EFF Files Complaint with FTC Over AOL Data Leak

Quincy A. writes "Last week's exposure of search data on over 500,000 AOL users was a gigantic embarrassment for the company. It may be about to get worse, as the EFF has filed a complaint with the FTC over the incident. 'Citing AOL's own Network Privacy Policy, the EFF says that the company failed to "implement reasonable and appropriate measures to protect personal consumer information from public disclosure."' Among other things, the complaint asks AOL to notify all users affected by the data disclosure via certified mail and provide free credit monitoring for a year."

While I am surprised the EFF took the case

[umm+qasr]

I'm happy that AOL will be help *somewhat* accountable.

Look on the bright side!

[PrescriptionWarning]

At least they provided a good 20 minutes of entertainment for me this morning :)

www.somethingawful.com/index.php?a=4016

I wonder

[LiquidCoooled]

Even if this *doesn't* get through court, could an AOL customer ask AOL for their export ID number?

Is the ID number we have all grown to know an integral part of every AOL account?
Does AOL even know who user 17556639 actually is or was it generated automatically and then lost in the data export?

EFF Can't Do It Alone!!!

[pfz]

They need your help!

Watch EFF attorney Jason Schultz tear the roof off in the new documentary, ALTERNATIVE FREEDOM. Maybe you will learn something or be able to show your friends and then we can all make sure digital rights are always kept in mind...

http://alternativefreedom.org/

Re:Why credit monitoring?

[Neil+Blender]

Heh, yeah. I searched it last night with some crude perl regexes. There were a bunch of full names and SSNs in the same search. One funny thing I kept finding was a search like:

"locate John L. Smith last address 123 Main Street, Houston, Texas social security number 123-45-6789"

Like AOL was some magic person finding machine. I kept thinking Star Trek, "Computer: Locate ..."

I don't want certified mail

[dysk]

the complaint asks AOL to notify all users affected by the data disclosure via certified mail

Unless I'm being sued or in immediate legal danger, I don't want to get any certified mail. When I do, I have to interrupt my work day and drive 10 miles over questionable roads to the post office. The fact that some of my searches may have been leaked without my name on them is not a reason to send a certified letter, however an insert in my next bill would be completely reasonable.

The EFF has good intentions, but in this case they are going overboard.

Re:Why do they even have this stuff?

[pclminion]

Why do they keep such logs, anyway? If it's to help tailor results better, or to help sell advertising, then why is it correlated with a user ID? My company, for example, saves a keyword search history, but there is no user-identfiable information correlated with it. And it's plenty of information for our needs.

First, the search database doesn't list AOL user IDs. It lists "unique IDs" for each user, but they are not correlated to whatever AOL's internal "User ID" is. But to assume that sanitizing the data by changing or completely removing user IDs will make people safe is boneheaded.

Let's start with a grep for social security numbers. I've blipped out the actual numbers themselves, but that's not much help for these poor folks, since anybody can get their hands on the database:

• find robert williams akron oh 44306 XXX-XX-XXXX
• birth certificate for debra ann collins 1-28-59 ss XXX-XX-XXXX
• locate keith ivan thompson born 3 may 64 social security XXX-XX-XXXX last address was XXXXXX colorado
• kristy nicole vega hammond la. social secruity number XXX-XX-XXXX birth date 03 08 81 drivers license number la. XXXXXXXXX address XXXXXXXX.

Moving on, check out this fascinating query:

• all i can say is you looked amazing in that photo. i would love to get achanceto know you. expect a call from me soon. are you looking for a friend or a companian just for future reference

Looks like somebody accidentally copy-pasted a portion of their private communication (email or IM, perhaps) into the search query box and clicked "Submit." Now their private thoughts are available for all to see. You'd be AMAZED at the stuff you'll find in these logs. The idea that by removing usernames/IDs from data is "instant sanitization" is naive and dangerous. There is more than enough information in many of these queries to identify specific individuals and examine EVERYTHING they have searched for in the past 6 months.

(I do question the sanity and intelligence of some of the people who submitted queries like the ones above, but ultimately this is not their fault.)

Re:So EFF stands for the free exchange of informat

[Coppit]

The Government and the Corporations do not have a Constitutional right to privacy.

Newsflash: neither do citizens. The closest the constitution comes is this:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

So your search history is fair game, as long as its not being used for searches and seizures. I get spam to an address I used for a Western Digital hard drive rebate. My neighbors kids get credit card offers after someone bought a kids magazine in their name. Privacy in the US is a joke compared to the strong laws in some countries (Germany IIRC is a good example).