Cox sees every email I send, including the full content and any attachments. Some ISPs may not be recording it, but for AOL a big part of their business is selling aggregated data to advertisers, and enterprise grade storage costs a few dollars a gig. They'd be stupid to throw away HTTP requests, and I'd lay 20 to 1 odds that they are not. At least until we have laws that require them to. But then, I think we're more like to have laws that require them to keep the data. The EU already does.

      Everything you do online is watched. It's just a question of whether you can trust your ISP. We currently lack any serious accountability for privacy breaches. The public is blissfully ignorant, and the government, far from promoting privacy, actually wants the data. In fact, depending on how far you think Epic/Carnivore/TIA goes, they already have it. Your phone records are protected by federal law, and they have those. What of data that isn't protected? Do you think they don't have it?

      --
      Stop-Prism.org: Opt Out of Surveillance
  6. 1 down, 24.9999 million to go... by kafka47 · · Score: 4, Insightful
    What about the one we really need to know?? User 17556639!!!

    /K

    1. Re:1 down, 24.9999 million to go... by scribblej · · Score: 4, Insightful

      Your comment is marked "insightful"

      That is sad. "Funny" sure. But "Insightful?"

      Here's the person's searches in question:

      17556639 how to kill your wife
        17556639 how to kill your wife
        17556639 wife killer
        17556639 how to kill a wife
        17556639 poop
        17556639 dead people
        17556639 pictures of dead people
        17556639 killed people
        17556639 dead pictures
        17556639 dead pictures
        17556639 dead pictures
        17556639 murder photo
        17556639 steak and cheese
        17556639 photo of death
        17556639 photo of death
        17556639 death
        17556639 dead people photos
        17556639 photo of dead people
        17556639 www.murderdpeople.com
        17556639 decapatated photos
        17556639 decapatated photos
        17556639 car crashes3
        17556639 car crashes3
        17556639 car crash photo

      If you want this person investigated, you are worse than the "thought police." First off, it's clear (to me, at least) that this guy isn't thinking about killing anyone. He just wants to see some gory photos. "steakandcheese" is a site like rotten.com. Even if he is thinking about killing someone, that's OK. There's a comment further down on the site you linked to that I find to be "insightful" about an old twilight zone episode. The main character could read minds and he reads the mind of a bank security guard who is thinking about robbing the bank! He has the man investigated, but nothing comes out of it. In the end, the guard admits he was thinking about robbing the bank... in fact he's thought about it almost every day. It's just a fantasy he has to make the day go faster... not something he'd ever act on.

      And having been a regular visitor to rotten.com in the past myself, I know that just wanting to see some of the reality of death that we tend to keep hidden in American society is not a crime. It's not even thinking of a crime. It's perfectly natural and healthy curiosity. Neither is daydreaming about terrible things you would never do -- or want to have happen -- in real life. Fantasy is normal and healthy.

      In fact, if you've never been to rotten.com or a similar site, I'd recommend you go sometime.

    2. Re:1 down, 24.9999 million to go... by hackstraw · · Score: 3, Insightful

      What about the one we really need to know?? User 17556639!!!

      Hello, I'm user 17556639, and I'm a crime novelist.

      Actually, I'm not but it is simply not up to AOL or the government or anybody to snoop into my business without probable cause. And probable cause is limited to the government, the rest stay the fuck out of my business.

      Anything taken out of context can look completely different, and it simply is NOT the duty of a citizen to chronically prove their innocence.

      A) Its sometimes impossible to prove that I was home alone asleep.

      B) I'm innocent until proven guilty. Even after being charged and possibly jailed until my court time.

      So, yes, I'm one of those "Fuck the children" people. I'm one of those people that respects my privacy. I'm one of those people that believes in free speech. Yes, I vote libertarian too.

  7. but with permission... by Catmeat · · Score: 4, Funny
    ... but with a permission from Mrs. Thelma Arnold, 62...

    In other words, the journalists tracked down about 20 AOL searchers, but Mrs Arnold was the only one to give permission for the article as hers was the only search term list that didn't include 'midget porn'.

    1. Re:but with permission... by Rakshasa+Taisab · · Score: 3, Funny

      I just realized something... I've never searched for 'midget pron'. Consider that rectified.

      --
      - These characters were randomly selected.
  8. Legal Standing? by RagingFuryBlack · · Score: 3, Interesting
    FTA:

    There are also many thousands of sexual queries, along with searches about "child porno" and "how to kill oneself by natural gas" that raise questions about what legal authorities can and should do with such information.



    Now what kind of legal recourse can people expect from these search results? Can the man who searched for ways to kill his wife be tracked down? How about all of the paedophiles who searched for child pr0n? Oh, I can just see all of the "Come on AOL, think of the children...tell us who that was..." How closely tied are these numbers to the user's AOL Accounts, I mean, I'm sure AOL left themselves some tie to the user in their copy. What's stopping feds from making many major busts on people?

    --
    Warning: Corny karma killing post above.
  9. Quick! by ttys00 · · Score: 3, Funny

    Quick, make a bunch of bogus searches! That way you will have some plausible deniability when The Man knocks on your door with a list of your searches.

    "Officer, those searches can't be mine, I'm not an 18 year old lesbian movie actress!"

  10. She should stay at AOL by gorbachev · · Score: 3, Funny

    At the end of the article, she says she's cancelling her AOL account as a result.

    She shouldn't. There's absolutely no way AOL will ever do anything like that again. On the other hand, if she switches to another online provider, who still hasn't been burned, it's a quite a bit more likely they'll screw up like this as well. She'd be "safer" staying at AOL.

    --
    In Soviet Russia, I ruled you
    1. Re:She should stay at AOL by shudde · · Score: 5, Funny

      At the end of the article, she says she's cancelling her AOL account as a result.

      Correction, she's going to try to cancel her AOL account.

  11. Oblig. Prisoner by ettlz · · Score: 5, Funny

    Where am I?
    You're on AOL.
    What do you want?
    Search information.
    Whose side are you on?
    That would be telling. We want information. Information. Information.
    You won't get it.
    By hook or by crook, we will.
    Who are you?
    The new ad-funded AOL Number 2.
    Who is Number 1?
    You are Number 4417749.
    I am not a number -- I am a free gran!

  12. Technology in the NY Times by MobyDisk · · Score: 5, Interesting
    I found this interesting:
    Next Article in Technology (1 of 27)
    The NY times considers this an article on technology. Slashdot considers this an article on "Your Rights Online." That is the reason nothing will happen no matter how many times these privacy violations occur. People don't act on technology issues. They act on privacy, religion, and entertainment. I would shame the NY times that they still don't get it, but neither does most of the rest of the planet either.
  13. AOL's apology vs. Dilbert's boss by khendron · · Score: 5, Funny

    From AOL's public apology

    "This was a screw up, and we're angry and upset about it. It was an innocent enough attempt to reach out to the academic community with new research tools, but it was obviously not appropriately vetted..."

    This is sounding very much like Dilbert's boss's public apology made years ago:

    "It was wrong for us to sell keyboards with no 'Q' We're sorry. We're morons. We're dumber than squirrels. We hear voices and do what they command. I have broccoli in my socks. "

    --
    Life is like a web application. Sometime you need cookies just to get by.
  14. user 4417749's Search Records by aquatone282 · · Score: 5, Funny

    4417749 numb fingers
    4417749 60 single men
    4417749 dog that urinates on everything
    4417749 landscapers in Lilburn, Ga
    4417749 bill arnold
    4417749 carpet shampoo rental
    4417749 julie arnold
    4417749 stan arnold
    4417749 homes sold in shadow lake subdivision gwinnett county georgia
    4417749 gwinnet county animal services
    4417749 stan arnold
    4417749 pecan pie recipes
    4417749 McGyver DVDs
    4417749 pet euthanasia services

    --
    What?
  15. SQL injection target? by Chapter80 · · Score: 5, Informative
    Pretty cool seeing people get this data into searchable form, like on:
    http://www.aolsearchdatabase.com/

    I did a search on there this morning, and it displays the SQL statement for me, which is very handy...

    Select SQL_CALC_FOUND_ROWS * from search_data WHERE match (anon_id,query,click_url) against ('4417749 ') LIMIT 0,30

    Interestingly, if you do the standard SQL injection, searching for something like "4417749') LIMIT 0,30; DROP TABLE SQL_CALC_FOUND_ROWS;--", I bet you will screw it up for them. Kids, don't try this at home. I'd never encourage people to do something illegal!

    The point of this posting is:
    Learn about SQL Injection, and protect against it.
    Don't display your SQL query to your users.

    If you don't know what SQL injection is, try a simple example: Search for "1','0" (skip the double quotes, but not the single quotes) and you'll see it in action without causing harm.

    1. Re:SQL injection target? by Inataysia · · Score: 3, Interesting

      Just to pimp somebody else's work...

      A neat paper was presented in the Software track at USENIX Security just a week or so ago about a technique that can be used to prevent all SQL injection attacks. It's a source code transformation that tracks one or two bits of "taint" information for every byte address in a program's address space.

      The sysadmin or security admin can then define a policy with augmented regular expressions that have three Kleene-style operators that let you say e.g. (expr)^T, which matches the expression 'expr', iff every byte in expr is tainted, or (expr)^t which matches 'expr' iff at least one byte of expr is tainted. The last operator is ^u which means "iff none of these characters are tainted".

      They prevent SQL injections by making a policy that says that whenever the function that actually executes the SQL query is called, its arguments are examined, and any string that matches.. (looks it up).. "(StrIdNum|Delim)*(SqlMetachar)^T(any)*", causes the system to either cause the call to fail with a given error, or causes the program to halt.

      That's pretty neat, but it's already been done with pre-built binaries. The problem with those systems is that they use library preload hacks and have to run each instruction inside a lightweight VM to track the taint information (because they lack the semantics that come with having the source), giving performance hits of a factor of around 100. Since this solution transforms the source, GCC can optimize the transformed code a fair deal and they end up with around a 17% performance hit, which is an excellent tradeoff for security.

      Since it's a C source transformation, they transformed apache, PHP, bash, and even glibc. Their technique can be used (and was demonstrated in the paper) to prevent a number of classes of attacks, not just specific attacks.

      Look it up: "Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks", Wei Xu, Sandeep Bhatkar, R. Sekar, Stony Brook University.

      End pimp.

  16. How to achieve change by RagingFuryBlack · · Score: 4, Interesting

    After reading through all of the 0+ modded comments, I've seen everyone saying "God, I wish there was something that could be done to stop this from happening again". You want to see it stop? Find something that ties your local congressmen to their search histories on AOL. Contact them with that information. I can almost guarantee you that if you find enough dirt on enough congressmen/senators, you'll see legislation passed requiring that Search companies not keep records of searches. It quickly changes from "Think of the children" to "Think of saving my ass from dirt that can be used against me next election year"

    --
    Warning: Corny karma killing post above.
  17. Privacy as evidence of nefarious character by RareButSeriousSideEf · · Score: 4, Insightful

    You raise an important and oft-overlooked point.

    This is exactly why I think it's so critical to evangelize with regard to using privacy measures. I want my mother, Aunt Sally, and 8-year old neice to be using TrueCrypt and Tor at a minimum (or, something providing similar functionality). Privacy / anonymity suites need to become as commonplace as antivirus, firewall and anti-spam software.

    Helping strong privacy measures become the status-quo serves other important goals too. It makes it more politically costly to try to legislate them out of use, and it reduces the usefulness of developing new data mining programs that require person:transaction relationships - both for the government and for private industry.

    In short, when everyone's Aunt Sally can be expected to have countermeasures against activity monitoring running on her home PC, the world will have become a safer place for all of us.

    --
    Pi Ran Out