EFF Files Complaint with FTC Over AOL Data Leak

← Back to Stories (view on slashdot.org)

EFF Files Complaint with FTC Over AOL Data Leak

Posted by ryuzaki0 on Tuesday August 15, 2006 @08:20AM from the little-tighter-with-those-pipes-please dept.

Quincy A. writes "Last week's exposure of search data on over 500,000 AOL users was a gigantic embarrassment for the company. It may be about to get worse, as the EFF has filed a complaint with the FTC over the incident. 'Citing AOL's own Network Privacy Policy, the EFF says that the company failed to "implement reasonable and appropriate measures to protect personal consumer information from public disclosure."' Among other things, the complaint asks AOL to notify all users affected by the data disclosure via certified mail and provide free credit monitoring for a year."

19 of 114 comments (clear)

Min score:

Reason:

Sort:

While I am surprised the EFF took the case by umm+qasr · 2006-08-15 08:22 · Score: 4, Interesting

I'm happy that AOL will be help *somewhat* accountable.
1. Re:While I am surprised the EFF took the case by deviantphil · 2006-08-15 08:39 · Score: 4, Insightful
  
  The accountability they take in the future might be less than inspiring. From the article:
  
  It is certain that AOL will vigorously contest the EFF's complaint, with the linchpin of its defense being that the whole thing was a horrible idea from AOL's new research unit that will never be repeated. Unfortunately, horrible ideas can have real-world ramifications, and even though AOL is "deeply sorry" and swears it will never happen again, there need to be some safeguards in place to prevent a recurrence.
  
  I wonder what would happen to a murder defendant that tried to use that defense. "I'm sorry your Honor....my left hand pulled the trigger without my permission. It won't happen again! I promise!
  
  Bottom line, respondeat superior says it is their unit, their employees, THE COMPANY is responsible.
2. Re:While I am surprised the EFF took the case by anagama · 2006-08-15 09:10 · Score: 3, Insightful
  
  The problem is that it is the searches which are revealing. It isn't possible to release complete search data AND protect privacy of all users because people search for things that are important to them, i.e., the searches are self revealing. That's why replacing usernames with a numerical identifier was so ineffectual for so many users.
  
  As an aside, I imported the data into a mysql database. I've never messed with that much data before and it was a good learning experience with respect to grep, awk, and sed and converting the tab deliminated files into something I could import into mysql. I do wonder however, if there is a way to just import the tab deliminated file without adding "insert" to lines and escaping the ' ( ) and ; characters that appear in the data. Any experts have a hint? On my athlon 2200+ with 512mb of ram, each search of the data takes about a minute to complete. It's actually faster to just grep for lower numbered userids and then kill grep once the output shows.
  
  --
  What changed under Obama? Nothing Good
Why do they even have this stuff? by Skadet · 2006-08-15 08:28 · Score: 4, Insightful

Among the list of remedies proposed by the EFF include [...] hav[ing] the FTC bar [AOL] from storing users' search activities "except where necessary... to the rendition of AOL's services or the protection of AOL rights and property." At most, AOL should only be allowed to keep 14 days' worth of data, argues the EFF.
Why do they keep such logs, anyway? If it's to help tailor results better, or to help sell advertising, then why is it correlated with a user ID? My company, for example, saves a keyword search history, but there is no user-identfiable information correlated with it. And it's plenty of information for our needs.

If nothing else, it's a terrible, terrible reminder that no matter where you are, no matter what you're searching for, someone could be watching.

--
Sony ha
1. Re:Why do they even have this stuff? by DerGeist · 2006-08-15 08:47 · Score: 3, Insightful
  
  More like someone is watching.
  This user-search crap is an advertising goldmine. The internet is so vast and intricate that you need a search engine to find just about anything (unless you happen to enjoy posting to random forums in hopes for a response...in a few days or so).
  But when you search, it says something about you personally. Just like when you buy things at the grocery store (don't forget to use your Super Shopper Saver Discount Card, Mister 60917492!) searching online indicates what you are interested in and what you're likely to buy in the future. By hopefully pegging your wants, desires, hobbies, interests, tastes and preferences into a conveniently distributable file advertisers hope to beam you laser-targetted ads for crap that you (and only you) will simply HAVE to buy in order to feel complete as a human being.
  Without the personal identiciation, they can't hope to learn every intricate detail of your life in order to suck more of your money from your pockets (or packets, as the case may be :-). *ducks*
2. Re:Why do they even have this stuff? by pclminion · 2006-08-15 09:25 · Score: 5, Interesting
  Why do they keep such logs, anyway? If it's to help tailor results better, or to help sell advertising, then why is it correlated with a user ID? My company, for example, saves a keyword search history, but there is no user-identfiable information correlated with it. And it's plenty of information for our needs.
  
  First, the search database doesn't list AOL user IDs. It lists "unique IDs" for each user, but they are not correlated to whatever AOL's internal "User ID" is. But to assume that sanitizing the data by changing or completely removing user IDs will make people safe is boneheaded.
  
  Let's start with a grep for social security numbers. I've blipped out the actual numbers themselves, but that's not much help for these poor folks, since anybody can get their hands on the database:
  
  find robert williams akron oh 44306 XXX-XX-XXXX
  
  birth certificate for debra ann collins 1-28-59 ss XXX-XX-XXXX
  
  locate keith ivan thompson born 3 may 64 social security XXX-XX-XXXX last address was XXXXXX colorado
  
  kristy nicole vega hammond la. social secruity number XXX-XX-XXXX birth date 03 08 81 drivers license number la. XXXXXXXXX address XXXXXXXX.
  
  Moving on, check out this fascinating query:
  
  all i can say is you looked amazing in that photo. i would love to get achanceto know you. expect a call from me soon. are you looking for a friend or a companian just for future reference
  
  Looks like somebody accidentally copy-pasted a portion of their private communication (email or IM, perhaps) into the search query box and clicked "Submit." Now their private thoughts are available for all to see. You'd be AMAZED at the stuff you'll find in these logs. The idea that by removing usernames/IDs from data is "instant sanitization" is naive and dangerous. There is more than enough information in many of these queries to identify specific individuals and examine EVERYTHING they have searched for in the past 6 months.
  
  (I do question the sanity and intelligence of some of the people who submitted queries like the ones above, but ultimately this is not their fault.)
I've been meaning to make a donation. by Anonymous Coward · 2006-08-15 08:28 · Score: 5, Informative

While I'm demonstrating my support, I thought I'd suggest some of you do the same.

Have you shown your support? EFF
Donate to these people by MobyDisk · 2006-08-15 08:28 · Score: 4, Insightful

The EFF is the "stop 1984 from happening" fund. If you read Slashdot, you know why you should be a member.
</soapbox>
1. Re:Donate to these people by avalys · 2006-08-15 08:35 · Score: 4, Insightful
  
  Don't forget the ACLU.
  
  Electronic freedom is nice, but freedom in the real world is all that matters in the end.
  
  --
  This space intentionally left blank.
2. Re:Donate to these people by eipgam · 2006-08-15 08:47 · Score: 4, Insightful
  
  Some semi-relevant links for UK residents:
  
  http://www.cfoi.org.uk/
  http://www.liberty-human-rights.org.uk/
  http://www.cyber-rights.org/
  http://www.justice.org.uk/
3. Re:Donate to these people by Just+Some+Guy · 2006-08-15 10:09 · Score: 4, Insightful
  
  And while we're at it, the NRA (for that amendment the ACLU forgot about).
  
  --
  Dewey, what part of this looks like authorities should be involved?
Re:So EFF stands for the free exchange of informat by Recovering+Hater · 2006-08-15 08:30 · Score: 4, Informative

No, troll. From their main page : "What is EFF? EFF is a nonprofit group of passionate people -- lawyers, technologists, volunteers, and visionaries -- working to protect your digital rights.

--
My humor is probably your flamebait
I wonder by LiquidCoooled · 2006-08-15 08:31 · Score: 3, Interesting

Even if this *doesn't* get through court, could an AOL customer ask AOL for their export ID number?

Is the ID number we have all grown to know an integral part of every AOL account?
Does AOL even know who user 17556639 actually is or was it generated automatically and then lost in the data export?

--
liqbase :: faster than paper
EFF Can't Do It Alone!!! by pfz · 2006-08-15 08:43 · Score: 3, Interesting

They need your help!

Watch EFF attorney Jason Schultz tear the roof off in the new documentary, ALTERNATIVE FREEDOM. Maybe you will learn something or be able to show your friends and then we can all make sure digital rights are always kept in mind...

http://alternativefreedom.org/
Re:So EFF stands for the free exchange of informat by megaditto · 2006-08-15 08:44 · Score: 4, Insightful

The Government and the Corporations do not have a Constitutional right to privacy.

Hence all consumer (people) data must be treated as private by default, whereas the Government data must be treated as inherently public.

The EFF opposes the recent drive to turn this principle inside-out.

--
Obama likes poor people so much, he wants to make more of them.
Re:Why credit monitoring? by budgenator · 2006-08-15 08:49 · Score: 3, Informative

Did the search information include Social Secuirity Numbers, home addresses, mother's maiden name (and identifiable as such), PINs, or some other sort of data that could be used to affect someone's credit report?
YES, many people run their personaly identifiable information through a search engine; don't you think that if google indexed a text file that was a dump of some perloined database on eveilhacker.com you'd want to know about it? For me for a search engine to turn over search queries is serious breach of confidence; I could never use Yahoo, MSN, or AOL for anything beyond trivial searches now, and I only use yahoo for yellowpages skimming at work.

--
Apocalypse Cancelled, Sorry, No Ticket Refunds
Relief doesn't match mistake by dysk · 2006-08-15 09:01 · Score: 4, Informative

Yes, AOL made a mistake by releasing that information. They've admitted to the mistake, apologized, and I doubt anyone will try to do this again.

On the other hand, one needs to recognize that they didn't release the information for the purposes of making money, or defrauding the customers, or anything else. They collected the data in order to help a researcher write an extremely informative paper[pdf] about human behavior as it relates to searches. That researcher decided that other's might benefit from the information, and convinced AOL to make it publically available. It turns out that that was a huge lapse in judgement, but nonetheless, intentions are also important and while criticizing AOL, we should also complement them for their effort to interface with the academic community.

AOL has been punished enough in the press. Given the circumstances I don't think that any legal action is necessary.
Some weird people in the world, that's for sure by Anonymous Coward · 2006-08-15 09:18 · Score: 3, Funny

For example: select * from aolsearches where anonid = 3620882; yields a very strange individual... some brief examples (shortened for brevity... it's MUCH longer than this): | 3620882 | bank robber hide-outs | 2006-03-01 22:22:04 | | 3620882 | male sissy panty stories | 2006-03-01 22:35:41 | | 3620882 | big bosom mothers | 2006-03-01 22:47:58 | | 3620882 | sissy nightgown training | 2006-03-02 11:46:49 | | 3620882 | special female training of sissy men | 2006-03-02 17:16:24 | | 3620882 | tight laced girdles | 2006-03-05 12:33:09 | | 3620882 | baptist church directory | 2006-03-07 18:56:13 | | 3620882 | pink panty discipline | 2006-03-07 19:41:53 | | 3620882 | old curvy women | 2006-03-10 12:38:47 | | 3620882 | independent baptist church directory | 2006-03-12 11:45:44 | | 3620882 | westboro baptist church | 2006-03-23 13:51:49 | | 3620882 | baptist college directory | 2006-03-25 19:44:22 | | 3620882 | adult diaper parties | 2006-04-04 13:51:30 | | 3620882 | colorado mining claims for sale | 2006-04-16 13:00:25 | | 3620882 | husbands that are sissy | 2006-04-28 20:13:11 | | 3620882 | very large bosoms | 2006-05-18 21:38:57 | | 3620882 | how to make gun silencers | 2006-05-20 12:45:00 | | 3620882 | male maid training | 2006-05-30 12:15:49 | Really, I think of myself as a pretty tolerant person, but this seriously makes me wonder what kind of weird individuals roam this planet.
Re:So EFF stands for the free exchange of informat by Coppit · 2006-08-15 10:42 · Score: 3, Interesting

The Government and the Corporations do not have a Constitutional right to privacy.
Newsflash: neither do citizens. The closest the constitution comes is this:
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
So your search history is fair game, as long as its not being used for searches and seizures. I get spam to an address I used for a Western Digital hard drive rebate. My neighbors kids get credit card offers after someone bought a kids magazine in their name. Privacy in the US is a joke compared to the strong laws in some countries (Germany IIRC is a good example).