EFF Files Complaint with FTC Over AOL Data Leak

Quincy A. writes "Last week's exposure of search data on over 500,000 AOL users was a gigantic embarrassment for the company. It may be about to get worse, as the EFF has filed a complaint with the FTC over the incident. 'Citing AOL's own Network Privacy Policy, the EFF says that the company failed to "implement reasonable and appropriate measures to protect personal consumer information from public disclosure."' Among other things, the complaint asks AOL to notify all users affected by the data disclosure via certified mail and provide free credit monitoring for a year."

Why do they even have this stuff?

[Skadet]

Among the list of remedies proposed by the EFF include [...] hav[ing] the FTC bar [AOL] from storing users' search activities "except where necessary... to the rendition of AOL's services or the protection of AOL rights and property." At most, AOL should only be allowed to keep 14 days' worth of data, argues the EFF.

Why do they keep such logs, anyway? If it's to help tailor results better, or to help sell advertising, then why is it correlated with a user ID? My company, for example, saves a keyword search history, but there is no user-identfiable information correlated with it. And it's plenty of information for our needs.

If nothing else, it's a terrible, terrible reminder that no matter where you are, no matter what you're searching for, someone could be watching.

Re:Why do they even have this stuff?

[DerGeist]

More like someone is watching.

This user-search crap is an advertising goldmine. The internet is so vast and intricate that you need a search engine to find just about anything (unless you happen to enjoy posting to random forums in hopes for a response...in a few days or so).

But when you search, it says something about you personally. Just like when you buy things at the grocery store (don't forget to use your Super Shopper Saver Discount Card, Mister 60917492!) searching online indicates what you are interested in and what you're likely to buy in the future. By hopefully pegging your wants, desires, hobbies, interests, tastes and preferences into a conveniently distributable file advertisers hope to beam you laser-targetted ads for crap that you (and only you) will simply HAVE to buy in order to feel complete as a human being.

Without the personal identiciation, they can't hope to learn every intricate detail of your life in order to suck more of your money from your pockets (or packets, as the case may be :-). *ducks*

Donate to these people

[MobyDisk]

The EFF is the "stop 1984 from happening" fund. If you read Slashdot, you know why you should be a member.
</soapbox>

Re:Donate to these people

[avalys]

Don't forget the ACLU.

Electronic freedom is nice, but freedom in the real world is all that matters in the end.

Re:Donate to these people

[eipgam]

Some semi-relevant links for UK residents:

http://www.cfoi.org.uk/
http://www.liberty-human-rights.org.uk/
http://www.cyber-rights.org/
http://www.justice.org.uk/

Re:Donate to these people

[Just+Some+Guy]

And while we're at it, the NRA (for that amendment the ACLU forgot about).

Re:While I am surprised the EFF took the case

[deviantphil]

The accountability they take in the future might be less than inspiring. From the article:

It is certain that AOL will vigorously contest the EFF's complaint, with the linchpin of its defense being that the whole thing was a horrible idea from AOL's new research unit that will never be repeated. Unfortunately, horrible ideas can have real-world ramifications, and even though AOL is "deeply sorry" and swears it will never happen again, there need to be some safeguards in place to prevent a recurrence.

I wonder what would happen to a murder defendant that tried to use that defense. "I'm sorry your Honor....my left hand pulled the trigger without my permission. It won't happen again! I promise!

Bottom line, respondeat superior says it is their unit, their employees, THE COMPANY is responsible.

Re:So EFF stands for the free exchange of informat

[megaditto]

The Government and the Corporations do not have a Constitutional right to privacy.

Hence all consumer (people) data must be treated as private by default, whereas the Government data must be treated as inherently public.

The EFF opposes the recent drive to turn this principle inside-out.

Re:While I am surprised the EFF took the case

[anagama]

The problem is that it is the searches which are revealing. It isn't possible to release complete search data AND protect privacy of all users because people search for things that are important to them, i.e., the searches are self revealing. That's why replacing usernames with a numerical identifier was so ineffectual for so many users.

As an aside, I imported the data into a mysql database. I've never messed with that much data before and it was a good learning experience with respect to grep, awk, and sed and converting the tab deliminated files into something I could import into mysql. I do wonder however, if there is a way to just import the tab deliminated file without adding "insert" to lines and escaping the ' ( ) and ; characters that appear in the data. Any experts have a hint? On my athlon 2200+ with 512mb of ram, each search of the data takes about a minute to complete. It's actually faster to just grep for lower numbered userids and then kill grep once the output shows.