Saturday, August 26, 2006

AOL Employees Fired, CTO Resigns Over Privacy Leak

The following is from the August 25, 2006 Electronic Privacy Information Center "EPIC Alert" -

AOL's Chief Technology Officer has resigned and two staff have been fired two weeks after researchers released the search terms used by 650,000 users of AOL's search engine over a three month period. The data includes a unique identifier for each user, the terms searched for, the time and date of the search, and the result the user clicked on. It was intended to be a tool for researchers trying to design better search engines.

While AOL initially claimed the search data had been anonymized, since the users' names had been replaced with numeric identifiers, many of the search terms included personally identifiably information such as names, addresses, and even e-mail messages. This often makes the correlation of a user's search results with the user's real identity possible. For instance, the New York Times was able to identify user 4417749 as Thelma Arnold of Lilburn, Georgia. Her searches included queries about medical conditions of some of her friends. She also searched for landscapers in her area and other interests like traveling. Other users in the disclosed data searched for a wide range of topics, including relationship advice, escort services, and other personal queries.

Because a user is consistently identified by an identifying number, the user's searches can be seen over time covering a variety of subjects, and connections can be drawn between queries. As the New York Times found, multiple queries can be used to narrow down the identity of a searcher even without directly personally identifiable information being given. However, many users apparently entered personally identifiable information into their searches, including credit card and Social Security numbers.

AOL quickly took the data off its web site and later apologized, but other people who had downloaded the data have made it available. AOL has said it will review its privacy policies to prevent future disclosures like this one, but it and other major search engines plan to continue recording users' search terms.

The breach has led to calls for the Federal Trade Commission to investigate AOL for unfair and deceptive trade practices, since AOL's privacy policy states that personal information and search queries would not be disclosed without user consent. AOL's breach of information would also likely trigger the security breach laws of many states, requiring AOL to notify those customers whose information has been published.

World Privacy Forum's FTC Complaint (pdf)
Electronic Frontier Foundation's FTC Complaint (pdf)
World Privacy Forum Search Privacy Tips


Few are interested in this story in the blogosphere. It is very limited and very shortlived after each privacy gaffe. The press cares, comedians care. This Stephen Colbert Video went viral after the leak episode was discussed by the comedian. Yet there are no cries of outrage to politicians and few laws enacted to prevent further leaks and "Ooops!" moments by careless corporations.

Technorati: AOL Leak

Save To    Digg! Digg This!
posted by RealitySEO at 9:36 AM


Post a Comment

<< Home