Protect Personal and Financial Privacy

Computers, Freedom, and Privacy Conference 2008

2008-04-29T23:37:00.000-07:00

Below is the announcement email from - well as you can see:

COMPUTERS, FREEDOM, AND PRIVACY: TECHNOLOGY POLICY '08
http://cfp2008.org/
18th Annual CFP conference
May 20-23, 2008
Omni Hotel
New Haven, CT

DEADLINES this Week:
Early Bird Registration: Fri., May 2, 2008
YJoLT Tech Policy Essay Contest: Mon., May 5, 2008

Conference Blog: http://cfp08.blogspot.com/
Facebook Group: http://www.facebook.com/group.php?gid=10926816973

ABOUT CFP: TECHNOLOGY POLICY `08

What should the technology policy priorities of the next administration
be?

As the choice of presidential candidates becomes clearer and election
year moves towards a comparison of the candidates' platforms on the
issues, technology policy is increasingly relevant to the forefront of
public debate. In the areas of privacy, intellectual property,
cybersecurity, telecommunications, and freedom of speech, topics that
were once confined to experts now appear in the mainstream of political
issues. We now know that our decisions about technology policy are being
made at a time as the architectures of our information and communication
technologies are still being built.

This year, the 18th annual Computers, Freedom, and Privacy conference is
focusing on those issues at the forefront of technology policy this
election year. With plenary panels on the "National Security State and
the Next Administration" and "The 21st Century Panopticon?" the
discussions taking place look towards our present and future priorities.

CFP: Technology Policy '08 is an opportunity to participate in shaping
those issues being made into laws and regulations and those technological
infrastructures being developed. Policies ranging from spyware and
national security, to ISP filtering and patent reform, e-voting to
electronic medical records, and more will be addressed by expert panels
of technologists, policymakers, business leaders, and activists. The
panel topics are listed below and full panel descriptions are available
on the conference website at:

http://www.cfp2008.org/wiki/index.php/Program.

The CFP: Technology Policy `08 conversation has already begun in the
virtual spaces connected to the conference. Even if you are unable to
attend the conference this year, there are several opportunities to
participate remotely. The guiding principles that ought to guide our
policies are being debated on the conference blog. Social networking
groups on Facebook and LinkedIn are providing new spaces for the CFP
community to meet and discuss. The Yale Journal of Law and Technology is
hosting a call for essays, on the priorities of the next administration,
with more details below.

We look forward to seeing you in New Haven on May 20-23.

CONFERENCE PROGRAM

Plenary Sessions
Presidential Technology Policy: Priorities for the Next Executive
The 21st Century Panopticon?
The National Security State and the Next Adminstration

Tutorials
A Short History of Privacy
Constitutional Law in Cyberspace
e-Deceptive Campaign Practices: Elections 2.0
Maintaining Privacy While Accessing On-line Information

Panel Sessions
Activism and Education Using Social Networks
Breaking the Silence: Iranians Find a Voice on the Internet
Charismatic Content: Wikis, Social Networks, and the Future of
User-Generated Content
Filtering Out Copyright Infringement: Possibilities, Practicalities, and
Legalities
Filtering and Censorship in Europe
Hate Speech and Oppression in Cyberspace
Interoperability at the Crossroads?: The "Liberal Order" versus
Fragmentation
Law, Regulation, and Software Licensing for the Electronic Medical Record
Measuring Global Threats to Internet Freedom
Network Neutrality: Beyond the Slogans
New Challenges for Spyware Policy
Patents: The Bleeding Edge of Technology Policy
Privacy, Reputation, and the Management of Online Communities
Rights & Responsibilities for Software Programs?
States as Incubators of Change
"The Transparent Society:" Ten Years Later
Towards Trustworthy e-Voting: An Open Source Approach?

CALL FOR ESSAYS

Yale Journal of Law & Technology Call for Essays on the Technology Policy
of the New Administration
Deadline: Monday, May 5th

The Yale Journal of Law & Technology (YJoLT) is seeking essay-length
submissions concerning the technology policy platform of the new American
presidential administration. Essays selected for publication will appear
in the Fall Issue of YJoLT (publication date November 2008).

Ideal submissions will discuss the priorities and guiding principles that
American technology policy should follow. Submissions analyzing a
particular technology policy issue in depth will also be accepted.

Essays of less than 5,000 words are preferred. Please submit all essays
to yjolt.submissions@gmail.com. Please include the text "CFP Essay"
in the subject line of the email. The authors of essays selected for
publication will be notified on a rolling basis. Any questions can be
directed to Lara Rogers, lara.rogers@yale.edu.

--------------
Eddan Katz
CFP: Technology Policy '08 Program Chair
http://www.cfp2008.org/

International Affairs Director, Electronic Frontier Foundation
http://www.eff.org/
Lecturer and Associate Research Scholar, Yale Law School
Senior Fellow, Yale Information Society Project
http://isp.law.yale.edu/

Yahoo Open Strategy (Y!OS) vs Privacy

2008-04-26T12:11:00.000-07:00

I attended the O'Reilly Web 2.0 Expo Friday at Moscone West in San Francisco where I attended two sessions I'd like to address here. First was titled "Yahoo and Open Platforms - A Deeper Dive" by Yahoo Chief Architect of Platforms, Neal Sample. The second was a (Yahoo-owned) Flickr presentation on "Casual Privacy" by Kellan Elliot-McCrae. (This Flickr photo sharing tool is aptly titled and the technology consists only of a simplistic use of hard to guess complex URL's - once posted to a blog they become exposed to search engines and lose all privacy.)

I often come away from sessions like the first one mentioned above thinking "Wow! There are some scary smart people working on some really incredible things out there." But when looked at through the filter of personal privacy, the "Scary" part stands out for me.

Scary simply because the "Yahoo Open Strategy" takes personal data and distributes Yahoo user profiles across a multitude of Yahoo properties and makes it available to all Yahoo services once a user is logged in. Scary only because it means this database of personally identifiable information on anyone who opts-in becomes distributed widely across those Yahoo properties. I hope that user preferences for which services it is shared with come with their own privacy settings - necessarily complex settings to boot.

I had to miss two Web 2.0 sessions, one Wednesday and another on Thursday that I'd wanted to attend when a work project required immediate attention. Those included one with Joseph Smarr from Plaxo titled "Data Portability, Privacy and the Emergence of the Social Web" and I had heard Smarr speak at WebGuild event on OpenSocial launch in November, hosted on the Google campus.

The second session I had to miss was the Yahoo announcement of "Yahoo Open Strategy" by Ari Balogh, Chief Technology Officer at Yahoo! during his keynote on Thursday. This last announcement was major and has been characterized as a move against the Microsoft takeover bid. Personally, I think it's too big and sweeping to not have already been in progress before the bid became public. It involves reworking the entire system to incorporate the "Open Strategy" into most Yahoo properties, including Yahoo Mail, the home page, their Open Search platform, (announced at SMX West in Santa Clara in March). Bits a bytes of this have been leaking out here and there since then.

My reaction at the SMX show was "Wow, sounds cool!" and I'm still excited about how this might change the face of search and usability, and I'll address that elsewhere, but for now I'm pulling back a bit due to Privacy concerns related to this "Openness" because it makes me nervous that all of the aggregation of data (potentially in the hands of Microsoft) has me concerned about willingly providing all my data to one source.

I had my first privacy concerns when I noticed, on (Yahoo-owned) MyBlogLog, a request for extensive (and yes, publicly available) data from all my social sites. Having had a bit more time to digest this all - and now looking at it in the full light of the Yahoo Open Strategy announcement, It's losing its shininess due to privacy concerns.

The commenter on the previous post where I address this concern points to the MyBlogLog Blog discussing the new tools. But nothing is really addressed there except that this data will be offered to users from their own profile and made available to their own "Friends" if they opt-in. Swell, despite the fact that I want to define my "Friends" and what they see, differently based on they kind of friend they are, (marketing, business, true close friends, co-workers, management, family, etc.)

I'm going to leave that for now and look purely at this one fact: Despite the wonderfully friendly UI and utility of this "Openness" I'm not liking the need to gather all my own data and hand it to others to use as they see fit. In this case, Yahoo, in the future, Microhoo and who knows who else if they choose to "Share" it in aggregate or "Ooops" leak it out like AOL did in August of 2006.

I just don't know that I'll ever give Yahoo, or Microhoo - all of my public data to aggregate (and maybe leak) regardless of how convenient it is (and only on Yahoo-owned properties) or how easy it makes my online life. The aggregation and distribution of public social profiles is interesting, but once it starts getting distributed through API's to each social network or service - you've lost all control of who sees what and when.

This only truly matters if you DON'T want family seeing ALL of your Flickr photos or DON'T want your employer looking at resumes posted on job boards on social networks, or DON'T want your clients reviewing your connections with their competitors on business social networks - this list could go on endlessly and with thousands of DON'T wants - because we've already seen people fired from corporations due to private information or photos or personal associations being exposed on social networks.

Some people live their entire lives in full public view - others prefer a bit of control and security of that data. If everyone gave serious thought to how they want this information shared, it would surprise me. But for those who care, fine control of where the information flows should be an option. I doubt that level of control will ever be available, with the full ability to change or delete all data in all places it flows via API's and "Open Strategies."

All Your Datas are Belong to Yahoo: Social=NO Privacy

2008-04-13T10:18:00.000-07:00

I belong to and use about a dozen social networking sites, including LInkedIn, Facebook, Plaxo, a bunch of Google services and publicly link to profiles on several that I want to be public. But it wasn't until I visited my settings page on MyBlogLog (a Yahoo owned social network) that I realized how companies hope to "mine" that data and use it for their own purposes.

The first annoyance was when I jumped over to MyBlogLog and was asked for my Yahoo ID - which I begrudgingly provided and thought to myself, "Damn! I wish they didn't own so many things!" From there it took me to a screen with tabs across the top, one of which was labeled "Data Collection" - "Well," I thought, "at least they are being honest about that title - most times it is marked something tame like "Your info" or "Details" - but being charmed by their honesty didn't last long after visiting the page. (shown below)

Uploaded with plasq's Skitch!

I noted that I was "Opted-in" by default, realizing that being a part of this community meant sharing my photo or avatar and publicly agreeing to be tracked across the MyBlogLog member communities that I visited. I like this service and use it fairly often. One thing I like is how the service prompts you to "Join Community" after you've visited a blog a preset number of times *(mine is set to 10 visits - but you can choose 5). Alright, I realize they need to track me to make this feature work and I find it useful.

But then I got REALLY disturbed when I clicked on a tab that is benignly labeled "Services" to see a list of over 40 online social sites with those I had previously provided were pre-filled with each of my identities and/or URL's. But then I started to scroll the list to see over 40 other services listed, including OpenID, Plaxo and other aggregators. This is a bit much - what does this do to improve the MyBlogLog user experience? It seems to me that it only helps Yahoo track members of MyBlogLog - no?

Uploaded with plasq's Skitch!

These are hard to read at this size, but click the images to see larger versions. What do you think - is this useful for you as a member of MyBlogLog? How would listing your membership data for all of those services/sites improve your user experience? Am I missing something here? Why are they collecting that data? Why do people provide it willingly? Hmmm.

Internet Service Providers Spying on Users

2008-04-05T22:33:00.000-07:00

The New York Times has an editorial piece today on ISP tracking of users and selling that information for behavioral targeting. Doesn't mention that the information is already sold to net tracking firms (yes in anonymized aggragate form supposedly) but it is becoming pervasive and nobody seems to care enough to attempt to stop it. The NY Times editorial, by Adam Cohen titled The Already Big Thing on the Internet: Spying on Users quotes the famous New Yorker cartoon

One dog, sitting at a computer, tells another: “On the Internet, nobody knows you’re a dog.” Fifteen years later, that anonymity is gone.

Then says ominously, "It’s not paranoia: they really are spying on you."

Yes, many of us know that and have been complaining about it for years now. The question becomes... What can be done to stop it? The question before that is ... How do you get the public to care?

Security Conscious Loose with Private Financial Data

2008-02-26T04:41:00.000-08:00

The linked headline leads to a Silicon.com commentary on how careless we all are with personal financial information while comparing how cautious companies sometimes are with that same information it holds on millions of individual customers. The author discusses his own care with customer data, while marveling at how careless he is with his own financial information

I wonder how much I pay as a consumer for the privilege of using digital and electronics for purchases and to manage my life.
Whatever that cost, I'm certain that given the needs of online businesses and with the scale of the information flow there are major gaps in the handling of personal data.
In many cases these failings may not be created through ignorance but rather complexity. It is rapid growth and oversights that cause personal information to be exposed.

What Will Make Privacy Important to Public & Business?

2007-09-23T19:01:00.000-07:00

For several years now I've blogged about privacy laws, data mining, data breaches, search privacy, cookies, phishing, spyware, data theft and big brother.

What never fails to amaze me is the fact that few people care about privacy until it touches them personally through identity theft, harmed reputation, excessive spamming, loss of work or public embarrassment.

I've searched for ways to spur public discussion of the need for effective privacy laws and protections. There is the ocassional flare-up in public interest when AOL leaks the private searches of their users to the world. There are dumb moves by our government when they over-reach their authority and exceed reason as when the Department of Justice demanded 30 days of search data from the top tier search engines.

There are silly stumbles of companies when they expose users to spam by including ALL their customer database of emails in stupid slip-ups. There are major cases of careless greed when data mining companies continuously sell consumer data to criminals because they won't bother to check their own customers need for (or even the right to) private financial data. There is the proposal by the Bush Administration that we have a (poorly designed) defacto National ID required of us to travel anywhere, which becomes an even greater risk to security and privacy.

I could go on for days with this. But to get to the point of this post, I've searched for ways to engage the public in discussion of important privacy issues of the day, so far without effect.

So when I see ways that may help expose the privacy issues discussion to more people, I leap on it with gusto in the hopes that it will bring more attention to privacy laws and protections. I've discovered a tool that may help bring privacy to more bloggers and those involved in building the technologies of the web.

It's called BlogRush and works on the principle of the old banner exchange model - but this one operates with an embeddable widget. The more times you display the widget, the more "credits" you get for your posts being displayed within the widgets of other members of the BlogRush Network. The concept is extended beyond simple one-to-one numbers as those who get their widgets from you, then expose your widget to their own audience and you gain more credits for display of your post headlines across the network on all bloggers using the widget. It seems like the model will overextend itself at some point unless growth is phenomenal and sustained over time.

Nevertheless, I'm happy to try it out and see if the model works for exposing privacy concerns to the world of influential bloggers. Take the BlogRush widget you see to the right on this blog and see how it works for you to increase the visibility of your most important topic. If your topic involves the need to research privacy at all - try out our Privacy Search Engine which draws ONLY from authoritative privacy sources via the Google Custom Search Engine.

Google on International Internet Privacy Standards

2007-09-15T19:58:00.000-07:00

Google Calls for International Standards on Internet Privacy and has taken some lumps from privacy advocates which may not be justifiable - YET. The linked Washington post article above quotes comments from Google's global privacy counsel, Peter Fleischer where he makes a case for a standards body to set and enforce privacy rules internationally.

Not a bad idea, especially if European standards are incorporated into that mix. But the fact is that Google is very likely to be making this call for international privacy standards simply to deflect concerns about their DoubleClick acquisition when a decision is made by the FTC.

I recently ran across the video below at the VortexDNA Blog. It is a whiteboard discussion of Google Privacy Policy by senior search engineer Maile Ohye - which makes no direct mention of major public concerns - but somehow manages to calm fears - even if you are a bit sceptical of the safety or your private information under current Google privacy practices.

All I can say to this issue is that Google has proven themselves trustworthy so far and has suffered no major data losses or privacy gaffes. This call for international privacy standards from Google appears at a time when they are under scrutiny for the DoubleClick acquisition and after Ask announced the "Ask Eraser" product which will allow any user to completely wipe out their search history and delete all information already gathered and opt out of future data gathering by Ask. Google and all other search engines should consider adopting the Ask Eraser model. Although right now it is all talk and little action by Ask as it is simply a promised product and not a reality.

Privacy Conference, Ottawa, Canada September 25-28, 2007

2007-09-14T21:47:00.000-07:00

OTTAWA, Sept. 6 PRNewswire - The who's who of the privacy world will meet in Montreal this month to explore ways to better protect privacy in the face of rapidly changing technologies and heightened national security concerns.

The Office of the Privacy Commissioner of Canada is hosting the 29th International Conference of Data Protection and Privacy Commissioners in Montreal from September 25 to 28th. Among the topics to be explored are: public safety, globalization, Radio Frequency Identification, nanotechnology, children and privacy, location-based tracking, data mining and Internet crime.

Speakers include:

Michael Chertoff, Secretary of the US Department of Homeland Security, who will give a keynote address on privacy and public security.
Peter Fleischer, Google's global privacy counsel.
Bruce Schneier, internationally renowned privacy and security guru and best-selling author of books such as Beyond Fear: Thinking Sensibly about Security in an Uncertain World and Secrets and Lies.
Katherine Albrecht, widely recognized as one of the world's leading experts on consumer privacy for her work as director of CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering), an organization she founded to address retail privacy invasion.
Simon Davies, a pioneer of the international privacy arena and the founder and director of the watchdog group Privacy International.

The complete program and speakers list are available at: http://www.privacyconference2007.gc.ca. Media are encouraged to complete and submit an accreditation form, also available online, before the conference.

Out-of-town journalists are encouraged to reserve hotel rooms as soon as possible.

Search Privacy: You Are What You Search For - Er What You Eat

2007-09-14T20:57:00.000-07:00

The following comes from AltSearchEngines and was used by permission

Search Engines & The Illusion of Privacy

For those who don’t recognize this image, this is the ubiquitous “Cone of Silence” from the TV series “Get Smart.” Whatever was said in the Cone stayed in the Cone! The privacy of your conversation was absolutely guaranteed.

Let’s see, I’ll be 60 years old…

The story from the Associated Press (AP) that greeted me this morning looked like it was just an update on one of the Homeland Security Department’s policies. It said, in part, that instead of keeping risk assessments on you and me for 40 years, they will only keep them for 15 years. What a break! Oh, and by-the-by, you’re not allowed to see your risk assessment, or even why they have one on you.

You are what you eat!

But what really got my attention was that they will try to deduce whether or not we are terrorists by the names of our traveling companions, the number of hotel beds requested, and -wait for it- airline meal choices! That made me wonder, does Homeland Security know what groceries I buy (with my credit card, to make it a little easier for them)? Do they know what cereal I had for breakfast? What do terrorists eat when they travel? I sure don’t want to order that…

Alternative Search Engines

What does any of this have to do with the alternative search engines? That’s what I was wondering. On Mondays at AltSearchEngines we usually feature a different Vertical search category. But after reading this news, search engines that I once thought of as helpful and innocuous, now seemed to be under a black cloud of suspicion.

People Search

Of course People search is often singled out as the bad guy. What do they know about me? Why is Facebook releasing my profile? If I misspell “kiddie horns” when I search for my nephew’s birthday party favors, am I going to be tagged as a pervert? Personal data and issues of privacy will always be at the top of everyone’s concern. The alternative People search engines and the social networking sites will always have that special burden of reassuring their users that it’s safe to use their site. (Or at the very least that the benefits outweigh the risks.)

Likewise the Job search engines. Before today I would have only wondered which one is most likely to find a good position. But in a parallel paranoid universe, what if “something” happened and my boss found that I have been searching for a new job while I was on the clock! After all, didn’t Monster.com have a theft of confidential information?

Health Search? Could a prospective employer surreptitiously buy a list that revealed that I have a preexisting condition and then find another reason not to hire me?

Travel search? Yep, he’s a terrorist. Probably off to training camp.

Search engines that track blogs, discussions, buzz, and other readily available Internet chatter; if I make a joke about renting out my basement to “that guy on the video,” will they “accidentally” fire bomb my house?

Video search? Buy Season Three of “24″ ? Not any more; no way.

Image search. More bad news. Another article, again, in this morning’s paper, said that if they catch a child pornography suspect with a picture of a child on a red blanket, they perform a search for all photos with red blankets. My beach towel is red! I could be looking at 10-15 years of hard time - and lose my beach towel.

Conclusion

We live in a world where every email, every outdoor camera, every Internet search on every search engine, every hotel we book or meal that we order might be captured by someone and used against us. The “Age of Innocence” has run head-on into the “Illusion of Privacy,” and the result is the “Plague of Paranoia” that is sweeping our world like an electronic epidemic.

Now, what would a terrorist order for lunch?

Here’s a bonus, check out this really creative UI for a local restaurant search!

DHS Shuts ADVISE Data-Mining System Citing Privacy

2007-08-27T12:39:00.000-07:00

According to the Christian Science Monitor, a Department of Homeland Security (DHS) Data Mining project called ADVISE (Analysis, Dissemination, Visualization, Insight and Semantic Enhancement - WHEW!) had been in effect for over 18 months before it was killed by privacy assessment requirements from their own "Office of the Inspector General" (OIG) While at first blush it appears that we've got sufficient oversight in place with the OIG of DHS, I think it more likely that they simply chose to avoid informing that office of the status and scope of the project - or that OIG got involved only after a muckracking journalist or whistleblowing staffer got involved.

The interesting thing here is that DHS launched this project after two similar projects were killed - Total Information Awareness from the Defense Advanced Research Projects Administration (DARPA) and the TALON Terrorism database program headed by the Pentagon - were shut down for the same reasons, although oversight for those agencies comes from the GAO (Government Accountability Office).

So the question becomes which government agency is currently working on a similar program and do they all share their data and findings with each other as each project is killed for privacy concerns. These data mining spooks are bound to come up with a fully operational system that stays out of the privacy spotlight by the time a fifth or sixth agency has built their system and input all the data from each of the other programs.

Each agency in turn develops new advances and seeks more ways to stay out of the crosshairs of privacy advocates, then shuts down operations and passes it to the next agency when they are found out.

Ask Eraser To Erase Search History

2007-07-23T20:18:00.000-07:00

Ask.com To Launch Ask Eraser To Erase Search History & New Data Retention Policy. This is an excellent coverage by Search Engine Land of the newly announced Ask Privacy Initiative with the cute name. It appears that with the "Me Too!" announcement by Microsoft they will honor privacy concerns of users by anonymizing data after 18 months (as Google already has), that pressure is building on the search engines to offer privacy as a feature to lure new searchers.

According to Wired Magazine, Yahoo is now doing the "Me Too!" dance with this statement:

"We have decided on 13 month policy because we believe it is consistent with our commitment to our users' privacy and consistent with local data protection laws across the world," said Yahoo spokesman Jim Cullinan in a written statement.

Of all the hand waving and foot stomping, Ask really does appear to have the strongest privacy intentions. We'll see when all the noise dies down who does privacy best and who offers the most search privacy.

Meanwhile, if you want to stay on top of the news about search privacy, may I suggest you consider trying our Google Co-op powered Privacy Search Engine

Microsoft & Ask Call for Privacy Initiatives

2007-07-23T16:06:00.000-07:00

REDMOND, Wash., and OAKLAND, Calif. — July 22, 2007 — Building on their respective efforts to protect consumer privacy, industry leaders Microsoft Corp. and Ask.com, a wholly owned business of IAC (NASDAQ: IACI), today joined together in the commitment to call on the industry to develop global privacy principles for data collection, use and protection related to searching and online advertising. The companies will work with other technology leaders, consumer advocacy organizations and academics to come together and join them in working on the development of these principles, which could include developing and sharing best practices to provide more control for consumers.

“As search and other online services progress, it’s important for our customers to be able to trust that their information is being used appropriately and in a way that provides value to them,” said Peter Cullen, chief privacy strategist at Microsoft. “We hope others in the industry will join us in developing and supporting principles that address these important issues. People should be able to search and surf online without having to navigate a complicated patchwork of privacy policies.”

“Anonymous user data can be very useful to enhance search products for all users, but people should have access to privacy controls based on their level of comfort around the storage of their search data,” said Doug Leeds, vice president of product management at Ask.com. “We’re committed to developing new ways to give consumers the control they are entitled to when it comes to searching online, and hope others will join us in engaging in dialogue on these important issues.”

Microsoft and Ask.com are proposing that leading search providers, online advertising companies and privacy advocates convene to engage in an active dialogue to discuss privacy considerations posed by the proliferation of online advertising and search. The goal of the dialogue is to determine ways that the industry can work cooperatively to define privacy principles that take these new considerations into account. The companies will provide an update on their progress in September.

More information about Microsoft’s and Ask.com’s current privacy policies and practices is available at http://www.microsoft.com/privacy and http://about.ask.com/en/docs/about/privacy.shtml.

About Ask.com

A leading search engine on the Web, Ask.com combines world-class search technology with one-of-a-kind search tools to help people get what they are looking for faster. Ask.com sites include Ask.com US (www.Ask.com), Ask.com Deutschland, Ask.com Espana, Ask.com France, Ask.com Italia, Ask.com Japan, Ask.com Nederlands and Ask.com UK. Additionally, Ask.com syndicates its search technology and advertising units to a network of affiliate partners. Ask.com is a division of IAC Search & Media, a wholly-owned business of IAC (NASDAQ: IACI).

About Microsoft

Founded in 1975, Microsoft (Nasdaq “MSFT”) is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.

Real ID - Oppose Defacto National ID - Driver License

2007-05-01T19:28:00.000-07:00

FOR IMMEDIATE RELEASE
May 1, 2007

Contact:
Melissa Ngo
Director, EPIC Identification and Surveillance Project
(202) 483-1140 ext. 123
ngo AT epic.org

FORTY-THREE GROUPS ANNOUNCE NATIONAL REAL ID PUBLIC CAMPAIGN

WASHINGTON, DC - Today, 43 organizations representing transpartisan, nonpartisan, privacy, consumer, civil liberty, civil rights, and immigrant organizations have joined to launch a national campaign to solicit public comments to stop the nation's first national ID system: REAL ID.

The groups joining in the anti-REAL ID campaign are concerned about the increased threat of counterfeiting and identity theft, lack of security to protect against unauthorized access to the document's machine readable content, increased cost to taxpayers, diverting of state funds intended for homeland security, increased costs for obtaining a license or state issued ID card, and because the REAL ID would create a false belief that it is secure and unforgeable.

This effort builds on the momentum that is signaling broad opposition to the REAL ID in the states. Montana has become the fifth state, following Maine, Idaho, Arkansas, and Washington, to prohibit cooperation with the Department of Homeland Security in implementing the REAL ID national identification system.

Under the Act, states and federal government would share access to a vast national database that could include images of birth certificates, marriage licenses, divorce papers, court ordered separations, medical records, and detailed information on the name, date of birth, race, religion, ethnicity, gender, address, telephone, e-mail address, Social Security Number for more than 240 million with no requirements or controls on how this database might be used. Many may not have the documents required to obtain a REAL ID, or they may face added requirements base on arbitrary and capricious decisions made by DMV employees.

EPIC joins this group of 43 organizations in a fight against the national identification system created by the Department of Homeland Security. "Make no mistake, this is a national identification system that will affect your everyday life," said Melissa Ngo, Director of EPIC's Identification and Surveillance Project. "Critics of the REAL ID scheme are called anti-security, but it is not anti-security to reject a national identification system that will harm our national security and make it easier for criminals to pretend to be law-abiding Americans."

The draft regulations to implement the REAL ID Act are open for comment until 5 p.m. EST on May 8, 2007. To take action and submit comments against the fundamentally flawed national identification scheme, under Docket No. 2006-0030-0001.

Online: Through the public submission portal at:

http://www.regulations.gov

Or use one of the more user-friendly sites found at the following web addresses:

EFF

Privacy Activism

To Fax Comments to the Department of Homeland Security:

Electronic Frontier Foundation

Privacy Coalition

Or send a letter to the agency. Fax: 1-866-466-5370.

Postal mail:
Department of Homeland Security
Attn: NAC 1-12037
Washington, DC 20528

All comments must be received by until 5:00 PM EST on May 8, 2007.

Visit the Stop REAL ID Campaign site

Visit EPIC's National ID Cards and REAL ID Act page

List of all of the Groups Supporting this Campaign:

American Federation of Labor-Congress of Industrial Organizations
American Library Association
American Policy Center
American-Arab Anti-Discrimination Committee
Association of American Physicians & Surgeons
Bill of Rights Defense Committee
Center for Digital Democracy
Center for Financial Privacy and Human Rights
Citizen Outreach Project.
Citizens Against Government Waste
Common Cause
Computing Professionals for Social Responsibility
Consumer Action
DownsizeDC.org
Electronic Frontier Foundation
Electronic Privacy Information Center
Fairfax County Privacy Council
Give Me Back My Rights Coalition
Government Accountability Project
Gun Owners of America
Immigrant Workers Union
Leadership Conference on Civil Rights
Liberty Coalition
National Center for Transgender Equality
National Council of Jewish Women
National Council of La Raza
National Gay and Lesbian Task Force
National Immigration Law Center
OpenCarry.org
Parents, Families and Friends of Lesbians and Gays
Patient Privacy Rights Foundation
People for the American Way
Privacy Activism
Privacy Rights Clearinghouse
Privacy Times
Republican Liberty Caucus
Rutherford Institute, The
The Arc of the United States United Cerebral Palsy
The Multiracial Activist
US Bill of Rights Foundation
Virginia Citizens Defense League
Virginia Gun Owners Coalition
World Privacy Forum

Search Privacy & Google Personalized Search

2007-04-30T20:37:00.000-07:00

Could Google Personalized Search and their Web History feature be the "tipping point" for privacy issues online? The headline on this post links to a BigMouthMedia (UK SEO Company) study about user "Trust" of search engines with their personal data. The SEM company's marketing push (press release) twists the actual perceptions around to seem opposite of the real results when they suggest that users don't trust Google with their personal data (Web History, Search History, Contact Info, Financial details, etc.) when the survey numbers show very clearly that more people trust Google (38%) than trust Yahoo (23%) and trust MSN (21%) with the title "Uncertainty Over Google's Privacy Intentions".

How disingenuous. They put Google in the headline to elicit public interest when their own results show MORE people trust Google (38%) than Yahoo (23%) or MSN (21%). If the press release had been honestly headlined, it might have read "Searchers Trust Google by Two to One Margin over Other Search Engines". Is that not obvious or do people read with that shallowly and with so much disinterest? How does this benefit a search marketing company to discuss this topic just as Google Personalized Search and Web History are launching? Hmmm.

I spoke yesterday about search privacy as it relates to Google after seeing a minor flurry of posts on blogs and search industry forums. I had no idea privacy discussions would balloon because of Web History and Personalized Search from Google. The funny thing is that my personal level of trust in Google with my personal information is probably at about 80%.

Google Personalized Web History & Privacy

2007-04-26T15:57:00.000-07:00

The following is adapted from my comments left today at Google Engineer Matt Cutts blog. To those reading this blog who aren't aware of him, Matt is the unofficial Google top search engine spam cop. He often attends Search Engine Strategies shows discussing quality guidelines for web content among attendees who are search engine optimization specialists.

I don't often mention on this blog that I make my living as an SEO, because privacy issues are usually more related to data security than search. The issues of search and privacy do cross paths on occassion, like when AOL exposes user search queries to the world, or when the Department of Justice demands search history from the top 4 search engines.

But as I've said on my RealitySEO blog, I trust Google with my data as they've so far proven trustworthy. I've even expressed a love for Google that is beyond reason, but my high opinion of Google is not shared by everyone interested in privacy protection. With that introduction, I'll share what I had to say on Google Web History with Matt Cutts:

I'm glad to hear that privacy protection is on the mind of Googlers. The fact that Matt Cutts is discussing privacy suggests that the Web History feature has brought up internal discussions that I hope will lead to protecting that data (and all the information Google holds on individuals) from leaks, hacks and employee error.
Privacy gets little attention by anyone until their own is threatened. I attended the "Search and Privacy" session at Search Engine Strategies New York to hear an amazing panel speak to a paltry 15 attendees. The topic of privacy flares up when there is a huge gaffe committed by a major company or when the DOJ makes absurd demands. Most ignore the issue until it gets personal.
But we need to pay attention to security and privacy issues on a daily basis because data retention adds up all those daily activities into a very much larger mass of information than anyone intends for one organization to hold. Aggregation of databases is inevitable as companies sell their clickstream data, credit info, contact data, email addresses, etc. to partners, clients and customers and sometimes to bad guys.
Wherever that data resides, it will get leaked, hacked or subpoenaed. Even Google can't entirely prevent things from going wrong at every turn. I tend to trust Google simply because they have proven themselves to be trustworthy so far. If those at the top are committed to privacy protection and security of the data they hold, we're very much better off.
The data portability idea sounds great - but I suspect we'd all be shocked should we ever see the totality of information held on each of us by Google. I'm very happy to hear that protecting that data is important to you.

Google Dumps User IP Data Mining

2007-03-14T21:03:00.000-07:00

Google Moves to Protect User ID's from their search records over two years old by trimming IP addresses off user log files. This means that the computer IP address is being dumped from massive silos of old user search records stored for past searches.

I suspect this is more to preserve space in stored data than entirely about protecting privacy. But either way the result is the same - the move protects privacy of Google users. Why they insist on keeping newer information if what should be scrutinized. How is it relevant other than "Anonymous user A did this type of searches" in their research and data mining? Anonymized data would serve them just as well.

The bottom line is that it is a move in the right direction toward privacy protection - so three cheers for Google. Now we've reached the end of the first quarter of this privacy game. What's the next play in the playbook coach Schmidt? What do Brin & Page have to say about anonymizing search data for current searches? There's the whistle! Start the second quarter!

2007-03-10T07:20:00.000-08:00

Pizza Surveillance film

National ID is here and this scenario shows what we can expect if it proceeds through approval. States are defying the pressure tactics requiring them to adopt RealID or lose funding. But the federal government may require RealID to board aircraft or cross borders, essentially forcing anyone who wants to travel to accept a national ID card. View the video opposing RealID at http://action.aclu.org/privacypower

FBI Taps Cell Phone Mic to Eavesdrop

2006-12-01T20:12:00.000-08:00

FBI taps cell phone mic as eavesdropping tool. The Declan McCullagh article at C|Net discusses a new technique which allows remotely activating any cell phone microphone to eavesdrop on any conversation within range of that phone. An opinion by District Judge Lewis Kaplan calls the technique a "roving bug" and it works whether the phone is turned on or off.

The bugging technique apparently requires judicial approval for surveillance for legal use and was employed in this case to listen in on powerful mafia leaders, but the fact that this bugging technique is possible suggests that hackers and other geeks would be able to work out the details and use the eavesdropping ability on any target for identity theft or other nefarious reasons.

Cell phone software which can be installed remotely is all that would be required - perhaps by calling a particular number or accessing a web site over the target handset - which could be initiated by text messages, emails or some pretexting method.

This bugging method was created by government spooks, possibly employing hackers for development and was meant to listen in on paranoid bad guys who avoided cell phone conversations and routinely sweep rooms for bugging devices. So now that they know about the FBI ability to listen from their cell phones, they may resort to removing their batteries at all times - which is the only way to disable the remote enabling of their cell phone microphone.

Assuming we completely trust the government and law enforcement to only use the "roving bug" with court ordered surveillance, what will the rest of us do to avoid bad guy hackers and identity thieves who work out how to turn on cell phone mics of their targets? Don't say your ATM pin as you key it in at the gas pump or at the bank, never say your credit card numbers and expiration date out loud within reach of your cell phone. Never speak your social security number, bank account numbers, driver license number, etc.

Technorati: Cell Phone Tap, surveillance, Privacy, roving bug

Homeland Security Privacy Report 18 Months Late

2006-12-01T12:56:00.000-08:00

Homeland Security Releases Overdue Privacy Report

The Department of Homeland Security Privacy Office has released its report on the Privacy Office's activities over the past two years. The law creating the Department of Homeland Security requires the Privacy Office to issue a report every year, but the report was delayed without explanation for a year and a half.

The Homeland Security Act of 2002, § 222, gave the Secretary of Homeland Security the responsibility to "appoint a senior official in the Department to assume primary responsibility for privacy policy." The responsibilities of the Chief Privacy Officer include:

assuring that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information;
assuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as set out in the Privacy Act of 1974;
evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government;
conducting a privacy impact assessment of proposed rules of the Department or that of the Department on the privacy of personal information, including the type of personal information collected and the number of people affected; and
preparing a report to Congress on an annual basis on activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act of 1974, internal controls, and other matters.

The report discusses general efforts the Privacy Office has made since July 2004 to "embed" privacy considerations into the evaluation processes in the Department of Homeland Security, but there is no information on whether these efforts have succeeded in reducing threats to Americans' privacy. The report is lighter on specifics than the previous report, covering through June of 2004. The new report discusses the Privacy Office's work with airport and immigration screening, but it ignores recent programs like video surveillance of public spaces.

The report identifies several privacy problems in DHS programs. In 2005 Congress ordered the Government Accountability Office to investigate the Transportation Security Administration's airline passenger screening programs. The GAO found significant problems with handling of personal information and violations of privacy laws. The GAO turned its findings over to the Privacy Office, which then did its own investigation. The Privacy Office claims to have continued its work with the TSA to resolve these issues. However, the report did not resolve EPIC's concerns about TSA redress procedures -- namely that citizens do not have the right to litigate to ensure their records are correct or even to view their records.

The Department of Homeland Security has received wide criticism for its identification card programs, many of which use radio frequency identification technology. The Privacy Office's report did not mention a draft report by the Department of Homeland Security Data Privacy and Integrity Advisory Committee also recommending against the use of RFID in identification documents. "RFID appears to offer little benefit when compared to the consequences it brings for privacy and data integrity," the committee said.

Earlier this year, EPIC wrote to the Department of Homeland Security to urge the release of the report. Then President Bush issued a statement in which he said the "executive branch shall construe section 522 of the Act, relating to privacy officer reports, in a manner consistent with the President's constitutional authority to supervise the unitary executive branch." The White House influence on federal privacy policy can be found in Section V of the agency's report.

Congress will be able to use the new report to evaluate the Privacy Office's performance.

DHS Chief Privacy Officer Report Covering July 2004 to July 2006 (PDF)

EPIC's Letter to Chief Privacy Officer Teufel (PDF)

Department of Homeland Security Data Privacy and Integrity Advisory Committee: The Use of RFID for Human Identification (PDF)

Homeland Security Act of 2002 (PDF)

Presidential Signing Statement, H.R. 5441

EPIC's page on Privacy Report Held Hostage

Technorati: Homeland Security, privacy office, Privacy

AT&T Loses Customer Credit Card Info to Hackers

2006-08-30T08:00:00.000-07:00

AT&T has been targeted by hackers hitting the DSL products store looking for customer credit card data. The hackers successfully accessed the store database for 19,000 customer credit card numbers and card owner information. The standard line, issued by most victims of hacking attacks, was also offered by AT&T when they offered the limp statement,

"The company is notifying customers by e-mail, phone and letter. So far, there is no indication that the hackers have used the financial information fraudulently... We deeply regret this incident and we intend to pay for credit monitoring services for customers whose accounts have been impacted."

Paying for credit monitoring services is far from sufficient if anything is discovered while monitoring. It's the actual financial damage done by bad guy identity thieves that matters and all companies that hold customer financial data should pay for restitution - in ADDITION to credit monitoring.

AOL Employees Fired, CTO Resigns Over Privacy Leak

2006-08-26T09:36:00.000-07:00

The following is from the August 25, 2006 Electronic Privacy Information Center "EPIC Alert" -

AOL's Chief Technology Officer has resigned and two staff have been fired two weeks after researchers released the search terms used by 650,000 users of AOL's search engine over a three month period. The data includes a unique identifier for each user, the terms searched for, the time and date of the search, and the result the user clicked on. It was intended to be a tool for researchers trying to design better search engines.

While AOL initially claimed the search data had been anonymized, since the users' names had been replaced with numeric identifiers, many of the search terms included personally identifiably information such as names, addresses, and even e-mail messages. This often makes the correlation of a user's search results with the user's real identity possible. For instance, the New York Times was able to identify user 4417749 as Thelma Arnold of Lilburn, Georgia. Her searches included queries about medical conditions of some of her friends. She also searched for landscapers in her area and other interests like traveling. Other users in the disclosed data searched for a wide range of topics, including relationship advice, escort services, and other personal queries.

Because a user is consistently identified by an identifying number, the user's searches can be seen over time covering a variety of subjects, and connections can be drawn between queries. As the New York Times found, multiple queries can be used to narrow down the identity of a searcher even without directly personally identifiable information being given. However, many users apparently entered personally identifiable information into their searches, including credit card and Social Security numbers.

AOL quickly took the data off its web site and later apologized, but other people who had downloaded the data have made it available. AOL has said it will review its privacy policies to prevent future disclosures like this one, but it and other major search engines plan to continue recording users' search terms.

The breach has led to calls for the Federal Trade Commission to investigate AOL for unfair and deceptive trade practices, since AOL's privacy policy states that personal information and search queries would not be disclosed without user consent. AOL's breach of information would also likely trigger the security breach laws of many states, requiring AOL to notify those customers whose information has been published.

World Privacy Forum's FTC Complaint (pdf)
Electronic Frontier Foundation's FTC Complaint (pdf)
World Privacy Forum Search Privacy Tips

END OF EPIC Alert

Few are interested in this story in the blogosphere. It is very limited and very shortlived after each privacy gaffe. The press cares, comedians care. This Stephen Colbert Video went viral after the leak episode was discussed by the comedian. Yet there are no cries of outrage to politicians and few laws enacted to prevent further leaks and "Ooops!" moments by careless corporations.

Technorati: AOL Leak

Search Engine Privacy Dilemmas - Paths Toward Solutions

2006-08-23T09:05:00.000-07:00

This NYT story neatly encapsulates the overall state of search engine query data retention issues.

The observant reader will note that despite the rising tide of concerns regarding search query privacy, the industry as a whole is still pretty much in a state of denial, made all the more confusing by various signals from the U.S. Department of Justice.

This is turning into such a mess that it's becoming difficult to even keep the various participants and their positions completely clear. There is every reason to believe that without heroic action by the players involved, we may be heading toward a privacy, legislative, and judicial nightmare. But maybe there's a way out.

Let's review:

AOL's release of search query data made obvious to everyone what many of us knew all along -- that such data contains all manner of personal information, even when the identity of the party making the query is not immediately known directly from usage logs. In the AOL case, the individual query entries were linked by "anonymized" user IDs, but even without such linkages the query items alone can be highly privacy-invasive. The AOL release triggered (as did DOJ vs. Google) broad calls for mandated search query data destruction policies.

The personal nature of the AOL query data serves nicely to liquidate the DOJ's arguments (again, as in DOJ vs. Google) that such data is not privacy-invasive so long as the query source is unidentified. The expressed DOJ reasoning is this regard is obviously faulty.

Search engine companies have been reluctant to voluntarily dispose of query data on a regular basis. This data has considerable R&D, marketing, and other value. Since the incremental cost of keeping all queries archived forever is so low, there is little incentive within the normal business structure to dispose of this resource, absent overriding considerations.

Even while laudably expressing concerns about the potential for third-party misuse of query data, search engine firms (e.g. Google) have proclaimed their intention to keep collecting and saving this data indefinitely. If AOL actually sets in place an aggressive data destruction schedule, it will be something of a watershed event that may (or may not) have broad impacts across the search engine industry. Fears of being placed at a competitive disadvantage will tend to make unilateral moves toward query data destruction difficult to propose or implement.

Meanwhile, DOJ is moving in exactly the opposite direction, apparently preparing to propose long-term (perhaps measured in years) mandated data retention schedules, requiring the saving of the very data for which destruction demands are being made in other quarters. DOJ is using child abuse (and as of late anti-terrorism efforts) as their hooks to justify such legislation.

This situation has all the elements of a painful and wasteful deadlock, potentially triggering years of litigation while the overall search engine issues continue to fester and become even bigger privacy, business, and political problems.

If we wish to avoid this scenario -- or at least have a good shot of avoiding it -- we need to act now, and we need to do so cooperatively. There are policy and technological approaches to the search query dilemma that can be applied in ways that will serve the interests of all stakeholders. Cooperation and compromise mean that nobody is likely to get everything that they'd ideally want, but to paraphrase the great philosopher Mick Jagger, perhaps we can all get much of what we need.

Therefore, I propose the formation of a high-level Internet working group/consortium dedicated specifically to the cooperative discussion of these issues and the formulation of possible policy and technology constructs that can be applied toward their amelioration. Such a working group would be as open as possible, though proprietary concerns would likely necessitate some closed aspects if progress is to be accelerated as much as possible.

Participation by all stakeholders would be invited. Representatives of the major search engine firms and concerned government agencies, outside technologists and other persons involved in privacy and search issues, and other entities as appropriate would all play important roles.

Of course, it's easy -- especially for large corporate enterprises -- to simply ignore such efforts and just plow ahead independently. Obviously, without the participation of the key players, the effort that I'm proposing would be useless, and I will not continue to promote it if that situation ensues.

However, I suggest that it will be in the long-term best interests, both financially and in terms of corporate and organizational responsibility, for major stakeholders to actively join such a project, since the alternative seems ever more likely to be somewhere between highly disruptive and extremely draconian.

Interested? Please let me know. All responses will be treated as confidential unless the sender indicates otherwise.

Thank you for your consideration.

--Lauren-

Lauren Weinstein lauren@vortex.com or lauren@pfir.org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR - People For Internet Responsibility
Co-Founder, IOIC - International Open Internet Coalition
Moderator, PRIVACY Forum
Member, ACM Committee on Computers and Public Policy
Lauren's Blog
DayThink

Please Contact Lauren Directly at the above numbers if you'd like to participate or comment on the above proposal.

Stop Search Engines Tracking Search Data

2006-08-17T09:55:00.000-07:00

AOL, the fourth most popular search engine, recently released search queries of 650,000 AOL subscribers on the Internet. Though AOL now says that it was a mistake and quickly removed the search data from their website, mirror copies of AOL search terms continue to be available across the web.

It is a universal truth that all search engines, including Yahoo, Google and MSN, retain search data of their users which can easily give a clue about the person's identity and a glimpse into his mind and online activity.

Though it is highly unlikely that Google users will ever come across this "AOL Data Spill" like embarrassing situation, the possibility cannot be ruled out completely especially after Eric Schmidt's remark that ".. this sort of thing would not happen at Google although you can never say never."

If you are worried that some day Google, by mistake, might disclose your private search terms into public internet domain, try some of the following suggestion that may fool the search engine or give it a hard time recognizing you.

The background is that when you perform a search on Google, the site search logs keep a record of your computer IP address, cookie ID and the search query terms. Google may also track your clicks on the search results by rewriting the destination URL. So we will look at possible ways to manipulate each of this information:

1. Disallow Google to Store Cookies - The important thing is that it doesn't suffice blocking cookies from just google.com domain, you must also block cookies from google site in your country.

For example, in India, one would block google.com and google.co.in - This is because Google redirects you to your local country page when you type in google.com in the browser address bar.

To block cookies, open the Cookie blocking dialog in your browser, type the site url and click disallow or block.

IE: Click Tools->Internet Options->Privacy->Sites
Firefox: Click Tool->Options->Privacy->Cookies->Exceptions

Remember that Google Personalized Search History won't work after you disable cookies from Google.com. Also, you may have to type the user name and password of other Google services like each time you have to login since cookies are disabled and you won't be automatically logged in.

2. Use Scandoo - Scandoo is a wonderful wrapper written around search engines that warns you of malicious websites in search results. Now the good part is that Scandoo can help you search Google, Yahoo or MSN without disclosing your actual geographic location (or IP Address) to the search engine.

Scandoo interace remains invisible to the end user and one would feel that he is searching via Google itself. [Scandoo Google, Scandoo IE Toolbar]

3. Download HideMyIp software - Your IP address is one big link between your search queries. You would be lucky if your ISP provides you a dynamic IP address that changes frequently but if you are stuck with a static IP, you can still hide it with Hide MyIP address software.

HideMyIP conceals your real IP address and shows a fake IP with a hostname to the sites that you visit. You can set Hide-My-IP to change your IP address every minute. [Download Hide-My-IP.com]

4. Download CustomizeGoogle for Firefox - If you Google using Firefox, this is a highly recommended extension that completely enhances your Googling experience. It can help remove Googel Ads, anonymize your Google userid, remove click tracking or filter google search results. [Install CutomizeGoogle]

5. Block cookies from Yahoo, Google and MSN. Then use Dogpile.com for searching these three search engines simultaneously. [Dogpile Search]

6. Block Google from Tracking Your Clicks

7. Don't use Google or Yahoo to search the web as they will store your entire trail of activity on their servers. Try Clusty.com or Ixquick.com which do not save users search data. Clusty is a meta search engine based on Vivisimo clustered search - It queries several top search engines, combines the results, and generates an ordered list based on comparative ranking.

8. Finally, you can try Scroogle Google Scraper, a search wrapper around Google (and yahoo) search that lets you anonymously search Google and promises not maintaining your search query terms. [Google Scroogle]

Amit Agarwal is a technology writer and professional blogger. He writes for Digital Inspiration and also runs a business weblog consulting company. Some of his writings are quoted in The Wall Street Journal, MSNBC, CNN Money.com, CNet, MSN, Yahoo News, IDGNews, Computer World, Motley Fool, InformIt and Slashdot. Amit provides one-to-one professional consulting to both companies and professionals and specializes on technical writing, e-learning, blog publishing, reviewing new software and web services, search technologies, and on online monetization opportunities for small and large content publishers.

AOL Privacy Breach of Search Queries Exposes Users

2006-08-14T10:22:00.000-07:00

* EFF Demands FTC Investigation and Privacy Reform After AOL Data Release

Internet Company's Publication of Search Logs Exposes Customers' Private Lives

San Francisco - The Electronic Frontier Foundation (EFF) will ask the Federal Trade Commission (FTC) today to investigate America Online (AOL) and require changes in its privacy practices, after the company recently released search history logs that exposed the private lives of more than a half-million of its customers.

Last week, news reports revealed that AOL published to the Internet three months of search queries from about 650,000 users. In its complaint, EFF argues that the release of this data violated AOL's privacy policy and the Federal Trade Commission Act and should be investigated. EFF further requests that the FTC require AOL to notify customers affected by the disclosure and to stop logging search data except when absolutely necessary.

"Search terms can expose the most intimate details of a person's life -- private information about your family problems, your medical history, your financial situation, your political and religious beliefs, your sexual preferences, and much more," said EFF Staff Attorney Marcia Hofmann. "At the very least, AOL should notify every customer whose privacy has been jeopardized by the company's careless handling of this incredibly private information, and AOL should not store this kind of data in the future when it doesn't have to."

While AOL has removed the data from its own web site, the data is still freely available from other sites on the Internet. And although specific AOL screen names were not released, the data is associated with unique ID numbers, allowing each user's search terms to be grouped together. Whether because of users' searches for their own names or MySpace profiles, or searches related to their cities and neighborhoods, these search histories can expose -- and in some cases, already have exposed -- particular users' private searches to the world. In support of its complaint, EFF will confidentially submit examples of search queries containing personally identifiable information and search histories that could likely be tied to particular AOL subscribers.

"We're asking the FTC to make sure that AOL rectifies the damage that's been done and improve its privacy protections for the future," said EFF Staff Attorney Kevin Bankston. "But this problem isn't limited to AOL -- every search company stores this kind of data. Hopefully, AOL's shocking violationof its users' privacy will spur Congress to clarify that the same law that prevents these companies from disclosing our personal emails also applies to our search logs."

The FTC complaint will be made available here

Technorati security, encryption, privacy, data protection

AOL Leaks User Search Data

2006-08-11T16:15:00.000-07:00