EFF Files Complaint with FTC Over AOL Data Leak

Quincy A. writes "Last week's exposure of search data on over 500,000 AOL users was a gigantic embarrassment for the company. It may be about to get worse, as the EFF has filed a complaint with the FTC over the incident. 'Citing AOL's own Network Privacy Policy, the EFF says that the company failed to "implement reasonable and appropriate measures to protect personal consumer information from public disclosure."' Among other things, the complaint asks AOL to notify all users affected by the data disclosure via certified mail and provide free credit monitoring for a year."

While I am surprised the EFF took the case

[umm+qasr]

I'm happy that AOL will be help *somewhat* accountable.

Re:While I am surprised the EFF took the case

[kkiller]

I agree, although I'd prefer it if they were being held accountable :-P

Re:While I am surprised the EFF took the case

gsf bitches

Re:While I am surprised the EFF took the case

It is a good thing they'll face at least some minor repercussions, but it's a far cry from what should happen. At the minimum, AOL should be proscribed from logging this information in the future. More fairly, AOL should be forced to pay a hefty sum to each of its customers and be proscribed from logging the information again.

Neither of these things will happen, though. AOL will keep spying on its customers and selling the information, future customers will not be notified of this fact except perhaps in some microscopic-print contract term, and in a few weeks almost everyone will have forgotten.

Re:While I am surprised the EFF took the case

gsf bitches2

Re:While I am surprised the EFF took the case

As slashbots, I imagine it's safe to say that we're not fond of AOL nor AOLers to begin with, and that's ok. Part of me wants to cite Chuck Darwin on this one, but I also understand that if it could happen at AOL, it may happen elsewhere. That's why I'm cheering the EFF on -- to send the message to every other ISP/search engine out there who doesn't get it yet. The privacy of your customers is very important.

I must admit some of that data (if it weren't tied to ID's) could make for good sociology/psychology papers.

Re:While I am surprised the EFF took the case

[deviantphil]

The accountability they take in the future might be less than inspiring. From the article:

It is certain that AOL will vigorously contest the EFF's complaint, with the linchpin of its defense being that the whole thing was a horrible idea from AOL's new research unit that will never be repeated. Unfortunately, horrible ideas can have real-world ramifications, and even though AOL is "deeply sorry" and swears it will never happen again, there need to be some safeguards in place to prevent a recurrence.

I wonder what would happen to a murder defendant that tried to use that defense. "I'm sorry your Honor....my left hand pulled the trigger without my permission. It won't happen again! I promise!

Bottom line, respondeat superior says it is their unit, their employees, THE COMPANY is responsible.

Re:While I am surprised the EFF took the case

[umm+qasr]

Yeah. Typo corrections are funny.

Re:While I am surprised the EFF took the case

gsf bitches3

Re:While I am surprised the EFF took the case

[anagama]

The problem is that it is the searches which are revealing. It isn't possible to release complete search data AND protect privacy of all users because people search for things that are important to them, i.e., the searches are self revealing. That's why replacing usernames with a numerical identifier was so ineffectual for so many users.

As an aside, I imported the data into a mysql database. I've never messed with that much data before and it was a good learning experience with respect to grep, awk, and sed and converting the tab deliminated files into something I could import into mysql. I do wonder however, if there is a way to just import the tab deliminated file without adding "insert" to lines and escaping the ' ( ) and ; characters that appear in the data. Any experts have a hint? On my athlon 2200+ with 512mb of ram, each search of the data takes about a minute to complete. It's actually faster to just grep for lower numbered userids and then kill grep once the output shows.

Re:While I am surprised the EFF took the case

[merreborn]

The mysqlimport command.

http://mysql.com/doc/refman/5.0/en/mysqlimport.htm l

Re:While I am surprised the EFF took the case

[fishbowl]

>I must admit some of that data (if it weren't tied to ID's) could make for good sociology/psychology papers.

And the data should be treated precisely the same as psych experiments on human subjects, because that is exactly what it is. If you have never tried to do a research project involving human subjects in your experiments, you probably don't realize the hoops you have to jump through or the accountability you are required to take.

By "experiments", I mean, even getting permission to present a slide show to a group and ask them questions, that sort of thing.

Re:While I am surprised the EFF took the case

[Neil+Blender]

If the file has say, 5 columns that are tab delimited - make a table with five columns of the appropriate type

Then use this statement:

load data infile '/path/to/file/file.txt' into table name_of_table;

Tab delimited is the default delimiter for that statement but you can change it.

And as someone who regularly works with this amount of data - dump grep, sed and awk and learn Perl. It is way, way faster and is exactly the tool for this kind of job. Oh, and put an index on your search term column.

Re:While I am surprised the EFF took the case

[anagama]

thanks to you both -- I'll definitely take your hints.

Re:While I am surprised the EFF took the case

[Dog-Cow]

How is it "spying" when all the data collected is submited to AOL by the users to be used as search terms? They aren't recording anything not sent to them on purpose by the users. That's like saying it's spying to save emails people send you.

But I know, it's trendy to bash AOL for the hell of it.

Re:While I am surprised the EFF took the case

It's spying when you surreptitiously collect information about someone.

When you go for a walk carrying your cell phone, your phone is constantly transmitting the information necessary to locate you. You voluntarily pay for the phone service, and know (if you learn how things work) that this is happening. Yet, if someone at the cell phone company is watching you, recording this record of your location, to build up a complete, permanent record of everywhere you have gone, there are few sane people who wouldn't call that spying.

In the same sense, you know you are giving AOL your search terms in order for them to perform the search -- but you're not giving the terms to them in order to help them keep a permanent, indexed record of all of your searches. Someone with a little computer knowledge should realize how easy it is for AOL to do this. This doesn't justify AOL actually doing it.

It would be far more acceptable if AOL had explicitly told its customers this was its intent. (I'm not talking about some fine print in a "privacy policy," I'm talking about an explicit statement made obvious to all new users.) As long as AOL keeps these records and pretends that it's respecting the users' privacy, it is effectively deceiving and certainly spying.

Don't try to dismiss this as "bashing AOL." The same arguments apply to most other search engines.

Re:While I am surprised the EFF took the case

[ShaunC]

each search of the data takes about a minute to complete

Assuming a table named aol_search, with columns user_id and search_term, this will speed things up:

alter table aol_search add index users(user_id)
alter table aol_search add index terms(search_term)

If you're querying on the URLs, add an index for those too.

AOL issues a press release:

OMGWTFBBQ!

Re:AOL issues a press release:

[SuperBanana]

OMGWTFBBQ!

I was thinking more along the lines of "LOS GTG!!1"

(Lawyers Over Shoulder.)

Re:AOL issues a press release:

[MMC+Monster]

Oh My God, What The F?ck, Bar-B-Q???

slogan

[MrSquirrel]

AOL's new slogan: "Whoopsie-doodles!"

bad for aol, good for aol.

[Brigadier]

with all the hype around personal privacy laws, and elections coming up this is a bad time for AOL. Nuff said though as they are in my opinion, the originators of spam, and the selling of customer information to data miners

Looks great but

[BeoCluster]

Can I make a Beowulf Cluster of these search queries ?

So EFF stands for the free exchange of information

Except when it's information they don't like?

Why do they even have this stuff?

[Skadet]

Among the list of remedies proposed by the EFF include [...] hav[ing] the FTC bar [AOL] from storing users' search activities "except where necessary... to the rendition of AOL's services or the protection of AOL rights and property." At most, AOL should only be allowed to keep 14 days' worth of data, argues the EFF.

Why do they keep such logs, anyway? If it's to help tailor results better, or to help sell advertising, then why is it correlated with a user ID? My company, for example, saves a keyword search history, but there is no user-identfiable information correlated with it. And it's plenty of information for our needs.

If nothing else, it's a terrible, terrible reminder that no matter where you are, no matter what you're searching for, someone could be watching.

Re:Why do they even have this stuff?

[DerGeist]

More like someone is watching.

This user-search crap is an advertising goldmine. The internet is so vast and intricate that you need a search engine to find just about anything (unless you happen to enjoy posting to random forums in hopes for a response...in a few days or so).

But when you search, it says something about you personally. Just like when you buy things at the grocery store (don't forget to use your Super Shopper Saver Discount Card, Mister 60917492!) searching online indicates what you are interested in and what you're likely to buy in the future. By hopefully pegging your wants, desires, hobbies, interests, tastes and preferences into a conveniently distributable file advertisers hope to beam you laser-targetted ads for crap that you (and only you) will simply HAVE to buy in order to feel complete as a human being.

Without the personal identiciation, they can't hope to learn every intricate detail of your life in order to suck more of your money from your pockets (or packets, as the case may be :-). *ducks*

Re:Why do they even have this stuff?

Simple. It's called directed advertising. AOL not only has demographics on all their customers (age, gender, geographic location, etc.) but they can also correlate their personal interests by matching search terms with that data.

Re:Why do they even have this stuff?

[pclminion]

Why do they keep such logs, anyway? If it's to help tailor results better, or to help sell advertising, then why is it correlated with a user ID? My company, for example, saves a keyword search history, but there is no user-identfiable information correlated with it. And it's plenty of information for our needs.

First, the search database doesn't list AOL user IDs. It lists "unique IDs" for each user, but they are not correlated to whatever AOL's internal "User ID" is. But to assume that sanitizing the data by changing or completely removing user IDs will make people safe is boneheaded.

Let's start with a grep for social security numbers. I've blipped out the actual numbers themselves, but that's not much help for these poor folks, since anybody can get their hands on the database:

• find robert williams akron oh 44306 XXX-XX-XXXX
• birth certificate for debra ann collins 1-28-59 ss XXX-XX-XXXX
• locate keith ivan thompson born 3 may 64 social security XXX-XX-XXXX last address was XXXXXX colorado
• kristy nicole vega hammond la. social secruity number XXX-XX-XXXX birth date 03 08 81 drivers license number la. XXXXXXXXX address XXXXXXXX.

Moving on, check out this fascinating query:

• all i can say is you looked amazing in that photo. i would love to get achanceto know you. expect a call from me soon. are you looking for a friend or a companian just for future reference

Looks like somebody accidentally copy-pasted a portion of their private communication (email or IM, perhaps) into the search query box and clicked "Submit." Now their private thoughts are available for all to see. You'd be AMAZED at the stuff you'll find in these logs. The idea that by removing usernames/IDs from data is "instant sanitization" is naive and dangerous. There is more than enough information in many of these queries to identify specific individuals and examine EVERYTHING they have searched for in the past 6 months.

(I do question the sanity and intelligence of some of the people who submitted queries like the ones above, but ultimately this is not their fault.)

Re:Why do they even have this stuff?

[planckscale]

This type of thing gives me more reason to sign up with an anonymous proxy/vpn. Something like https://www.relakks.com/?lang=eng . I think the $5 to $10 a month would be worth it. No corporate reporting, no advertising scheming, and no identifying IP. Has anyone had luck with a private proxy/vpn?

Re:Why do they even have this stuff?

but ultimately this is not their fault.

How, exactly, are they absolved of any responsibility?

Re:Why do they even have this stuff?

[pclminion]

How, exactly, are they absolved of any responsibility?

The same way a rape victim is absolved of responsibility, even if they were wearing a provocative outfit, you fucking sociopath.

Re:Why do they even have this stuff?

There's no way of knowing if the individuals named in the example searches are the ones who did the queries. It could be somebody's boneheaded mother trying to track them down. Yet you blame the poor guy who's SSN is posted on the web? You're a real idiot.

I've been meaning to make a donation.

While I'm demonstrating my support, I thought I'd suggest some of you do the same.

Have you shown your support? EFF

Re:I've been meaning to make a donation.

[disc-chord]

They got some nice swag now for donating.

Suck it, PBS!

Re:I've been meaning to make a donation.

[verbatin01]

They also let a lot of stupid things happen, like not enforcing .xxx extensions on porn sites. That's something that would only make it easier for people to limit content when they don't feel that it's appropriate in a given situation. In my book, that's appropriate. Of course, that's not what the EFF is about, is it? How can I say that, right?! The EFF is all about the rights of others? Rights are a double-edge sword - everybody that made it out of high school understands that. You can't allow unlimited freedom without screwing over somebody else in the end. So just remember that - the EFF is NOT all about protecting your freedom.

Re:I've been meaning to make a donation.

I think a cursory analysis of the .xxx domain demonstrates that the idea, while "appropriate", was not workable. Here are some reasons, just off the top of my head:

• Different definitions of porn. Believe it or not, what constitutes pornography depends very much on cultural mores. For example, it is extremely common to see adverts for beauty products in French and German womens' magazines that feature topless models -- this is not seen as pornography, but to many Americans it would be. From the other side, in many middle eastern countries, a woman displaying her hair is considered sexually provocative and is illegal in public -- in these countries websites featuring photos of women not properly dressed might very well be considered pornography. Even without considering these sorts of extreme differences, the religious right in the US frequently accuses artists that work sexual themes into their paintings and films of producing pornography. Even if you agree that the work is needlessly explicit, would labeling it as 'xxx' be appropriate in this case?
• The international nature of the internet makes the whole thing unenforcable. Even now, many porn sites are hosted in countries like Russia, where laws or enforcement of laws regarding what is acceptable in pornography are slacker. Do you think that porn companies are going willingly go with the .xxx domain if they have the option of not doing so? Of course not. Because ISPs and companies will block the .xxx domain, and porn companies don't want to be blocked. In the US, you could (assuming that you can surmount the definition of porn problem I mentioned above) legislate this problem away, but what about Russian or Eastern European sites? As it stands many sites on the net are hosted in these countries. Leaving them out would make the .xxx domain rather useless, especially since porn companies currently hosted in the US would quickly move elsewhere to "route around the legislation." Internet companies can be hosted anywhere.

It makes far more sense for private companies to produce "block-lists" of porn sites, which you acquire for a small fee, and which they keep updated for you. This allows you to block porn sites regardless of their domain, and also allows you to shop around for a blocking company that fits your particular, subjective definition of porn. In the US, there most certainly is a market for this sort of software, which is why many such companies exist.

The problem with legislating the porn problem obviously is that you trust some politician to decide what's porn and what's not, and it doesn't even work because companies can just set up base elsewhere.

I personally have nothing against blocking porn, don't get me wrong. I just don't think the .xxx domain is a workable idea, at all.

Donate to these people

[MobyDisk]

The EFF is the "stop 1984 from happening" fund. If you read Slashdot, you know why you should be a member.
</soapbox>

Re:Donate to these people

[avalys]

Don't forget the ACLU.

Electronic freedom is nice, but freedom in the real world is all that matters in the end.

Re:Donate to these people

[eipgam]

Some semi-relevant links for UK residents:

http://www.cfoi.org.uk/
http://www.liberty-human-rights.org.uk/
http://www.cyber-rights.org/
http://www.justice.org.uk/

Re:Donate to these people

But they drink the blood of Christian babies!

Re:Donate to these people

[Just+Some+Guy]

And while we're at it, the NRA (for that amendment the ACLU forgot about).

Re:Donate to these people

[noidentity]

Electronic freedom is nice, but freedom in the real world is all that matters in the end.

I really hate it when people treat online as any less real than offline. Both involve communication between humans, and that communication is important for survival. As more things become dependent on online communications, "the real world" is expanding to cover it.

Re:Donate to these people

[Profane+MuthaFucka]

Right, because it's way more cool to get mowed down by a Tomahawk when you're holding a gun. Don't think that a bunch of old gits with guns are going to stop a determined dictator wielding the might of the US Army. If the EFF and the ACLU fail, we're fucked.

Re:Donate to these people

[pfz]

the real world? last time i checked the words, art, and actions we create using computers and technology is real!

Look on the bright side!

[PrescriptionWarning]

At least they provided a good 20 minutes of entertainment for me this morning :)

www.somethingawful.com/index.php?a=4016

Re:Look on the bright side!

Came here to post this :)

Re:So EFF stands for the free exchange of informat

[Recovering+Hater]

No, troll. From their main page : "What is EFF? EFF is a nonprofit group of passionate people -- lawyers, technologists, volunteers, and visionaries -- working to protect your digital rights.

Enjoin?

[Mateo_LeFou]

I wonder whether AOL could be enjoined from collecting any personal data about users until this case is decided?

I wonder

[LiquidCoooled]

Even if this *doesn't* get through court, could an AOL customer ask AOL for their export ID number?

Is the ID number we have all grown to know an integral part of every AOL account?
Does AOL even know who user 17556639 actually is or was it generated automatically and then lost in the data export?

Re:I wonder

[Ponga]

Ha. You can be sure that user 17556639 is correlated to an IP address somewhere. Discovering the real users' identity at that point is a trivial matter.

Re:I wonder

[merreborn]

From the .txt file that comes with the data:

"The data is sorted by anonymous user ID and sequentially arranged."

AOL probably doesn't have a direct maping of anonymous ID -> AOL user ID. Of course, they have the original data, and as such, could work it out trivially.

Free credit monitoring?

Uh... To punish them for releasing a database of search results (that are pretty much anonymous, though some detective work can put names to some) the offended customers should give them access to MORE confidential information (SSN, mother's maiden name, credit history...?)

Why credit monitoring?

[grylnsmn]

Among other things, the complaint asks AOL to notify all users affected by the data disclosure via certified mail and provide free credit monitoring for a year.

Why should AOL have to provide free credit monitoring? Did the search information include Social Secuirity Numbers, home addresses, mother's maiden name (and identifiable as such), PINs, or some other sort of data that could be used to affect someone's credit report? If not, then what reason is there to ask for credit monitoring?

Re:Why credit monitoring?

Yes..yes it did

Re:Why credit monitoring?

[GoRK]

Why should AOL have to provide free credit monitoring? Did the search information include Social Secuirity Numbers, home addresses, mother's maiden name (and identifiable as such), PINs, or some other sort of data that could be used to affect someone's credit report? If not, then what reason is there to ask for credit monitoring?

Really have you not heard about this? The data absolutely did contain exactly this sort of data.

Re:Why credit monitoring?

[budgenator]

Did the search information include Social Secuirity Numbers, home addresses, mother's maiden name (and identifiable as such), PINs, or some other sort of data that could be used to affect someone's credit report?
YES, many people run their personaly identifiable information through a search engine; don't you think that if google indexed a text file that was a dump of some perloined database on eveilhacker.com you'd want to know about it? For me for a search engine to turn over search queries is serious breach of confidence; I could never use Yahoo, MSN, or AOL for anything beyond trivial searches now, and I only use yahoo for yellowpages skimming at work.

Re:Why credit monitoring?

[Neil+Blender]

Heh, yeah. I searched it last night with some crude perl regexes. There were a bunch of full names and SSNs in the same search. One funny thing I kept finding was a search like:

"locate John L. Smith last address 123 Main Street, Houston, Texas social security number 123-45-6789"

Like AOL was some magic person finding machine. I kept thinking Star Trek, "Computer: Locate ..."

Re:Why credit monitoring?

Even without searching for other people, some can be searching for themselves. I'll admit it, back during the spate of stupid e-commerce sites putting files of all of their transactions including creditcard numbers up for google to index, I searched for my own credit card number on google. I figured that if it was already out there, it couldn't do any more damage by putting it out there again.

Incidentially it got no hits at the time, though it's been a couple of years now.

Re:Why credit monitoring?

[Richard_at_work]

If the data contained all of this, then so do the referrer logs of millions of webservers that get redirects from Google, AOL, Yahoo, you name it. This case highlights the sheer idiotic stupidity of users in the first place, typing their own personal information into a BOX on a SCREEN they *know* is connected to the internet, and expecting the data to remain 'secret'. Idiots, the lot of them. Im not saying AOL should be exonerated from all wrongdoing, but users have to take some blame for this themselves.

Re:Why credit monitoring?

[morcheeba]

I ran a quick check:

The term "SSN" was used by only 68 searches - and one referred to a ship.
Numbers of the format "111-11-1111" were searched 191 times. 22 of these searches had names attached. I didn't look in adjacent matches, so some more names might be inferred.
Nine-digit numbers were searched 246 times. I did a quick look-over, and none of these appeared to be SSN's.

Re:Why credit monitoring?

[joshier]

Right, as if anyones to know that AOL would do this. Yes, AOL is a complete pile of shit for a company, but this was unexpected. You cannot blaim these people, I feel for each one of them.

Re:Why credit monitoring?

[merreborn]

bash$ egrep '[0-7][0-9]{2,2}-[0-9]{2,2}-[0-9]{4,4}' user-ct-test-collection-*.txt | wc -l
183
bash$

183 search queries contain well formed SSNs (I'm sure there are hundreds more w/o dashes, etc) (I threw the [0-7] at the begining because wikipedia indicates that no SSNs with the first 3 digits over 772 have been issued). I looked at a handful and a lot of those searches contain a lot more than just SSNs, at that.

For example, the below (which I've actually removed the sensitive data from -- it's public, but I refuse to repost it):
4186504 locate keith ivan thompson born * *** ** social security ***-**-**** last address was *** street apt *** ****** colorado

Re:Why credit monitoring?

[gorbachev]

Yes, but if that SSN doesn't belong to the AOL user who performed the search, AOL is not LEGALLY required to do anything about it, as AOL's customer data was not leaked.

Tough nookies for Ivan Thompson, though.

Re:Why credit monitoring?

[merreborn]

True; kieth ivan thompson *probably* wasn't the one who issued that query. However, I'm willing to bet at least one of the 183 SSNs I found belonged to the searcher. And again -- I only found well-formed SSNs; I completely ignored those without dashes, which almost certainly number somewhere around 100, if not more.

Re:Why credit monitoring?

[Richard_at_work]

I can blame these people, they blindly put private and confidential information into a search box on a webpage. If they did it with AOL, who else did they do it with? These people have no understanding of the web, and yet they still submitted personal information to other peoples hands - how can they have any expectation that that information would have continued to be privileged? Im quite right in saying that the search engine string is now in the referrer logs of any website they visited from the results, so the information was already well beyond AOL. There is a level of personal responsability with your data.

Re:Why credit monitoring?

locate John O'Connor and Sarah O'Connor

Re:Why credit monitoring?

[GoRK]

Well yes, I suppose if you search for your SSN and then follow a link to a website then the referrer log has the SSN in it -- but then again so does the page that site is hosting. In addition, without the means to tie the data into all the other searches the user is doing, what you could get from a single entry in the referrer is probably going to be almost worthless in most cases.

I'm not saying that the user is not responsible when they key private data into a search form, but I think that it is reasonalbe to expect that that data is not going to be purposefully collected and deliberately made available to the public on an 'anything-goes' basis, particularly one where your individual habits are easily identified.

Re:So EFF stands for the free exchange of informat

100% Troll.
Yes, people are for things they like, and against things they don't like.
What's your point?

The worst

[Recovering+Hater]

More ignorance from the company recently voted worst technology of all time. http://www.pcworld.com/article/id,125772-page,2/ar ticle.html

This should...

[kingsean]

really be from the "little-tighter-with-those-tubes-please" department.

EFF Can't Do It Alone!!!

[pfz]

They need your help!

Watch EFF attorney Jason Schultz tear the roof off in the new documentary, ALTERNATIVE FREEDOM. Maybe you will learn something or be able to show your friends and then we can all make sure digital rights are always kept in mind...

http://alternativefreedom.org/

Why oh why oh why???

[atomic_toaster]

I'm not saying that in any way AOL users "deserved" this -- nobody does. No matter what or how much information you a company has about you, whether it be your net searches or how filthy your carpets are, you expect the company that holds this information to keep it private.

However, why in the world would you go with a company like AOL that has so many recorded existing problems that could be discovered with a modicum of research? Unfortunately, it seems much like U-Haul being one of/the biggest moving van rental companies despite all the bad press... It's a household name, so it has to be good, right?

Re:Why oh why oh why???

[mroonie]

Well said.... That database that AOL put up cost the company what little credibility it had left. We all know that AOL's going down the drain but that had to be the last straw. I mean, do you know how many people out there have searched their name just to see what they can find about themselves on the internet? That's all it takes for that person to become a victim of ID theft! AOL is already the breeding ground for spammers, scammers and hackers http://www.essentialsecurity.com/Documents/article 22.htm ...and now they have just welcomed more of them in with open arms.

Re:Why oh why oh why???

[Overzeetop]

Yeah, it's a good thing that "good" companies like Google don't do this sort of loggin... ...aw, shit.

Re:Why oh why oh why???

[Shadyman]

"I'm not saying that in any way AOL users "deserved" this -- nobody does"

Fair enough, but come on, not EVEN AOL users??? We have to draw the line somewhere.

Re:So EFF stands for the free exchange of informat

[megaditto]

The Government and the Corporations do not have a Constitutional right to privacy.

Hence all consumer (people) data must be treated as private by default, whereas the Government data must be treated as inherently public.

The EFF opposes the recent drive to turn this principle inside-out.

Even search terms could be a risk

[grahamsz]

I regularly google for

"1234 My Street, 80516 to somewhereelse, 80999"

in order to get driving directions.

If I were up to something nefarious then it would probably be quite obvious. Although i'm not up to anything and don't really care.

Re:Even search terms could be a risk

[russ1337]

you should only enter your zip as your starting address, for this very reason. (you should know your way around your zip, right?

Re:Even search terms could be a risk

[Intron]

Google already knows where you live and has a satellite picture of your house. They can even tell which computer behind your NAT is making each search, based on the cookies that they leave on your computer.

Re:Even search terms could be a risk

[man_ls]

I guess it doesn't help matters that I let them track every search I make and give it to me in a nice history organized by search term, and which links I clicked on below it.

I like having tons of information about myself available, even if it means it's available to someone else as well. The important difference here is that I'm making the informed decision to vacate some of my privacy in exchange for some data mining done for me on my behalf, rather than my privacy being violated without any choice in the matter on my end.

Re:Even search terms could be a risk

[grahamsz]

In addition to the fact that google know where I live and probably what I had for breakfast this morning, I'm right on the extremity of a zip code, and there's usually quite a big difference in local directions between my house and the centroid.

Relief doesn't match mistake

[dysk]

Yes, AOL made a mistake by releasing that information. They've admitted to the mistake, apologized, and I doubt anyone will try to do this again.

On the other hand, one needs to recognize that they didn't release the information for the purposes of making money, or defrauding the customers, or anything else. They collected the data in order to help a researcher write an extremely informative paper[pdf] about human behavior as it relates to searches. That researcher decided that other's might benefit from the information, and convinced AOL to make it publically available. It turns out that that was a huge lapse in judgement, but nonetheless, intentions are also important and while criticizing AOL, we should also complement them for their effort to interface with the academic community.

AOL has been punished enough in the press. Given the circumstances I don't think that any legal action is necessary.

Re:Relief doesn't match mistake

[fishbowl]

>AOL has been punished enough in the press. Given the circumstances I don't think that any legal action is necessary.

Others are of the opinion that the people responsible should spend decades in prision, and that the company should pay fines and restitution at the kinds of levels that would reduce them from a multi-billion-dollar-corporation to a startup looking for venture capital.

Somehwere in between that extreme and yours, there will be some appropriate consequences.

Re:Relief doesn't match mistake

This is more than a "huge lapse in judgment", it's criminal negligence and legal action should be taken (IANAL). It's hard to imagine a researcher or company could be so collosally brain-damaged as to freely give away this data to the public. I would actually be more understanding if it was stolen. If anything, the data should be available only to qualified researchers, and then only under an NDA that would only permit summarized forms of the data to be published.

There is more than enough information in here for identity theft and blackmail. In less than one day of casual inspection, I've identified a number of individuals, of which a half-dozen or so could be blackmail targets (affairs, sexual fetishes, pedophilia, drug abuse and alcoholism, etc.) The number who could be targets of identity theft is higher.

Re:Relief doesn't match mistake

Who cares if they made some informative paper? The fact is the information should have never been available to this researcher in the first place. Privacy > Research.

Re:Relief doesn't match mistake

So much /. bias whenever AOL is mentioned, it's like Microsoft but without the apologists.

When Google finally leaks some data, or has some stolen, we should revisit this topic. I wonder how many of you will be so quick to call for criminal prosecutions in that scenario.

The question is , why did AOL release info at all?

[rufusdufus]

It was a very strange thing for AOL to release that search history. Out of the blue, they suddenly announce they are giving away some of their data. Why did they do this? They must have had a reason. The only thing I can think of off hand is they needed a way to make the information public so it could be used legally by law enforcement?

who says they CAN notify the users?

[SuperBanana]

Among other things, the complaint asks AOL to notify all users affected by the data disclosure via certified mail and provide free credit monitoring for a year."

AOL probably -CAN'T- notify the users, because they probably didn't keep the username->ID# mapping.

Re:who says they CAN notify the users?

[Overzeetop]

Well, they certianly kept them long enough to generate lengthy trails of queries. I don't see why they wouldn't keep the mapping, if for no other reason than continued logging.

torrent of aol searches by ID

[C0llegeSTUDent]

For all you future statisticians, marketers, and creeps: http://www.torrentspy.com/torrent/823687/AOL_data_ tgz

Better question: Why only 1 year of monitoring?

[The_REAL_DZA]

Some possibilities I can think of are:

1. They think all AOL users will change their SSN's (or will have time to change them) within that time.
2. They think the spammers and identity thieves will forget all those juicy tidbits within that time.
3. They figure anyone lame enough to use AOL in the first place would probably give away their identity anyway within a calendar year, so there's no need setting a precedent.

My money's on #3.

I don't want certified mail

[dysk]

the complaint asks AOL to notify all users affected by the data disclosure via certified mail

Unless I'm being sued or in immediate legal danger, I don't want to get any certified mail. When I do, I have to interrupt my work day and drive 10 miles over questionable roads to the post office. The fact that some of my searches may have been leaked without my name on them is not a reason to send a certified letter, however an insert in my next bill would be completely reasonable.

The EFF has good intentions, but in this case they are going overboard.

Re:I don't want certified mail

I could not agree more. Also, why on earth would any of these anonymous "victims" need credit monitoring?

Memo to EFF: Stop that! You're embarassing us!

I thought so too, but it's really

[Benanov]

Be Back Quickly

Re:I thought so too, but it's really

[HTH+NE1]

Be Back Quickly

Oh!

Uhm...

Nah, I like barbecue better. It's funnier, in a kinda cannibalistic way.

AOL did the world a big service in this one

Before AOL did this I think only the most extreme privacy advocates cared about what the major search engines were storing about them. Now, I think everyone does.

While I feel sorry for the specific individuals that AOL abused, this was probably a good thing in the long term for the privacy of the rest of internet users everywhere.

Some weird people in the world, that's for sure

For example:

select * from aolsearches where anonid = 3620882;

yields a very strange individual... some brief examples (shortened for brevity... it's MUCH longer than this):

| 3620882 | bank robber hide-outs                       | 2006-03-01 22:22:04 |
| 3620882 | male sissy panty stories                    | 2006-03-01 22:35:41 |
| 3620882 | big bosom mothers                           | 2006-03-01 22:47:58 |
| 3620882 | sissy nightgown training                    | 2006-03-02 11:46:49 |
| 3620882 | special female training of sissy men        | 2006-03-02 17:16:24 |
| 3620882 | tight laced girdles                         | 2006-03-05 12:33:09 |
| 3620882 | baptist church directory                    | 2006-03-07 18:56:13 |
| 3620882 | pink panty discipline                       | 2006-03-07 19:41:53 |
| 3620882 | old curvy women                             | 2006-03-10 12:38:47 |
| 3620882 | independent baptist church directory        | 2006-03-12 11:45:44 |
| 3620882 | westboro baptist church                     | 2006-03-23 13:51:49 |
| 3620882 | baptist college directory                   | 2006-03-25 19:44:22 |
| 3620882 | adult diaper parties                        | 2006-04-04 13:51:30 |
| 3620882 | colorado mining claims for sale             | 2006-04-16 13:00:25 |
| 3620882 | husbands that are sissy                     | 2006-04-28 20:13:11 |
| 3620882 | very large bosoms                           | 2006-05-18 21:38:57 |
| 3620882 | how to make gun silencers                   | 2006-05-20 12:45:00 |
| 3620882 | male maid training                          | 2006-05-30 12:15:49 |

Really, I think of myself as a pretty tolerant person, but this seriously makes me wonder what kind of weird individuals roam this planet.

Re:Some weird people in the world, that's for sure

[kinglink]

This is the greatest search example yet. Upmod the parent!

In the very least it makes everyone feel better about all the perverted crap they have searched for.... Not that I have ever searched for anything perverted.

Re:Some weird people in the world, that's for sure

Please remove this post.
    Sincerely,
    Jerry Falwell

Re:Some weird people in the world, that's for sure

[Maserati]

No, the article on Something Awful has some that top that. It's been posted before under this article, but another link can't hurt. Mind you, some of them are kinda disturbing.

Re:Some weird people in the world, that's for sure

[Castar]

I think that if the world could see everyone's search data, we would come to realize that this isn't that strange after all. Just the internet in general quickly makes me realize, at least, that there are a lot of people out there with non-mainstream tastes. Perhaps more than there are people with strictly mainstream tastes (the long tail of sex?).

Don't be so quick to judge. Would we find anything strange in *your* porn collection?

The people in the AOL search thing who really bother me are the ones searching for murders and ways to commit them. SomethingAwful had one log that made it look like the guy was trying to figure out if he'd been fingered for serial killings. (Although, that's potentially a biased view based on a small view of his search history - illustrating another danger in the release of this information).

Personally, I'm somewhat glad this information is out. It's akin to the Kinsey studies of an earlier age... It might make you realize that your neighbors are not as "normal" as you assume them to be. And might make you more comfortable in your abnormality.

Re:Some weird people in the world, that's for sure

[Eil]

Jesus, how did you get that thing through the lameness filter?

Re:Some weird people in the world, that's for sure

It wasn't this person's sex obsessions alone that struck me as weird (I myself like the occasional "chicks with dicks" variation of Japanese hentai, or "futanari", and yes my friends do know I like it)... it's the fact that he seems to be deeply religious as well, in a religion that is against this sort of thing. I wouldn't trust a person who lies to themselves, I mean why be a member of a Baptist church when that kind of organization's beliefs and teachings discriminate against your own lifestyles? Either is fine, but they do seem like mutually exclusive interests. Why not join an organization where your peers won't disown and hate you if they found out about such weird fetishes? And the part about "how to make a gun silencer" and other search terms involving bank robberies and abandoned towns makes me wonder if there's some Bible-toting transvestite running around who robs banks while dressed as a French maid and has a large stash of transvestite-gold hidden in an abandoned coal mine.

Your 'real world' doesn't include electronic data?

[geekotourist]

Perhaps you're confused by the name "Electronic Frontier Foundation"?

• the "Electronic Frontier" is woven into everyone's life: what happens electronically can be more real, longer lasting, than any real-world event, and
• "Foundation" doesn't mean the same as "Bill & Melinda Gates Foundation" (it can buy countries), or the "Ford Foundation" (it can casually sponsor a year of PBS). The EFF, unless it wins the trillion-dollar lawsuit, is a small donor-supported non-profit.
• And in some cases, the ACLU doesn't do as well. The EFF's AT&T lawsuit is still going strong. The EFF filed in January to get that amazing 'not automatically dismissed on state secrets' ruling. I admit I'm biased- I know people there and am a supporter- but damn, they're good.

Consider warrantless searches. In your 'real world,' a set of police can only do a few warrantless searches per day- maybe 10 or 20 if they have their door-kick down. In the actual world, a set of searchers hooked into AT&Ts database can do millions of warrantless searches per day. And they don't leave busted doors behind as a clue.

Consider voter disenfranchisement. In the old days, you had to physically block people from voting, one by one. Now you can do badly-designed joins on voter-rolls and stop thousands of people from voting in an afternoon.

Consider Free Speech. In your world you have to hire goons- expensive at overtime- to physically intimidate speakers. In the actual world automated intimidation, expensive intimidation, exists. In the actual world, entire subjects can be disappeared from view, thousands in one software installation.

Or maybe you really don't worry about building innovative tech companies, music CDs, publishing electronically. You really don't worry about credit scores, credit card records, HIPAA, test results, university records, voter data, flight records, VoIP calls... in your world. Funny, I didn't think they'd let you online in Supermax, Mr. Kaczynski.

Re:The question is , why did AOL release info at a

[The_REAL_DZA]

Out of the blue, they suddenly announce they are giving away some of their data.

It's probably somewhere in their TOS (I haven't read it and don't care to/have time to) that they don't have to ask anyone's permission to "share" their "non-personally-identifiable information" with their "partners" (just to coin a few phrases from various TOS's and EULA's and CYA's I have bothered to read over the years...) but it would've been nice if they had announced they were planning to release a subset of their logs, to whom, and exactly when (and even offered an "opt-out" avenue to their users who so wished...) and then gathered some feedback before doing something so cosmically STUPID. That way, they would have had the benefit of all the regex advice and the pattern-matching advice (not to mention the most excellently very sound advice of all: "JUST DON'T DO IT"...)

bad data = no profiling

Someone needs to come up with a quick-and-dirty resident app that issues random search queries to Google and other engines at random intervals. You poison the value of the data and make it relatively useless.

Re:bad data = no profiling

[AlgorithMan]

too late...

Re:Your 'real world' doesn't include electronic da

[edward2020]

"What happens electronically can be more real, longer lasting, than any real-world event..." I've repeatedly said the same thing time and time again. When we rode to the gates of the Undercity and spat our defiance via /yell and /fart options will always remain with me. Seriously folks, the loss of our civil rights and uncounted "real" world atrocities aren't that big of a deal - its not like they have your social security numbers or e-bay accounts. Yet.

Re:So EFF stands for the free exchange of informat

[Coppit]

The Government and the Corporations do not have a Constitutional right to privacy.

Newsflash: neither do citizens. The closest the constitution comes is this:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

So your search history is fair game, as long as its not being used for searches and seizures. I get spam to an address I used for a Western Digital hard drive rebate. My neighbors kids get credit card offers after someone bought a kids magazine in their name. Privacy in the US is a joke compared to the strong laws in some countries (Germany IIRC is a good example).

In the meantime

[talledega500]

use a search proxy. http://www.blackboxsearch.com/

Re:The question is , why did AOL release info at a

[AlgorithMan]

well they say now that it didn't happen on purpose... but then I don't know why the names are replaced by IDs...

start finding identities

[AlgorithMan]

someone should start trying to find out the identities of the people whose search queries were published... I don't think you need too many queries by one person to pin him down...

maybe THIS would silence the guys that understate how horrible this is for privacy...

sounds like another job for the EFF ;)

Re:So EFF stands for the free exchange of informat

[john83]

So EFF stands for the free exchange of information except when it's information they don't like?

No, troll. From their main page : "What is EFF? EFF is a nonprofit group of passionate people -- lawyers, technologists, volunteers, and visionaries -- working to protect your digital rights.

That can't be for real. Lawyers? Working to help us? This changes everything. How can I make shark, parasite and ambulance chasing jokes in the future? Man, how could I have made just a gross simplification?

Re:So EFF stands for the free exchange of informat

[mrchaotica]

No, the Constitution comes much closer than that:

The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.

The powers not delegated to the United States by the Constitution, nor prohibited by it to the states, are reserved to the states respectively, or to the people.

It's an outrage that these 9th and 10th Amendments -- which are arguably the most important -- are also the most ignored. The Founding Fathers are spinning in their graves.