The Face of One AOL Searcher Exposed

Juha-Matti Laurio writes "No. 4417749 conducted hundreds of searches over a three-month period on topics ranging from "numb fingers" to "60 single men" to "dog that urinates on everything., report NYT journalists Michael Barbaro and Tom Zeller Jr., but with a permission from Mrs. Thelma Arnold, 62. "Those are my searches," she said, after a reporter read part of the list to her, continues the article."

and this is why anonet exsists

[Anonymous Coward]

this is the exact reason i use anonet [anonet.org]! its not just AOL keeping records.

Legal Standing?

[RagingFuryBlack]

FTA:

There are also many thousands of sexual queries, along with searches about "child porno" and "how to kill oneself by natural gas" that raise questions about what legal authorities can and should do with such information.

Now what kind of legal recourse can people expect from these search results? Can the man who searched for ways to kill his wife be tracked down? How about all of the paedophiles who searched for child pr0n? Oh, I can just see all of the "Come on AOL, think of the children...tell us who that was..." How closely tied are these numbers to the user's AOL Accounts, I mean, I'm sure AOL left themselves some tie to the user in their copy. What's stopping feds from making many major busts on people?

AOL - "Bypassing the 5th Amendment for You!"

[rolfwind]

I hope this issue brings more awareness to people about internet anonymity in general and that the government wants all your logs and that companies like Verizon roll over and let them have it.

AOL has went one step further and given their customer's information to the world. I googled the news to see if this story is being reported in the mainstream media, and it is minimally (minimal b/c of TimeWarner?) but I have to laugh as it is characterized as a "goof" and a "gaffe". Laughably understated and nice words for something that at best can be described as sheer bumbling negligence and at worst as a breach of privacy of the worst sort.

Even more ironic, the first news story to pop up on google has nothing to do with this but is:

"AOL offers free security software"
http://www.vnunet.com/vnunet/news/2161980/aol-offe rs-free-security [vnunet.com]

Re:Nothing we can do!

[LiquidCoooled]

The data is out there, what exactly could they do?
Erase it from peoples hard drives, remove it from all the pipes that its in, drug everyone who has seen it?

The fact they have this data is one thing, releasing it to the public is another.

Re:Legal Standing?

[CastrTroy]

And just for the sake of argument, what does searching for something prove. Sure in the case of child pr0n, they would probably be able to search the guy's house/computer for evidence, but other than that, can you really get arrested for something solely on the fact that you searched for it? Maybe the guy who was searching for how to kill is wife was just joking, seeing what would come up. There's a lot of crazy stuff on the internet. I know i've searched for things just to see what comes up. Just about everything is available on the internet, sometimes it's just fun to see what's out there.

Technology in the NY Times

[MobyDisk]

I found this interesting:

Next Article in Technology (1 of 27)

The NY times considers this an article on technology. Slashdot considers this an article on "Your Rights Online." That is the reason nothing will happen no matter how many times these privacy violations occur. People don't act on technology issues. They act on privacy, religion, and entertainment. I would shame the NY times that they still don't get it, but neither does most of the rest of the planet either.

Re:She should stay at AOL

[RagingFuryBlack]

Perhaps she's taking the first step in filing a lawsuit against the company for violation of privacy? It wouldn't look very good for her if she kept her account and still chose to sue.

The most importane part of TFA

[kent_eh]

"As unhappy as I am to see this data on people leaked, I'm heartened that we will have this conversation as a culture, which is long overdue."

Now, what can we do?
How about making sure "this conversation" happens, and continues to happen.

And not just here on /.

Interesting search...

[Anonymous Coward]

Here's an interesting search to add to Google's history database. [google.com]

What's even more interesting is the eBay ad offering to sell this. :)

Re:Legal Standing?

[evileyetmc]

Admittedly, you are correct in saying they are moving in that direction. My point was that once people realized that AOL was feeding the government prosecution fodder, they would avoid using AOL. At any rate, AOL is undoubtedly a sinking ship.

Re:She should sue the pants off AOL

[Anonymous Coward]

Search engine operators have this weird distinction between personalized data and anonymous data. Most think that queries are anonymous data. Many think that IP addresses are anonymous data because they're dynamic or proxied. There is no such distinction: Any meaningful interaction is potentially personal data. This comment is personal data. Even though it is posted as "anonymous coward" and doesn't mention anything personal, it contains information about its author: Choice of words, typical grammatical constructs and probably mistakes. I might post a similar comment (with respect to said unintentional "signature" properties) on another forum with a different topic where I'm not anonymous. Data-mining is much more powerful than just querying a database for a couple of keywords. If your privacy policy says that you won't divulge personally identifiable information, then that really means you can't divulge any information from or about me, and that's how it should be. Actually you shouldn't be collecting this information in the first place, but I'll file that with my hope that the Easter Bunny exists.

How to achieve change

[RagingFuryBlack]

After reading through all of the 0+ modded comments, I've seen everyone saying "God, I wish there was something that could be done to stop this from happening again". You want to see it stop? Find something that ties your local congressmen to their search histories on AOL. Contact them with that information. I can almost guarantee you that if you find enough dirt on enough congressmen/senators, you'll see legislation passed requiring that Search companies not keep records of searches. It quickly changes from "Think of the children" to "Think of saving my ass from dirt that can be used against me next election year"

Good!

[stormi]

I for one am glad that someone's identity was found from all of this, and I am glad that people are still able to go through that database of searches. Before anything will change, unfortunately, some big things are going to have to happen. I hope more people are identified and that it creates a media storm. Most people don't know or care about this story yet, and if they do hear about it they'll go 'oh, the information was taken down. and it's not me. ok then.' and they'll go on with their lives.

Someone important needs to be identified by their searches, and sue. In fact, it would be best of many people sued. And I hate to be so cynical, but the only way I see any real changes being made by AOL and other search engines would be if someone were identified by their searches, and something terrible happened to them as a result. I feel sorry for the person who this will inevitably happen to, but I also hope that a good change will come about as a result.

This is beyond 1984 / Reality of danger, promise

[mattr]

I wrote a little perl program to check on whether my family is in the released data.

This is very scary data, though also chock full of interesting info, interesting taken in many different ways. It was easy to find a number of people referencing my small home town of about 20,000 people. I shiver to imagine say a wife using AOL at home and her geek husband searching this stuff at work (not my problem).

Suffice it to say, the data is FULL of personally identifying information. AOL is not telling the truth. Heck, Google even gives you an address if you give it a phone number, people are used to typing people's names into the search box. And if you search for a given ID you can follow their trains of thought over time and it can be shattering; everyone looks for their own family online.. I even found an unknown relative that way once. AOL should hire some clueful people and get them into the loop, but it's too late for some people.

Incidentally, I found one of the most interesting words is "should". That, and "cocktail dresses" but I'm not going to get into that one. You see it turns out that not only do people sometimes unintentionally paste info from mail or webpages into the search field, they also ask questions that normally they might just write on paper and throw in the trash, or give up worrying about. So what AOL has done is closer to taping a confessional, what someone might ask of God or their doctor, or just worry endlessly about, and release it! What infants! It seems to say something about why doctors and priests have a professional code and know how to keep things private. Here are some search phrases, I'm not putting any in that have a person's name but you can probably get the idea from this.

what the fuck should i name my fetus
my nose is bleeding from cocaine what should i do
baby has something stuck in his foot what should i do
my mom is a hooker what should i do
how to tell a wife her husband is having an affair with you
caught my wife cheating
my wife cheated on me with a guy with a huge cock now what
spy on the wife
get revenge from a wife cheater
catch your wife having an affair
my cheating wife
got caught cheating on my wife and now she trying to take my kids away
my wife and kids are living with an ex con
very sexy baby nice pics i wanna c more lol u should take a look at my pic s tell me what ya think if u wanna chat my yahoo is lets get it mane and my aim is mhsplaya8
should a spouse stay married to a sex addict
should i let my son inlaw fuck me
i should have used a condom
dude read this its reallllly weird body hi. my name is kimi. it's too late now. you shouldn't have opened this bulletin but since you did you will die tonight if you dont keep reading. well i'm 19. i don't have eye lashes and i dont have a nose. pr
what should i do about heart palpitations after smoking crack
should a man go to a strip club the girlfriend is upset
should i see a married man
should i tell the other man's wife
should i confront my wife's adultery partner
mom showed me how to masterbate
why my girlfriend should give me head
should i buy extended warranty on my laptop
an employee jokes all day long what should i do
should parents let their children become stars
l want some pill to dead
l want to kill myself pill sleep
i want to kill myself
should i kill myself
i need someone to help me before i kill myself
help no one loves me i want to kill myself
best way to kill myself
i want to kill myself indiana hotline
god please my heart hurts help
l need to talk with a fbi
should informants be identified

Now maybe people will understand what AOL has done.
I am posting this because:

• I want strong pro-privacy legislation re search engines and other online venues
• The use of search engines as Voice-of-God or call-for-help is real. Search engines should be mandated to 1) not

Re:SQL injection target?

[Inataysia]

Just to pimp somebody else's work...

A neat paper was presented in the Software track at USENIX Security just a week or so ago about a technique that can be used to prevent all SQL injection attacks. It's a source code transformation that tracks one or two bits of "taint" information for every byte address in a program's address space.

The sysadmin or security admin can then define a policy with augmented regular expressions that have three Kleene-style operators that let you say e.g. (expr)^T, which matches the expression 'expr', iff every byte in expr is tainted, or (expr)^t which matches 'expr' iff at least one byte of expr is tainted. The last operator is ^u which means "iff none of these characters are tainted".

They prevent SQL injections by making a policy that says that whenever the function that actually executes the SQL query is called, its arguments are examined, and any string that matches.. (looks it up).. "(StrIdNum|Delim)*(SqlMetachar)^T(any)*", causes the system to either cause the call to fail with a given error, or causes the program to halt.

That's pretty neat, but it's already been done with pre-built binaries. The problem with those systems is that they use library preload hacks and have to run each instruction inside a lightweight VM to track the taint information (because they lack the semantics that come with having the source), giving performance hits of a factor of around 100. Since this solution transforms the source, GCC can optimize the transformed code a fair deal and they end up with around a 17% performance hit, which is an excellent tradeoff for security.

Since it's a C source transformation, they transformed apache, PHP, bash, and even glibc. Their technique can be used (and was demonstrated in the paper) to prevent a number of classes of attacks, not just specific attacks.

Look it up: "Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks", Wei Xu, Sandeep Bhatkar, R. Sekar, Stony Brook University. [sunysb.edu]

End pimp.

Re:Nothing we can do!

[assassinator42]

Well, AOL intentionally released this. I'm not sure what license they gave it. If it's not illegal, can AOL stop people from spreading it?