EFF Files Complaint with FTC Over AOL Data Leak
Quincy A. writes "Last week's exposure of search data on over 500,000 AOL users was a gigantic embarrassment for the company. It may be about to get worse, as the EFF has filed a complaint with the FTC over the incident. 'Citing AOL's own Network Privacy Policy, the EFF says that the company failed to "implement reasonable and appropriate measures to protect personal consumer information from public disclosure."' Among other things, the complaint asks AOL to notify all users affected by the data disclosure via certified mail and provide free credit monitoring for a year."
While I am surprised the EFF took the case (Score:5, Interesting)
Re:While I am surprised the EFF took the case (Score:1)
Re:While I am surprised the EFF took the case (Score:1, Offtopic)
Re:While I am surprised the EFF took the case (Score:2, Insightful)
Neither of these things will happen, though. AOL will keep spying on its customers and selling the information, future customers will not be notified of this fact except perhaps in
Re:While I am surprised the EFF took the case (Score:1)
But I know, it's trendy to bash AOL for the hell of it.
Re:While I am surprised the EFF took the case (Score:2, Insightful)
I must admit some of that data (if it weren't tied to ID's) could make for good sociology/psychol
Re:While I am surprised the EFF took the case (Score:4, Insightful)
As an aside, I imported the data into a mysql database. I've never messed with that much data before and it was a good learning experience with respect to grep, awk, and sed and converting the tab-delimited files into something I could import into mysql. I do wonder, however, if there is a way to just import the tab-delimited file without adding "insert" to lines and escaping the ' ( ) and ; characters that appear in the data. Any experts have a hint? On my athlon 2200+ with 512mb of ram, each search of the data takes about a minute to complete. It's actually faster to just grep for lower numbered userids and then kill grep once the output shows.
Re:While I am surprised the EFF took the case (Score:3, Informative)
http://mysql.com/doc/refman/5.0/en/mysqlimport.ht
Re:While I am surprised the EFF took the case (Score:2, Informative)
Then use this statement:
load data infile '/path/to/file/file.txt' into table name_of_table;
Tab delimited is the default delimiter for that statement but you can change it.
And as someone who regularly works with this amount of data - dump grep, sed and awk and learn Perl. It is way, way faster and is exactly the tool for this kind of job. Oh, and put an index on your search term column.
Re:While I am surprised the EFF took the case (Score:2)
Re:While I am surprised the EFF took the case (Score:2)
Assuming a table named aol_search, with columns user_id and search_term, this will speed things up:
alter table aol_search add index users(user_id);
alter table aol_search add index terms(search_term);
If you're querying on the URLs, add an index for those too.
Re:While I am surprised the EFF took the case (Score:1)
>I must admit some of that data (if it weren't tied to ID's) could make for good sociology/psychology papers.
And the data should be treated precisely the same as psych experiments on human subjects, because that is exactly what it is. If you have never tried to do a research project involving human subjects in your experiments, you probably don't realize the hoops you have to jump through or the accountability you are required to take.
By "experiments", I mean, even getting permission to present a slide
Re:While I am surprised the EFF took the case (Score:4, Insightful)
The accountability they take in the future might be less than inspiring. From the article:
It is certain that AOL will vigorously contest the EFF's complaint, with the linchpin of its defense being that the whole thing was a horrible idea from AOL's new research unit that will never be repeated. Unfortunately, horrible ideas can have real-world ramifications, and even though AOL is "deeply sorry" and swears it will never happen again, there need to be some safeguards in place to prevent a recurrence.
I wonder what would happen to a murder defendant that tried to use that defense. "I'm sorry your Honor....my left hand pulled the trigger without my permission. It won't happen again! I promise!"
Bottom line, respondeat superior [cch.com] says it is their unit, their employees, THE COMPANY is responsible.
AOL did the world a big service in this one (Score:1, Insightful)
While I feel sorry for the specific individuals that AOL abused, this was probably a good thing in the long term for the privacy of the rest of internet users everywhere.
Re:AOL issues a press release: (Score:2)
I was thinking more along the lines of "LOS GTG!!1"
(Lawyers Over Shoulder.)
Re:AOL issues a press release: (Score:2)
I thought so too, but it's really (Score:2)
Re:I thought so too, but it's really (Score:2)
Oh!
Uhm...
Nah, I like barbecue better. It's funnier, in a kinda cannibalistic way.
bad for aol, good for aol. (Score:2)
With all the hype around personal privacy laws, and elections coming up, this is a bad time for AOL. Nuff said though, as they are, in my opinion, the originators of spam and the selling of customer information to data miners.
Why do they even have this stuff? (Score:5, Insightful)
If nothing else, it's a terrible, terrible reminder that no matter where you are, no matter what you're searching for, someone could be watching.
Re:Why do they even have this stuff? (Score:4, Insightful)
This user-search crap is an advertising goldmine. The internet is so vast and intricate that you need a search engine to find just about anything (unless you happen to enjoy posting to random forums in hopes for a response...in a few days or so).
But when you search, it says something about you personally. Just like when you buy things at the grocery store (don't forget to use your Super Shopper Saver Discount Card, Mister 60917492!) searching online indicates what you are interested in and what you're likely to buy in the future. By hopefully pegging your wants, desires, hobbies, interests, tastes and preferences into a conveniently distributable file advertisers hope to beam you laser-targeted ads for crap that you (and only you) will simply HAVE to buy in order to feel complete as a human being.
Without the personal identification, they can't hope to learn every intricate detail of your life in order to suck more of your money from your pockets (or packets, as the case may be :-). *ducks*
Even search terms could be a risk (Score:2)
"1234 My Street, 80516 to somewhereelse, 80999"
in order to get driving directions.
If I were up to something nefarious then it would probably be quite obvious. Although I'm not up to anything and don't really care.
Re:Even search terms could be a risk (Score:2)
Re:Even search terms could be a risk (Score:3, Insightful)
Re:Even search terms could be a risk (Score:2)
I like having tons of information about myself available, even if it means it's available to someone else as well. The important difference here is that I'm making the informed decision to vacate some of my privacy in exchange for some data mining done for me on my behalf, rather than my privacy being violated without any choice in the
Re:Even search terms could be a risk (Score:2)
Re:Why do they even have this stuff? (Score:5, Interesting)
Why do they keep such logs, anyway? If it's to help tailor results better, or to help sell advertising, then why is it correlated with a user ID? My company, for example, saves a keyword search history, but there is no user-identifiable information correlated with it. And it's plenty of information for our needs.
First, the search database doesn't list AOL user IDs. It lists "unique IDs" for each user, but they are not correlated to whatever AOL's internal "User ID" is. But to assume that sanitizing the data by changing or completely removing user IDs will make people safe is boneheaded.
Let's start with a grep for social security numbers. I've blipped out the actual numbers themselves, but that's not much help for these poor folks, since anybody can get their hands on the database:
Moving on, check out this fascinating query:
Looks like somebody accidentally copy-pasted a portion of their private communication (email or IM, perhaps) into the search query box and clicked "Submit." Now their private thoughts are available for all to see. You'd be AMAZED at the stuff you'll find in these logs. The idea that removing usernames/IDs from data is "instant sanitization" is naive and dangerous. There is more than enough information in many of these queries to identify specific individuals and examine EVERYTHING they have searched for in the past 6 months.
(I do question the sanity and intelligence of some of the people who submitted queries like the ones above, but ultimately this is not their fault.)
Re:Why do they even have this stuff? (Score:2)
How, exactly, are they absolved of any responsibility?
The same way a rape victim is absolved of responsibility, even if they were wearing a provocative outfit, you fucking sociopath.
Re:Why do they even have this stuff? (Score:2)
I've been meaning to make a donation. (Score:5, Informative)
Have you shown your support? EFF [eff.org]
Re:I've been meaning to make a donation. (Score:2)
Suck it, PBS!
Re:I've been meaning to make a donation. (Score:1)
Donate to these people (Score:5, Insightful)
The EFF is the "stop 1984 from happening" fund. If you read Slashdot, you know why you should be a member.
</soapbox>
Re:Donate to these people (Score:5, Insightful)
Electronic freedom is nice, but freedom in the real world is all that matters in the end.
Re:Donate to these people (Score:4, Insightful)
http://www.cfoi.org.uk/ [cfoi.org.uk]
http://www.liberty-human-rights.org.uk/ [liberty-hu...hts.org.uk]
http://www.cyber-rights.org/ [cyber-rights.org]
http://www.justice.org.uk/ [justice.org.uk]
Your 'real world' doesn't include electronic data? (Score:3, Insightful)
Re:Your 'real world' doesn't include electronic da (Score:1)
Re:Donate to these people (Score:1, Funny)
Re:Donate to these people (Score:5, Insightful)
Re:Donate to these people (Score:1)
Re:Donate to these people (Score:1)
I really hate it when people treat online as any less real than offline. Both involve communication between humans, and that communication is important for survival. As more things become dependent on online communications, "the real world" is expanding to cover it.
Re:Donate to these people (Score:1)
Look on the bright side! (Score:2, Interesting)
www.somethingawful.com/index.php?a=4016
Enjoin? (Score:2)
I wonder (Score:3, Interesting)
Is the ID number we have all grown to know an integral part of every AOL account?
Does AOL even know who user 17556639 actually is or was it generated automatically and then lost in the data export?
Re:I wonder (Score:1)
Re:I wonder (Score:2)
"The data is sorted by anonymous user ID and sequentially arranged."
AOL probably doesn't have a direct mapping of anonymous ID -> AOL user ID. Of course, they have the original data, and as such, could work it out trivially.
The worst (Score:1)
This should... (Score:1)
EFF Can't Do It Alone!!! (Score:3, Interesting)
Watch EFF attorney Jason Schultz tear the roof off in the new documentary, ALTERNATIVE FREEDOM. Maybe you will learn something or be able to show your friends and then we can all make sure digital rights are always kept in mind...
http://alternativefreedom.org/ [alternativefreedom.org]
Why oh why oh why??? (Score:2)
However, why in the world would you go with a company like AOL that has so many recorded existing problems that could be discovered with a modicum of research? Unfortunately, it seems much like U-Haul being one of/the biggest moving va
Re:Why oh why oh why??? (Score:1)
Re:Why oh why oh why??? (Score:2)
Re:Why oh why oh why??? (Score:1)
Fair enough, but come on, not EVEN AOL users??? We have to draw the line somewhere.
Relief doesn't match mistake (Score:5, Informative)
On the other hand, one needs to recognize that they didn't release the information for the purposes of making money, or defrauding the customers, or anything else. They collected the data in order to help a researcher write an extremely informative paper[pdf] [iit.edu] about human behavior as it relates to searches. That researcher decided that others might benefit from the information, and convinced AOL to make it publicly available. It turns out that that was a huge lapse in judgement, but nonetheless, intentions are also important and while criticizing AOL, we should also compliment them for their effort to interface with the academic community.
AOL has been punished enough in the press. Given the circumstances I don't think that any legal action is necessary.
Re:Relief doesn't match mistake (Score:2, Insightful)
>AOL has been punished enough in the press. Given the circumstances I don't think that any legal action is necessary.
Others are of the opinion that the people responsible should spend decades in prison, and that the company should pay fines and restitution at the kinds of levels that would reduce them from a multi-billion-dollar-corporation to a startup looking for venture capital.
Somewhere in between that extreme and yours, there will be some appropriate consequences.
Re:Relief doesn't match mistake (Score:2, Insightful)
There is more than enough information in her
The question is , why did AOL release info at all? (Score:2)
Re:The question is , why did AOL release info at a (Score:2)
It's probably somewhere in their TOS (I haven't read it and don't care to/have time to) that they don't have to ask anyone's permission to "share" their "non-personally-identifiable information" with their "partners" (just to coin a few phrases from various TOS's and EULA's and CYA's I have bothered to read over the years...) but it would've been nice if they had announced they were planning to release a subset of their logs,
Re:The question is , why did AOL release info at a (Score:1)
who says they CAN notify the users? (Score:2)
Among other things, the complaint asks AOL to notify all users affected by the data disclosure via certified mail and provide free credit monitoring for a year."
AOL probably -CAN'T- notify the users, because they probably didn't keep the username->ID# mapping.
Re:who says they CAN notify the users? (Score:2)
I don't want certified mail (Score:3, Interesting)
The EFF has good intentions, but in this case they are going overboard.
Some weird people in the world, that's for sure (Score:3, Funny)
select * from aolsearches where anonid = 3620882;
yields a very strange individual... some brief examples (shortened for brevity... it's MUCH longer than this):
| 3620882 | bank robber hide-outs | 2006-03-01 22:22:04 |
| 3620882 | male sissy panty stories | 2006-03-01 22:35:41 |
| 3620882 | big bosom mothers | 2006-03-01 22:47:58 |
| 3620882 | sissy nightgown training | 2006-03-02 11:46:49 |
| 3620882 | special female training of sissy men | 2006-03-02 17:16:24 |
| 3620882 | tight laced girdles | 2006-03-05 12:33:09 |
| 3620882 | baptist church directory | 2006-03-07 18:56:13 |
| 3620882 | pink panty discipline | 2006-03-07 19:41:53 |
| 3620882 | old curvy women | 2006-03-10 12:38:47 |
| 3620882 | independent baptist church directory | 2006-03-12 11:45:44 |
| 3620882 | westboro baptist church | 2006-03-23 13:51:49 |
| 3620882 | baptist college directory | 2006-03-25 19:44:22 |
| 3620882 | adult diaper parties | 2006-04-04 13:51:30 |
| 3620882 | colorado mining claims for sale | 2006-04-16 13:00:25 |
| 3620882 | husbands that are sissy | 2006-04-28 20:13:11 |
| 3620882 | very large bosoms | 2006-05-18 21:38:57 |
| 3620882 | how to make gun silencers | 2006-05-20 12:45:00 |
| 3620882 | male maid training | 2006-05-30 12:15:49 |
Really, I think of myself as a pretty tolerant person, but this seriously makes me wonder what kind of weird individuals roam this planet.
Re:Some weird people in the world, that's for sure (Score:2)
At the very least it makes everyone feel better about all the perverted crap they have searched for.... Not that I have ever searched for anything perverted.
Re:Some weird people in the world, that's for sure (Score:2)
Re:Some weird people in the world, that's for sure (Score:1, Funny)
Sincerely,
Jerry Falwell
Re:Some weird people in the world, that's for sure (Score:2)
Don't be so quick to judge. Would we find anything strange in *your* porn collection?
The people in the AOL search thing who really bother me are the ones searc
Re:Some weird people in the world, that's for sure (Score:2)
bad data = no profiling (Score:1, Insightful)
Re:bad data = no profiling (Score:1)
In the meantime (Score:1)
start finding identities (Score:1)
maybe THIS would silence the guys that understate how horrible this is for privacy...
sounds like another job for the EFF
Re:So EFF stands for the free exchange of informat (Score:4, Informative)
Re:So EFF stands for the free exchange of informat (Score:1)
That can't be for real. Lawyers? Working to help us? This changes everything. How can I make shark, parasite and ambulance chasing jokes in the future? Man, how could I have made just a gross simplification?
Re:So EFF stands for the free exchange of informat (Score:5, Insightful)
Hence all consumer (people) data must be treated as private by default, whereas the Government data must be treated as inherently public.
The EFF opposes the recent drive to turn this principle inside-out.
Re:So EFF stands for the free exchange of informat (Score:4, Interesting)
Newsflash: neither do citizens. The closest the constitution comes is this:
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
So your search history is fair game, as long as it's not being used for searches and seizures. I get spam to an address I used for a Western Digital hard drive rebate. My neighbor's kids get credit card offers after someone bought a kids magazine in their name. Privacy in the US is a joke compared to the strong laws in some countries (Germany IIRC is a good example).
Re:So EFF stands for the free exchange of informat (Score:2)
No, the Constitution comes much closer than that:
It's an outrage that these 9th and 10th Amendments -- which are arguably the most important -- are also the most ignored. The Founding Fathers are spinning in their grav
Re:Why credit monitoring? (Score:3, Informative)
Really have you not heard about this? The data absolutely did contain exactly this sort of data.
Re:Why credit monitoring? (Score:2, Interesting)
"locate John L. Smith last address 123 Main Street, Houston, Texas social security number 123-45-6789"
Like AOL was some magic person finding machine. I kept thinking Star Trek, "Computer: Locate
Re:Why credit monitoring? (Score:2)
Re:Why credit monitoring? (Score:2, Insightful)
Re:Why credit monitoring? (Score:2)
Re:Why credit monitoring? (Score:2)
I'm not saying that the user is not responsible when they key private data into a search form, but I think that it is reasonalb
Re:Why credit monitoring? (Score:2)
183
bash$
183 search queries contain well formed SSNs (I'm sure there are hundreds more w/o dashes, etc) (I threw the [0-7] at the beginning because Wikipedia indicates that no SSNs with the first 3 digits over 772 have been issued). I looked at a handful and a lot of those searches contain a lot more than just SSNs, at that.
For example, the below (which I've actually removed the sensitive data from -- it's public, but I
Re:Why credit monitoring? (Score:2)
Tough nookies for Ivan Thompson, though.
Re:Why credit monitoring? (Score:2)
Re:Why credit monitoring? (Score:4, Informative)
YES, many people run their personally identifiable information through a search engine; don't you think that if Google indexed a text file that was a dump of some purloined database on eveilhacker.com you'd want to know about it? For me, for a search engine to turn over search queries is a serious breach of confidence; I could never use Yahoo, MSN, or AOL for anything beyond trivial searches now, and I only use Yahoo for yellowpages skimming at work.
Re:Why credit monitoring? (Score:2)
The term "SSN" was used by only 68 searches - and one referred to a ship.
Numbers of the format "111-11-1111" were searched 191 times. 22 of these searches had names attached. I didn't look in adjacent matches, so some more names might be inferred.
Nine-digit numbers were searched 246 times. I did a quick look-over, and none of these appeared to be SSN's.
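An added example, not code from any commenter in this thread: a pre-release scan of a pseudonymised query log in Python, covering the SSN checks described in the comments above (dashed and bare nine-digit forms) and the earlier point that one identifying query exposes everything filed under the same ID. The log layout, column names and all sample rows are constructed assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample log; every value is invented. The column names are an
# assumed layout for a tab-delimited export (pseudonymous ID, query, time).
SAMPLE_LOG = (
    "AnonID\tQuery\tQueryTime\n"
    "1001\tlocate john doe ssn 123-45-6789\t2006-03-01 10:00:00\n"
    "1001\tcheap flights denver\t2006-03-02 11:00:00\n"
    "1001\t1234 my street 80516 to somewhereelse 80999\t2006-03-03 12:00:00\n"
    "1002\tuss example ssn 571\t2006-03-01 09:00:00\n"
    "1002\tpart number 900-12-3456\t2006-03-04 09:30:00\n"
    "1003\tcredit report 123456789\t2006-03-05 08:00:00\n"
)

# Lookarounds stop matches inside longer digit runs such as phone numbers.
DASHED = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
BARE = re.compile(r"(?<![\d-])(\d{3})(\d{2})(\d{4})(?![\d-])")


def plausible_ssn(match):
    """SSA structural rules: no 000/666/9xx area, no 00 group, no 0000 serial."""
    area, group, serial = match.groups()
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def scan_query(query):
    """Return (redacted query, list of finding labels) for one search string."""
    findings = []
    def redactor(label):
        def substitute(match):
            if not plausible_ssn(match):
                return match.group(0)      # leave part numbers etc. untouched
            findings.append(label)
            return "[REDACTED-SSN]"
        return substitute

    redacted = DASHED.sub(redactor("dashed"), query)
    # Bare nine-digit runs are low confidence and meant for manual review.
    redacted = BARE.sub(redactor("bare"), redacted)
    return redacted, findings


def scan_log(text):
    """Scan a whole export; report which pseudonymous histories are exposed."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    per_id = defaultdict(lambda: {"queries": 0, "flagged": 0})
    rows = []
    for row in reader:
        redacted, findings = scan_query(row["Query"])
        per_id[row["AnonID"]]["queries"] += 1
        per_id[row["AnonID"]]["flagged"] += 1 if findings else 0
        rows.append((row["AnonID"], redacted, findings))
    # One identifying query links every other query filed under the same ID.
    exposed = {aid: s["queries"] for aid, s in per_id.items() if s["flagged"]}
    return rows, dict(per_id), exposed


if __name__ == "__main__":
    for anon_id, total in scan_log(SAMPLE_LOG)[2].items():
        print(f"ID {anon_id}: identifier found, {total} queries linkable")
```

A clean result from a scan like this does not make a log safe to publish: free-text names and street addresses, as in the third sample row, pass straight through it.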
Better question: Why only 1 year of monitoring? (Score:2)