EFF Files Complaint with FTC Over AOL Data Leak
Quincy A. writes "Last week's exposure of search data on over 500,000 AOL users was a gigantic embarrassment for the company. It may be about to get worse, as the EFF has filed a complaint with the FTC over the incident. 'Citing AOL's own Network Privacy Policy, the EFF says that the company failed to "implement reasonable and appropriate measures to protect personal consumer information from public disclosure."' Among other things, the complaint asks AOL to notify all users affected by the data disclosure via certified mail and provide free credit monitoring for a year."
I'm happy that AOL will be held *somewhat* accountable.
OMGWTFBBQ!
With all the hype around personal privacy laws, and elections coming up, this is a bad time for AOL. Nuff said though, as they are, in my opinion, the originators of spam and of the selling of customer information to data miners.
Can I make a Beowulf Cluster of these search queries ?
If nothing else, it's a terrible, terrible reminder that no matter where you are, no matter what you're searching for, someone could be watching.
Sony ha
While I'm demonstrating my support, I thought I'd suggest some of you do the same.
Have you shown your support? EFF
The EFF is the "stop 1984 from happening" fund. If you read Slashdot, you know why you should be a member.
</soapbox>
At least they provided a good 20 minutes of entertainment for me this morning :)
www.somethingawful.com/index.php?a=4016
No, troll. From their main page : "What is EFF? EFF is a nonprofit group of passionate people -- lawyers, technologists, volunteers, and visionaries -- working to protect your digital rights.
My humor is probably your flamebait
I wonder whether AOL could be enjoined from collecting any personal data about users until this case is decided?
My turnips listen for the soft cry of your love
Even if this *doesn't* get through court, could an AOL customer ask AOL for their export ID number?
Is the ID number we have all grown to know an integral part of every AOL account?
Does AOL even know who user 17556639 actually is or was it generated automatically and then lost in the data export?
liqbase
Uh... To punish them for releasing a database of search results (that are pretty much anonymous, though some detective work can put names to some) the offended customers should give them access to MORE confidential information (SSN, mother's maiden name, credit history...?)
100% Troll.
Yes, people are for things they like, and against things they don't like.
What's your point?
More ignorance from the company recently voted worst technology of all time. http://www.pcworld.com/article/id,125772-page,2/article.html
My humor is probably your flamebait
really be from the "little-tighter-with-those-tubes-please" department.
Yes..yes it did
Really have you not heard about this? The data absolutely did contain exactly this sort of data.
They need your help!
Watch EFF attorney Jason Schultz tear the roof off in the new documentary, ALTERNATIVE FREEDOM. Maybe you will learn something or be able to show your friends and then we can all make sure digital rights are always kept in mind...
http://alternativefreedom.org/
I'm not saying that in any way AOL users "deserved" this -- nobody does. No matter what or how much information a company has about you, whether it be your net searches or how filthy your carpets are, you expect the company that holds this information to keep it private.
However, why in the world would you go with a company like AOL that has so many recorded existing problems that could be discovered with a modicum of research? Unfortunately, it seems much like U-Haul being one of/the biggest moving van rental companies despite all the bad press... It's a household name, so it has to be good, right?
The Government and the Corporations do not have a Constitutional right to privacy.
Hence all consumer (people) data must be treated as private by default, whereas the Government data must be treated as inherently public.
The EFF opposes the recent drive to turn this principle inside-out.
Obama likes poor people so much, he wants to make more of them.
Did the search information include Social Security Numbers, home addresses, mother's maiden name (and identifiable as such), PINs, or some other sort of data that could be used to affect someone's credit report?
YES, many people run their personally identifiable information through a search engine; don't you think that if google indexed a text file that was a dump of some purloined database on eveilhacker.com you'd want to know about it? For me, for a search engine to turn over search queries is a serious breach of confidence; I could never use Yahoo, MSN, or AOL for anything beyond trivial searches now, and I only use yahoo for yellowpages skimming at work.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Heh, yeah. I searched it last night with some crude perl regexes. There were a bunch of full names and SSNs in the same search. One funny thing I kept finding was a search like:
..."
"locate John L. Smith last address 123 Main Street, Houston, Texas social security number 123-45-6789"
Like AOL was some magic person finding machine. I kept thinking Star Trek, "Computer: Locate
I regularly google for
"1234 My Street, 80516 to somewhereelse, 80999"
in order to get driving directions.
If I were up to something nefarious then it would probably be quite obvious. Although I'm not up to anything and don't really care.
Even without searching for other people, some can be searching for themselves. I'll admit it, back during the spate of stupid e-commerce sites putting files of all of their transactions including creditcard numbers up for google to index, I searched for my own credit card number on google. I figured that if it was already out there, it couldn't do any more damage by putting it out there again.
Incidentally it got no hits at the time, though it's been a couple of years now.
If the data contained all of this, then so do the referrer logs of millions of webservers that get redirects from Google, AOL, Yahoo, you name it. This case highlights the sheer idiotic stupidity of users in the first place, typing their own personal information into a BOX on a SCREEN they *know* is connected to the internet, and expecting the data to remain 'secret'. Idiots, the lot of them. I'm not saying AOL should be exonerated from all wrongdoing, but users have to take some blame for this themselves.
Yes, AOL made a mistake by releasing that information. They've admitted to the mistake, apologized, and I doubt anyone will try to do this again.
On the other hand, one needs to recognize that they didn't release the information for the purposes of making money, or defrauding the customers, or anything else. They collected the data in order to help a researcher write an extremely informative paper[pdf] about human behavior as it relates to searches. That researcher decided that others might benefit from the information, and convinced AOL to make it publicly available. It turns out that that was a huge lapse in judgement, but nonetheless, intentions are also important and while criticizing AOL, we should also compliment them for their effort to interface with the academic community.
AOL has been punished enough in the press. Given the circumstances I don't think that any legal action is necessary.
It was a very strange thing for AOL to release that search history. Out of the blue, they suddenly announce they are giving away some of their data. Why did they do this? They must have had a reason. The only thing I can think of off hand is they needed a way to make the information public so it could be used legally by law enforcement?
Among other things, the complaint asks AOL to notify all users affected by the data disclosure via certified mail and provide free credit monitoring for a year."
AOL probably -CAN'T- notify the users, because they probably didn't keep the username->ID# mapping.
Please help metamoderate.
- They think all AOL users will change their SSN's (or will have time to change them) within that time.
- They think the spammers and identity thieves will forget all those juicy tidbits within that time.
- They figure anyone lame enough to use AOL in the first place would probably give away their identity anyway within a calendar year, so there's no need setting a precedent.
My money's on #3.
This space intentionally left (almost) blank.
The EFF has good intentions, but in this case they are going overboard.
Be Back Quickly
While I feel sorry for the specific individuals that AOL abused, this was probably a good thing in the long term for the privacy of the rest of internet users everywhere.
For example:
select * from aolsearches where anonid = 3620882;
yields a very strange individual... some brief examples (shortened for brevity... it's MUCH longer than this):
| 3620882 | bank robber hide-outs | 2006-03-01 22:22:04 |
| 3620882 | male sissy panty stories | 2006-03-01 22:35:41 |
| 3620882 | big bosom mothers | 2006-03-01 22:47:58 |
| 3620882 | sissy nightgown training | 2006-03-02 11:46:49 |
| 3620882 | special female training of sissy men | 2006-03-02 17:16:24 |
| 3620882 | tight laced girdles | 2006-03-05 12:33:09 |
| 3620882 | baptist church directory | 2006-03-07 18:56:13 |
| 3620882 | pink panty discipline | 2006-03-07 19:41:53 |
| 3620882 | old curvy women | 2006-03-10 12:38:47 |
| 3620882 | independent baptist church directory | 2006-03-12 11:45:44 |
| 3620882 | westboro baptist church | 2006-03-23 13:51:49 |
| 3620882 | baptist college directory | 2006-03-25 19:44:22 |
| 3620882 | adult diaper parties | 2006-04-04 13:51:30 |
| 3620882 | colorado mining claims for sale | 2006-04-16 13:00:25 |
| 3620882 | husbands that are sissy | 2006-04-28 20:13:11 |
| 3620882 | very large bosoms | 2006-05-18 21:38:57 |
| 3620882 | how to make gun silencers | 2006-05-20 12:45:00 |
| 3620882 | male maid training | 2006-05-30 12:15:49 |
Really, I think of myself as a pretty tolerant person, but this seriously makes me wonder what kind of weird individuals roam this planet.
- the "Electronic Frontier" is woven into everyone's life: what happens electronically can be more real, longer lasting, than any real-world event, and
- "Foundation" doesn't mean the same as "Bill & Melinda Gates Foundation" (it can buy countries), or the "Ford Foundation" (it can casually sponsor a year of PBS). The EFF, unless it wins the trillion-dollar lawsuit, is a small donor-supported non-profit.
- And in some cases, the ACLU doesn't do as well. The EFF's AT&T lawsuit is still going strong. The EFF filed in January to get that amazing 'not automatically dismissed on state secrets' ruling. I admit I'm biased- I know people there and am a supporter- but damn, they're good.
Consider warrantless searches. In your 'real world,' a set of police can only do a few warrantless searches per day- maybe 10 or 20 if they have their door-kick down. In the actual world, a set of searchers hooked into AT&T's database can do millions of warrantless searches per day. And they don't leave busted doors behind as a clue.
Consider voter disenfranchisement. In the old days, you had to physically block people from voting, one by one. Now you can do badly-designed joins on voter-rolls and stop thousands of people from voting in an afternoon.
Consider Free Speech. In your world you have to hire goons- expensive at overtime- to physically intimidate speakers. In the actual world automated intimidation, expensive intimidation, exists. In the actual world, entire subjects can be disappeared from view, thousands in one software installation.
Or maybe you really don't worry about building innovative tech companies, music CDs, publishing electronically. You really don't worry about credit scores, credit card records, HIPAA, test results, university records, voter data, flight records, VoIP calls... in your world. Funny, I didn't think they'd let you online in Supermax, Mr. Kaczynski.
I ran a quick check:
The term "SSN" was used by only 68 searches - and one referred to a ship.
Numbers of the format "111-11-1111" were searched 191 times. 22 of these searches had names attached. I didn't look in adjacent matches, so some more names might be inferred.
Nine-digit numbers were searched 246 times. I did a quick look-over, and none of these appeared to be SSN's.
HIV Crosses Species Barrier... into Muppets
It's probably somewhere in their TOS (I haven't read it and don't care to/have time to) that they don't have to ask anyone's permission to "share" their "non-personally-identifiable information" with their "partners" (just to coin a few phrases from various TOS's and EULA's and CYA's I have bothered to read over the years...) but it would've been nice if they had announced they were planning to release a subset of their logs, to whom, and exactly when (and even offered an "opt-out" avenue to their users who so wished...) and then gathered some feedback before doing something so cosmically STUPID. That way, they would have had the benefit of all the regex advice and the pattern-matching advice (not to mention the most excellently very sound advice of all: "JUST DON'T DO IT"...)
This space intentionally left (almost) blank.
Right, as if anyone's to know that AOL would do this. Yes, AOL is a complete pile of shit for a company, but this was unexpected. You cannot blame these people, I feel for each one of them.
bash$ egrep '[0-7][0-9]{2,2}-[0-9]{2,2}-[0-9]{4,4}' user-ct-test-collection-*.txt | wc -l
183
bash$
183 search queries contain well formed SSNs (I'm sure there are hundreds more w/o dashes, etc) (I threw the [0-7] at the beginning because wikipedia indicates that no SSNs with the first 3 digits over 772 have been issued). I looked at a handful and a lot of those searches contain a lot more than just SSNs, at that.
For example, the below (which I've actually removed the sensitive data from -- it's public, but I refuse to repost it):
4186504 locate keith ivan thompson born * *** ** social security ***-**-**** last address was *** street apt *** ****** colorado
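Added example (not part of the original thread, and not AOL's or any commenter's code): a pre-release scrubbing pass of the kind the comments above say was missing, redacting SSN-shaped tokens from a query log. The tab-separated "id<TAB>query" layout, the function names and every sample line are assumptions constructed for illustration; the validity rules are the SSA's structural ones (area 000, 666 and 900-999, group 00 and serial 0000 are never issued).

```python
import re

# Dashed or space-separated 3-2-4 shape, not embedded in a longer digit run.
DASHED = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")
# Bare nine-digit run: ambiguous (part numbers, tracking codes), so it is
# only treated as an SSN when the query itself mentions one.
BARE = re.compile(r"(?<!\d)(\d{3})(\d{2})(\d{4})(?!\d)")
CONTEXT = re.compile(r"\b(ssn|social security|soc sec)\b", re.I)

def plausible(area, group, serial):
    """Reject number ranges that are never issued as SSNs."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def redact_query(query):
    """Return (redacted_query, number_of_redactions)."""
    hits = 0
    def sub(match):
        nonlocal hits
        if plausible(*match.groups()):
            hits += 1
            return "[REDACTED-SSN]"
        return match.group(0)
    out = DASHED.sub(sub, query)
    if CONTEXT.search(query):
        out = BARE.sub(sub, out)
    return out, hits

def scrub_log(lines):
    """Scrub 'id<TAB>query' lines; return (clean_lines, flagged_ids).

    Flagged IDs need their whole history reviewed: the pseudonymous ID
    still links every other query that user made.
    """
    clean, flagged = [], set()
    for line in lines:
        anon_id, _, query = line.partition("\t")
        redacted, hits = redact_query(query)
        if hits:
            flagged.add(anon_id)
        clean.append(f"{anon_id}\t{redacted}")
    return clean, flagged

# Constructed sample input (no real identifiers or queries).
SAMPLE = [
    "1001\tlocate john smith social security number 123-45-6789",
    "1001\tcheap flights houston",
    "1002\tssn 123456789 credit report",
    "1003\tpart number 123456789 replacement",
    "1004\ttracking 900-12-3456",
]

if __name__ == "__main__":
    clean, flagged = scrub_log(SAMPLE)
    print("\n".join(clean))
    print("review full history for:", sorted(flagged))
```

Redacting the token is the minimum; names, addresses and birth dates in the same query, as in the line quoted above, need their own handling before any release.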
Yes, but if that SSN doesn't belong to the AOL user who performed the search, AOL is not LEGALLY required to do anything about it, as AOL's customer data was not leaked.
Tough nookies for Ivan Thompson, though.
In Soviet Russia, I ruled you
True; keith ivan thompson *probably* wasn't the one who issued that query. However, I'm willing to bet at least one of the 183 SSNs I found belonged to the searcher. And again -- I only found well-formed SSNs; I completely ignored those without dashes, which almost certainly number somewhere around 100, if not more.
Someone needs to come up with a quick-and-dirty resident app that issues random search queries to Google and other engines at random intervals. You poison the value of the data and make it relatively useless.
"What happens electronically can be more real, longer lasting, than any real-world event..." I've repeatedly said the same thing time and time again. When we rode to the gates of the Undercity and spat our defiance via /yell and /fart options will always remain with me. Seriously folks, the loss of our civil rights and uncounted "real" world atrocities aren't that big of a deal - it's not like they have your social security numbers or e-bay accounts. Yet.
Don't worry about the mule, just load the wagon.
I can blame these people, they blindly put private and confidential information into a search box on a webpage. If they did it with AOL, who else did they do it with? These people have no understanding of the web, and yet they still submitted personal information to other people's hands - how can they have any expectation that that information would have continued to be privileged? I'm quite right in saying that the search engine string is now in the referrer logs of any website they visited from the results, so the information was already well beyond AOL. There is a level of personal responsibility with your data.
locate John O'Connor and Sarah O'Connor
Newsflash: neither do citizens. The closest the constitution comes is this:
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
So your search history is fair game, as long as it's not being used for searches and seizures. I get spam to an address I used for a Western Digital hard drive rebate. My neighbor's kids get credit card offers after someone bought a kids magazine in their name. Privacy in the US is a joke compared to the strong laws in some countries (Germany IIRC is a good example).
use a search proxy. http://www.blackboxsearch.com/
well they say now that it didn't happen on purpose... but then I don't know why the names are replaced by IDs...
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
someone should start trying to find out the identities of the people whose search queries were published... I don't think you need too many queries by one person to pin him down...
;)
maybe THIS would silence the guys that understate how horrible this is for privacy...
sounds like another job for the EFF
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
Strange women lying in ponds distributing swords is no basis for a system of government.
Well yes, I suppose if you search for your SSN and then follow a link to a website then the referrer log has the SSN in it -- but then again so does the page that site is hosting. In addition, without the means to tie the data into all the other searches the user is doing, what you could get from a single entry in the referrer is probably going to be almost worthless in most cases.
I'm not saying that the user is not responsible when they key private data into a search form, but I think that it is reasonable to expect that that data is not going to be purposefully collected and deliberately made available to the public on an 'anything-goes' basis, particularly one where your individual habits are easily identified.
No, the Constitution comes much closer than that:
It's an outrage that these 9th and 10th Amendments -- which are arguably the most important -- are also the most ignored. The Founding Fathers are spinning in their graves.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz