Slashdot Mirror
EFF Files Complaint with FTC Over AOL Data Leak
Quincy A. writes "Last week's exposure of search data on over 500,000 AOL users was a gigantic embarrassment for the company. It may be about to get worse, as the EFF has filed a complaint with the FTC over the incident. 'Citing AOL's own Network Privacy Policy, the EFF says that the company failed to "implement reasonable and appropriate measures to protect personal consumer information from public disclosure."' Among other things, the complaint asks AOL to notify all users affected by the data disclosure via certified mail and provide free credit monitoring for a year."
If nothing else, it's a terrible, terrible reminder that no matter where you are, no matter what you're searching for, someone could be watching.
Sony ha
The EFF is the "stop 1984 from happening" fund. If you read Slashdot, you know why you should be a member.
</soapbox>
It is a good thing they'll face at least some minor repercussions, but it's a far cry from what should happen. At the minimum, AOL should be proscribed from logging this information in the future. More fairly, AOL should be forced to pay a hefty sum to each of its customers and be proscribed from logging the information again.
Neither of these things will happen, though. AOL will keep spying on its customers and selling the information, future customers will not be notified of this fact except perhaps in some microscopic-print contract term, and in a few weeks almost everyone will have forgotten.
As slashbots, I imagine it's safe to say that we're not fond of AOL nor AOLers to begin with, and that's ok. Part of me wants to cite Chuck Darwin on this one, but I also understand that if it could happen at AOL, it may happen elsewhere. That's why I'm cheering the EFF on -- to send the message to every other ISP/search engine out there who doesn't get it yet. The privacy of your customers is very important.
I must admit some of that data (if it weren't tied to ID's) could make for good sociology/psychology papers.
The accountability they take in the future might be less than inspiring. From the article:
It is certain that AOL will vigorously contest the EFF's complaint, with the linchpin of its defense being that the whole thing was a horrible idea from AOL's new research unit that will never be repeated. Unfortunately, horrible ideas can have real-world ramifications, and even though AOL is "deeply sorry" and swears it will never happen again, there need to be some safeguards in place to prevent a recurrence.
I wonder what would happen to a murder defendant that tried to use that defense. "I'm sorry your Honor....my left hand pulled the trigger without my permission. It won't happen again! I promise!
Bottom line, respondeat superior says it is their unit, their employees, THE COMPANY is responsible.
The Government and the Corporations do not have a Constitutional right to privacy.
Hence all consumer (people) data must be treated as private by default, whereas the Government data must be treated as inherently public.
The EFF opposes the recent drive to turn this principle inside-out.
Obama likes poor people so much, he wants to make more of them.
The problem is that it is the searches which are revealing. It isn't possible to release complete search data AND protect privacy of all users because people search for things that are important to them, i.e., the searches are self revealing. That's why replacing usernames with a numerical identifier was so ineffectual for so many users.
As an aside, I imported the data into a mysql database. I've never messed with that much data before and it was a good learning experience with respect to grep, awk, and sed and converting the tab deliminated files into something I could import into mysql. I do wonder however, if there is a way to just import the tab deliminated file without adding "insert" to lines and escaping the ' ( ) and ; characters that appear in the data. Any experts have a hint? On my athlon 2200+ with 512mb of ram, each search of the data takes about a minute to complete. It's actually faster to just grep for lower numbered userids and then kill grep once the output shows.
What changed under Obama? Nothing Good
While I feel sorry for the specific individuals that AOL abused, this was probably a good thing in the long term for the privacy of the rest of internet users everywhere.
>AOL has been punished enough in the press. Given the circumstances I don't think that any legal action is necessary.
Others are of the opinion that the people responsible should spend decades in prision, and that the company should pay fines and restitution at the kinds of levels that would reduce them from a multi-billion-dollar-corporation to a startup looking for venture capital.
Somehwere in between that extreme and yours, there will be some appropriate consequences.
-fb Everything not expressly forbidden is now mandatory.
- the "Electronic Frontier" is woven into everyone's life: what happens electronically can be more real, longer lasting, than any real-world event, and
- "Foundation" doesn't mean the same as "Bill & Melinda Gates Foundation" (it can buy countries), or the "Ford Foundation" (it can casually sponsor a year of PBS). The EFF, unless it wins the trillion-dollar lawsuit, is a small donor-supported non-profit.
- And in some cases, the ACLU doesn't do as well. The EFF's AT&T lawsuit is still going strong. The EFF filed in January to get that amazing 'not automatically dismissed on state secrets' ruling. I admit I'm biased- I know people there and am a supporter- but damn, they're good.
Consider warrantless searches. In your 'real world,' a set of police can only do a few warrantless searches per day- maybe 10 or 20 if they have their door-kick down. In the actual world, a set of searchers hooked into AT&Ts database can do millions of warrantless searches per day. And they don't leave busted doors behind as a clue.Consider voter disenfranchisement. In the old days, you had to physically block people from voting, one by one. Now you can do badly-designed joins on voter-rolls and stop thousands of people from voting in an afternoon.
Consider Free Speech. In your world you have to hire goons- expensive at overtime- to physically intimidate speakers. In the actual world automated intimidation, expensive intimidation, exists. In the actual world, entire subjects can be disappeared from view, thousands in one software installation.
Or maybe you really don't worry about building innovative tech companies, music CDs, publishing electronically. You really don't worry about credit scores, credit card records, HIPAA, test results, university records, voter data, flight records, VoIP calls... in your world. Funny, I didn't think they'd let you online in Supermax, Mr. Kaczynski.
Right, as if anyones to know that AOL would do this. Yes, AOL is a complete pile of shit for a company, but this was unexpected. You cannot blaim these people, I feel for each one of them.
Google already knows where you live and has a satellite picture of your house. They can even tell which computer behind your NAT is making each search, based on the cookies that they leave on your computer.
Intron: the portion of DNA which expresses nothing useful.
Someone needs to come up with a quick-and-dirty resident app that issues random search queries to Google and other engines at random intervals. You poison the value of the data and make it relatively useless.
This is more than a "huge lapse in judgment", it's criminal negligence and legal action should be taken (IANAL). It's hard to imagine a researcher or company could be so collosally brain-damaged as to freely give away this data to the public. I would actually be more understanding if it was stolen. If anything, the data should be available only to qualified researchers, and then only under an NDA that would only permit summarized forms of the data to be published.
There is more than enough information in here for identity theft and blackmail. In less than one day of casual inspection, I've identified a number of individuals, of which a half-dozen or so could be blackmail targets (affairs, sexual fetishes, pedophilia, drug abuse and alcoholism, etc.) The number who could be targets of identity theft is higher.