EFF Files Complaint with FTC Over AOL Data Leak

Posted by Zonk
from the little-tighter-with-those-pipes-please dept.
Quincy A. writes "Last week's exposure of search data on over 500,000 AOL users was a gigantic embarrassment for the company. It may be about to get worse, as the EFF has filed a complaint with the FTC over the incident. 'Citing AOL's own Network Privacy Policy, the EFF says that the company failed to "implement reasonable and appropriate measures to protect personal consumer information from public disclosure."' Among other things, the complaint asks AOL to notify all users affected by the data disclosure via certified mail and provide free credit monitoring for a year."
  • by umm qasr (72190) <{leith} {at} {bu.edu}> on Tuesday August 15, 2006 @04:22PM (#15913234) Homepage
    I'm happy that AOL will be help *somewhat* accountable.
    • I agree, although I'd prefer it if they were being held accountable :-P
    • by Anonymous Coward
      It is a good thing they'll face at least some minor repercussions, but it's a far cry from what should happen. At the minimum, AOL should be proscribed from logging this information in the future. More fairly, AOL should be forced to pay a hefty sum to each of its customers and be proscribed from logging the information again.

      Neither of these things will happen, though. AOL will keep spying on its customers and selling the information, future customers will not be notified of this fact except perhaps in
      • How is it "spying" when all the data collected is submitted to AOL by the users to be used as search terms? They aren't recording anything not sent to them on purpose by the users. That's like saying it's spying to save emails people send you.

        But I know, it's trendy to bash AOL for the hell of it.
    • by Anonymous Coward
      As slashbots, I imagine it's safe to say that we're not fond of AOL nor AOLers to begin with, and that's ok. Part of me wants to cite Chuck Darwin on this one, but I also understand that if it could happen at AOL, it may happen elsewhere. That's why I'm cheering the EFF on -- to send the message to every other ISP/search engine out there who doesn't get it yet. The privacy of your customers is very important.

      I must admit some of that data (if it weren't tied to ID's) could make for good sociology/psychol
      • The problem is that it is the searches which are revealing. It isn't possible to release complete search data AND protect privacy of all users because people search for things that are important to them, i.e., the searches are self revealing. That's why replacing usernames with a numerical identifier was so ineffectual for so many users.

        As an aside, I imported the data into a mysql database. I've never messed with that much data before and it was a good learning experience with respect to grep, awk, and sed and converting the tab-delimited files into something I could import into mysql. I do wonder however, if there is a way to just import the tab-delimited file without adding "insert" to lines and escaping the ' ( ) and ; characters that appear in the data. Any experts have a hint? On my athlon 2200+ with 512mb of ram, each search of the data takes about a minute to complete. It's actually faster to just grep for lower numbered userids and then kill grep once the output shows.

      • >I must admit some of that data (if it weren't tied to ID's) could make for good sociology/psychology papers.

        And the data should be treated precisely the same as psych experiments on human subjects, because that is exactly what it is. If you have never tried to do a research project involving human subjects in your experiments, you probably don't realize the hoops you have to jump through or the accountability you are required to take.

        By "experiments", I mean, even getting permission to present a slide
    • by deviantphil (543645) on Tuesday August 15, 2006 @04:39PM (#15913485)

      The accountability they take in the future might be less than inspiring. From the article:

      It is certain that AOL will vigorously contest the EFF's complaint, with the linchpin of its defense being that the whole thing was a horrible idea from AOL's new research unit that will never be repeated. Unfortunately, horrible ideas can have real-world ramifications, and even though AOL is "deeply sorry" and swears it will never happen again, there need to be some safeguards in place to prevent a recurrence.

      I wonder what would happen to a murder defendant that tried to use that defense. "I'm sorry your Honor....my left hand pulled the trigger without my permission. It won't happen again! I promise!"

      Bottom line, respondeat superior [cch.com] says it is their unit, their employees, THE COMPANY is responsible.

    • by Anonymous Coward
      Before AOL did this I think only the most extreme privacy advocates cared about what the major search engines were storing about them. Now, I think everyone does.


      While I feel sorry for the specific individuals that AOL abused, this was probably a good thing in the long term for the privacy of the rest of internet users everywhere.



  • With all the hype around personal privacy laws, and elections coming up this is a bad time for AOL. Nuff said though as they are in my opinion, the originators of spam, and the selling of customer information to data miners
  • by Skadet (528657) on Tuesday August 15, 2006 @04:28PM (#15913325) Homepage
    Among the list of remedies proposed by the EFF include [...] hav[ing] the FTC bar [AOL] from storing users' search activities "except where necessary... to the rendition of AOL's services or the protection of AOL rights and property." At most, AOL should only be allowed to keep 14 days' worth of data, argues the EFF.
    Why do they keep such logs, anyway? If it's to help tailor results better, or to help sell advertising, then why is it correlated with a user ID? My company, for example, saves a keyword search history, but there is no user-identifiable information correlated with it. And it's plenty of information for our needs.

    If nothing else, it's a terrible, terrible reminder that no matter where you are, no matter what you're searching for, someone could be watching.

    • by DerGeist (956018) on Tuesday August 15, 2006 @04:47PM (#15913580)
      More like someone is watching.

      This user-search crap is an advertising goldmine. The internet is so vast and intricate that you need a search engine to find just about anything (unless you happen to enjoy posting to random forums in hopes for a response...in a few days or so).

      But when you search, it says something about you personally. Just like when you buy things at the grocery store (don't forget to use your Super Shopper Saver Discount Card, Mister 60917492!) searching online indicates what you are interested in and what you're likely to buy in the future. By hopefully pegging your wants, desires, hobbies, interests, tastes and preferences into a conveniently distributable file advertisers hope to beam you laser-targeted ads for crap that you (and only you) will simply HAVE to buy in order to feel complete as a human being.

      Without the personal identification, they can't hope to learn every intricate detail of your life in order to suck more of your money from your pockets (or packets, as the case may be :-). *ducks*

    • I regularly google for

      "1234 My Street, 80516 to somewhereelse, 80999"

      in order to get driving directions.

      If I were up to something nefarious then it would probably be quite obvious. Although I'm not up to anything and don't really care.
      • You should only enter your zip as your starting address, for this very reason. (You should know your way around your zip, right?)
        • Google already knows where you live and has a satellite picture of your house. They can even tell which computer behind your NAT is making each search, based on the cookies that they leave on your computer.
          • I guess it doesn't help matters that I let them track every search I make and give it to me in a nice history organized by search term, and which links I clicked on below it.

            I like having tons of information about myself available, even if it means it's available to someone else as well. The important difference here is that I'm making the informed decision to vacate some of my privacy in exchange for some data mining done for me on my behalf, rather than my privacy being violated without any choice in the
        • In addition to the fact that google knows where I live and probably what I had for breakfast this morning, I'm right on the extremity of a zip code, and there's usually quite a big difference in local directions between my house and the centroid.
    • by pclminion (145572) on Tuesday August 15, 2006 @05:25PM (#15914037)

      Why do they keep such logs, anyway? If it's to help tailor results better, or to help sell advertising, then why is it correlated with a user ID? My company, for example, saves a keyword search history, but there is no user-identifiable information correlated with it. And it's plenty of information for our needs.

      First, the search database doesn't list AOL user IDs. It lists "unique IDs" for each user, but they are not correlated to whatever AOL's internal "User ID" is. But to assume that sanitizing the data by changing or completely removing user IDs will make people safe is boneheaded.

      Let's start with a grep for social security numbers. I've blipped out the actual numbers themselves, but that's not much help for these poor folks, since anybody can get their hands on the database:

      • find robert williams akron oh 44306 XXX-XX-XXXX
      • birth certificate for debra ann collins 1-28-59 ss XXX-XX-XXXX
      • locate keith ivan thompson born 3 may 64 social security XXX-XX-XXXX last address was XXXXXX colorado
      • kristy nicole vega hammond la. social secruity number XXX-XX-XXXX birth date 03 08 81 drivers license number la. XXXXXXXXX address XXXXXXXX.

      Moving on, check out this fascinating query:

      • all i can say is you looked amazing in that photo. i would love to get achanceto know you. expect a call from me soon. are you looking for a friend or a companian just for future reference

      Looks like somebody accidentally copy-pasted a portion of their private communication (email or IM, perhaps) into the search query box and clicked "Submit." Now their private thoughts are available for all to see. You'd be AMAZED at the stuff you'll find in these logs. The idea that removing usernames/IDs from data is "instant sanitization" is naive and dangerous. There is more than enough information in many of these queries to identify specific individuals and examine EVERYTHING they have searched for in the past 6 months.

      (I do question the sanity and intelligence of some of the people who submitted queries like the ones above, but ultimately this is not their fault.)
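
Added example (not part of the comment above or of the original thread): a pre-release audit a data owner could run over a pseudonymized query log, showing how one identifying query links every other row stored under the same ID. The three-column tab-delimited layout, the sample rows, the regexes and the 12-word threshold are assumptions made for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the tab-delimited layout the thread describes
# (pseudonymous ID, query, timestamp). Every value here is invented.
SAMPLE_LOG = (
    "1001\tcheap flights denver\t2006-03-01 10:00:00\n"
    "1001\tfind jane doe springfield 000-12-3456\t2006-03-01 10:05:00\n"
    "1001\t12 example street springfield to airport\t2006-03-02 09:00:00\n"
    "1002\tweather\t2006-03-01 11:00:00\n"
    "1002\tall i can say is thanks for the photo expect a call from me soon ok"
    "\t2006-03-03 12:00:00\n"
    "1003\tpizza recipes\t2006-03-04 13:00:00\n"
)

SSN_LIKE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
STREET = re.compile(
    r"\b\d{1,5}\s+(?:\w+\s+){1,3}(?:street|st|avenue|ave|road|rd|drive|dr|lane|ln)\b",
    re.IGNORECASE,
)
PASTED_TEXT_WORDS = 12  # assumed threshold: longer queries look like pasted prose


def flag_query(query):
    """Return the set of reasons a single query may identify a person."""
    reasons = set()
    if SSN_LIKE.search(query):
        reasons.add("ssn_like")
    if STREET.search(query):
        reasons.add("street_address")
    if len(query.split()) >= PASTED_TEXT_WORDS:
        reasons.add("pasted_text")
    return reasons


def audit(log_text):
    """Map each flagged pseudonymous ID to (reasons, rows linked under that ID)."""
    rows_per_id = defaultdict(int)
    reasons_per_id = defaultdict(set)
    # QUOTE_NONE: quote characters inside queries are data, not field quoting.
    reader = csv.reader(io.StringIO(log_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) != 3:
            continue  # skip malformed lines rather than guess at columns
        anon_id, query, _timestamp = row
        rows_per_id[anon_id] += 1
        reasons_per_id[anon_id] |= flag_query(query)
    return {
        anon_id: (sorted(reasons), rows_per_id[anon_id])
        for anon_id, reasons in reasons_per_id.items()
        if reasons
    }


def exposure_ratio(log_text):
    """Fraction of all rows that share an ID with at least one flagged query."""
    findings = audit(log_text)
    total = sum(1 for line in log_text.splitlines() if line.count("\t") == 2)
    linked = sum(rows for _reasons, rows in findings.values())
    return linked / total if total else 0.0


if __name__ == "__main__":
    for anon_id, (reasons, rows) in sorted(audit(SAMPLE_LOG).items()):
        print(f"{anon_id}: {', '.join(reasons)} ({rows} rows linked by this ID)")
    print(f"rows linked to an identifying query: {exposure_ratio(SAMPLE_LOG):.0%}")
```

Redacting only the flagged rows would still leave the remaining rows joined by the same ID, which is why the audit reports linked rows per ID rather than flagged rows alone.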

    • This type of thing gives me more reason to sign up with an anonymous proxy/vpn. Something like https://www.relakks.com/?lang=eng [relakks.com] . I think the $5 to $10 a month would be worth it. No corporate reporting, no advertising scheming, and no identifying IP. Has anyone had luck with a private proxy/vpn?

  • by Anonymous Coward on Tuesday August 15, 2006 @04:28PM (#15913328)
    While I'm demonstrating my support, I thought I'd suggest some of you do the same.

    Have you shown your support? EFF [eff.org]
    • They got some nice swag now for donating.

      Suck it, PBS!
    • They also let a lot of stupid things happen, like not enforcing .xxx extensions on porn sites. That's something that would only make it easier for people to limit content when they don't feel that it's appropriate in a given situation. In my book, that's appropriate. Of course, that's not what the EFF is about, is it? How can I say that, right?! The EFF is all about the rights of others? Rights are a double-edge sword - everybody that made it out of high school understands that. You can't allow unlim
  • by MobyDisk (75490) on Tuesday August 15, 2006 @04:28PM (#15913329) Homepage
    <soapbox>
    The EFF is the "stop 1984 from happening" fund. If you read Slashdot, you know why you should be a member.
    </soapbox>
  • At least they provided a good 20 minutes of entertainment for me this morning :)

    www.somethingawful.com/index.php?a=4016
  • I wonder whether AOL could be enjoined from collecting any personal data about users until this case is decided?
  • I wonder (Score:3, Interesting)

    by LiquidCoooled (634315) on Tuesday August 15, 2006 @04:31PM (#15913369) Homepage Journal
    Even if this *doesn't* get through court, could an AOL customer ask AOL for their export ID number?

    Is the ID number we have all grown to know an integral part of every AOL account?
    Does AOL even know who user 17556639 actually is or was it generated automatically and then lost in the data export?

    • Ha. You can be sure that user 17556639 is correlated to an IP address somewhere. Discovering the real users' identity at that point is a trivial matter.
    • From the .txt file that comes with the data:

      "The data is sorted by anonymous user ID and sequentially arranged."

      AOL probably doesn't have a direct mapping of anonymous ID -> AOL user ID. Of course, they have the original data, and as such, could work it out trivially.
  • More ignorance from the company recently voted worst technology of all time. http://www.pcworld.com/article/id,125772-page,2/article.html [pcworld.com]
  • really be from the "little-tighter-with-those-tubes-please" department.
  • by pfz (965654) on Tuesday August 15, 2006 @04:43PM (#15913525) Homepage
    They need your help!

    Watch EFF attorney Jason Schultz tear the roof off in the new documentary, ALTERNATIVE FREEDOM. Maybe you will learn something or be able to show your friends and then we can all make sure digital rights are always kept in mind...

    http://alternativefreedom.org/ [alternativefreedom.org]

  • I'm not saying that in any way AOL users "deserved" this -- nobody does. No matter what or how much information a company has about you, whether it be your net searches or how filthy your carpets are, you expect the company that holds this information to keep it private.

    However, why in the world would you go with a company like AOL that has so many recorded existing problems that could be discovered with a modicum of research? Unfortunately, it seems much like U-Haul being one of/the biggest moving va
    • Well said.... That database that AOL put up cost the company what little credibility it had left. We all know that AOL's going down the drain but that had to be the last straw. I mean, do you know how many people out there have searched their name just to see what they can find about themselves on the internet? That's all it takes for that person to become a victim of ID theft! AOL is already the breeding ground for spammers, scammers and hackers http://www.essentialsecurity.com/Documents/article22.htm [essentialsecurity.com] .
    • Yeah, it's a good thing that "good" companies like Google don't do this sort of loggin... ...aw, shit.
    • "I'm not saying that in any way AOL users "deserved" this -- nobody does"

      Fair enough, but come on, not EVEN AOL users??? We have to draw the line somewhere.
  • by dysk (621566) on Tuesday August 15, 2006 @05:01PM (#15913779)
    Yes, AOL made a mistake by releasing that information. They've admitted to the mistake, apologized, and I doubt anyone will try to do this again.

    On the other hand, one needs to recognize that they didn't release the information for the purposes of making money, or defrauding the customers, or anything else. They collected the data in order to help a researcher write an extremely informative paper[pdf] [iit.edu] about human behavior as it relates to searches. That researcher decided that others might benefit from the information, and convinced AOL to make it publicly available. It turns out that that was a huge lapse in judgement, but nonetheless, intentions are also important and while criticizing AOL, we should also compliment them for their effort to interface with the academic community.

    AOL has been punished enough in the press. Given the circumstances I don't think that any legal action is necessary.

    • >AOL has been punished enough in the press. Given the circumstances I don't think that any legal action is necessary.

      Others are of the opinion that the people responsible should spend decades in prison, and that the company should pay fines and restitution at the kinds of levels that would reduce them from a multi-billion-dollar-corporation to a startup looking for venture capital.

      Somewhere in between that extreme and yours, there will be some appropriate consequences.
    • by Anonymous Coward
      This is more than a "huge lapse in judgment", it's criminal negligence and legal action should be taken (IANAL). It's hard to imagine a researcher or company could be so colossally brain-damaged as to freely give away this data to the public. I would actually be more understanding if it was stolen. If anything, the data should be available only to qualified researchers, and then only under an NDA that would only permit summarized forms of the data to be published.

      There is more than enough information in her
  • It was a very strange thing for AOL to release that search history. Out of the blue, they suddenly announce they are giving away some of their data. Why did they do this? They must have had a reason. The only thing I can think of off hand is they needed a way to make the information public so it could be used legally by law enforcement?
    • Out of the blue, they suddenly announce they are giving away some of their data.

      It's probably somewhere in their TOS (I haven't read it and don't care to/have time to) that they don't have to ask anyone's permission to "share" their "non-personally-identifiable information" with their "partners" (just to coin a few phrases from various TOS's and EULA's and CYA's I have bothered to read over the years...) but it would've been nice if they had announced they were planning to release a subset of their logs,

    • well they say now that it didn't happen on purpose... but then I don't know why the names are replaced by IDs...
  • Among other things, the complaint asks AOL to notify all users affected by the data disclosure via certified mail and provide free credit monitoring for a year."

    AOL probably -CAN'T- notify the users, because they probably didn't keep the username->ID# mapping.

  • by dysk (621566) on Tuesday August 15, 2006 @05:16PM (#15913925)
    the complaint asks AOL to notify all users affected by the data disclosure via certified mail
    Unless I'm being sued or in immediate legal danger, I don't want to get any certified mail. When I do, I have to interrupt my work day and drive 10 miles over questionable roads to the post office. The fact that some of my searches may have been leaked without my name on them is not a reason to send a certified letter, however an insert in my next bill would be completely reasonable.

    The EFF has good intentions, but in this case they are going overboard.

  • by Anonymous Coward on Tuesday August 15, 2006 @05:18PM (#15913945)
    For example:

    select * from aolsearches where anonid = 3620882;

    yields a very strange individual... some brief examples (shortened for brevity... it's MUCH longer than this):

    | 3620882 | bank robber hide-outs                       | 2006-03-01 22:22:04 |
    | 3620882 | male sissy panty stories                    | 2006-03-01 22:35:41 |
    | 3620882 | big bosom mothers                           | 2006-03-01 22:47:58 |
    | 3620882 | sissy nightgown training                    | 2006-03-02 11:46:49 |
    | 3620882 | special female training of sissy men        | 2006-03-02 17:16:24 |
    | 3620882 | tight laced girdles                         | 2006-03-05 12:33:09 |
    | 3620882 | baptist church directory                    | 2006-03-07 18:56:13 |
    | 3620882 | pink panty discipline                       | 2006-03-07 19:41:53 |
    | 3620882 | old curvy women                             | 2006-03-10 12:38:47 |
    | 3620882 | independent baptist church directory        | 2006-03-12 11:45:44 |
    | 3620882 | westboro baptist church                     | 2006-03-23 13:51:49 |
    | 3620882 | baptist college directory                   | 2006-03-25 19:44:22 |
    | 3620882 | adult diaper parties                        | 2006-04-04 13:51:30 |
    | 3620882 | colorado mining claims for sale             | 2006-04-16 13:00:25 |
    | 3620882 | husbands that are sissy                     | 2006-04-28 20:13:11 |
    | 3620882 | very large bosoms                           | 2006-05-18 21:38:57 |
    | 3620882 | how to make gun silencers                   | 2006-05-20 12:45:00 |
    | 3620882 | male maid training                          | 2006-05-30 12:15:49 |

    Really, I think of myself as a pretty tolerant person, but this seriously makes me wonder what kind of weird individuals roam this planet.
  • by Anonymous Coward
    Someone needs to come up with a quick-and-dirty resident app that issues random search queries to Google and other engines at random intervals. You poison the value of the data and make it relatively useless.

  • use a search proxy. http://www.blackboxsearch.com/ [blackboxsearch.com]
  • someone should start trying to find out the identities of the people whose search queries were published... I don't think you need too many queries by one person to pin him down...

    maybe THIS would silence the guys that understate how horrible this is for privacy...

    sounds like another job for the EFF ;)
