Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

EFF Files Complaint with FTC Over AOL Data Leak

Posted by Zonk on Tue Aug 15, 2006 03:20 PM
from the little-tighter-with-those-pipes-please dept.
America Online Security
Quincy A. writes "Last week's exposure of search data on over 500,000 AOL users was a gigantic embarrassment for the company. It may be about to get worse, as the EFF has filed a complaint with the FTC over the incident. 'Citing AOL's own Network Privacy Policy, the EFF says that the company failed to "implement reasonable and appropriate measures to protect personal consumer information from public disclosure."' Among other things, the complaint asks AOL to notify all users affected by the data disclosure via certified mail and provide free credit monitoring for a year."
+ -
story

Related Stories

[+] Your Rights Online: AOL, Netflix and the End of Open Research 85 comments
An anonymous reader writes "In 2006, heads rolled at AOL after the company released anonymized logs of user searches. With last week's announcement that researchers had been able to learn the identities of users in the scrubbed Netflix dataset, could the days of companies sharing data with academic researchers be numbered? Shortly after the AOL incident, Google's Eric Schmidt called the data release 'a terrible thing,' and assured the public that 'this kind of thing could not happen at Google.' Will any high tech company ever take this kind of chance again? If not, how will this impact research and and the development of future technologies that could have come from the study of real data?"
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

EFF Files Complaint with FTC Over AOL Data Leak 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.
  • I'm happy that AOL will be help *somewhat* accountable.

    • Re:While I am surprised the EFF took the case (Score:2, Insightful)

      by Anonymous Coward
      It is a good thing they'll face at least some minor repercussions, but it's a far cry from what should happen. At the minimum, AOL should be proscribed from logging this information in the future. More fairly, AOL should be forced to pay a hefty sum to each of its customers and be proscribed from logging the information again.

      Neither of these things will happen, though. AOL will keep spying on its customers and selling the information, future customers will not be notified of this fact except perhaps in

    • Re:While I am surprised the EFF took the case (Score:2, Insightful)

      by Anonymous Coward
      As slashbots, I imagine it's safe to say that we're not fond of AOL nor AOLers to begin with, and that's ok. Part of me wants to cite Chuck Darwin on this one, but I also understand that if it could happen at AOL, it may happen elsewhere. That's why I'm cheering the EFF on -- to send the message to every other ISP/search engine out there who doesn't get it yet. The privacy of your customers is very important.

      I must admit some of that data (if it weren't tied to ID's) could make for good sociology/psychol
      • The problem is that it is the searches which are revealing. It isn't possible to release complete search data AND protect privacy of all users because people search for things that are important to them, i.e., the searches are self revealing. That's why replacing usernames with a numerical identifier was so ineffectual for so many users.

        As an aside, I imported the data into a mysql database. I've never messed with that much data before and it was a good learning experience with respect to grep, awk, and sed and converting the tab deliminated files into something I could import into mysql. I do wonder however, if there is a way to just import the tab deliminated file without adding "insert" to lines and escaping the ' ( ) and ; characters that appear in the data. Any experts have a hint? On my athlon 2200+ with 512mb of ram, each search of the data takes about a minute to complete. It's actually faster to just grep for lower numbered userids and then kill grep once the output shows.

    • Re:While I am surprised the EFF took the case (Score:4, Insightful)

      by deviantphil (543645) on Tuesday August 15 2006, @03:39PM (#15913485)

      The accountability they take in the future might be less than inspiring. From the article:

      It is certain that AOL will vigorously contest the EFF's complaint, with the linchpin of its defense being that the whole thing was a horrible idea from AOL's new research unit that will never be repeated. Unfortunately, horrible ideas can have real-world ramifications, and even though AOL is "deeply sorry" and swears it will never happen again, there need to be some safeguards in place to prevent a recurrence.

      I wonder what would happen to a murder defendant that tried to use that defense. "I'm sorry your Honor....my left hand pulled the trigger without my permission. It won't happen again! I promise!

      Bottom line, respondeat superior [cch.com] says it is their unit, their employees, THE COMPANY is responsible.



  • with all the hype around personal privacy laws, and elections coming up this is a bad time for AOL. Nuff said though as they are in my opinion, the originators of spam, and the selling of customer information to data miners

  • Why do they even have this stuff? (Score:5, Insightful)

    by Skadet (528657) on Tuesday August 15 2006, @03:28PM (#15913325) Homepage
    Among the list of remedies proposed by the EFF include [...] hav[ing] the FTC bar [AOL] from storing users' search activities "except where necessary... to the rendition of AOL's services or the protection of AOL rights and property." At most, AOL should only be allowed to keep 14 days' worth of data, argues the EFF.
    Why do they keep such logs, anyway? If it's to help tailor results better, or to help sell advertising, then why is it correlated with a user ID? My company, for example, saves a keyword search history, but there is no user-identfiable information correlated with it. And it's plenty of information for our needs.

    If nothing else, it's a terrible, terrible reminder that no matter where you are, no matter what you're searching for, someone could be watching.

    • Re:Why do they even have this stuff? (Score:4, Insightful)

      by DerGeist (956018) on Tuesday August 15 2006, @03:47PM (#15913580)
      More like someone is watching.

      This user-search crap is an advertising goldmine. The internet is so vast and intricate that you need a search engine to find just about anything (unless you happen to enjoy posting to random forums in hopes for a response...in a few days or so).

      But when you search, it says something about you personally. Just like when you buy things at the grocery store (don't forget to use your Super Shopper Saver Discount Card, Mister 60917492!) searching online indicates what you are interested in and what you're likely to buy in the future. By hopefully pegging your wants, desires, hobbies, interests, tastes and preferences into a conveniently distributable file advertisers hope to beam you laser-targetted ads for crap that you (and only you) will simply HAVE to buy in order to feel complete as a human being.

      Without the personal identiciation, they can't hope to learn every intricate detail of your life in order to suck more of your money from your pockets (or packets, as the case may be :-). *ducks*

    • I regularly google for

      "1234 My Street, 80516 to somewhereelse, 80999"

      in order to get driving directions.

      If I were up to something nefarious then it would probably be quite obvious. Although i'm not up to anything and don't really care.

    • Re:Why do they even have this stuff? (Score:5, Interesting)

      by pclminion (145572) on Tuesday August 15 2006, @04:25PM (#15914037)

      Why do they keep such logs, anyway? If it's to help tailor results better, or to help sell advertising, then why is it correlated with a user ID? My company, for example, saves a keyword search history, but there is no user-identfiable information correlated with it. And it's plenty of information for our needs.

      First, the search database doesn't list AOL user IDs. It lists "unique IDs" for each user, but they are not correlated to whatever AOL's internal "User ID" is. But to assume that sanitizing the data by changing or completely removing user IDs will make people safe is boneheaded.

      Let's start with a grep for social security numbers. I've blipped out the actual numbers themselves, but that's not much help for these poor folks, since anybody can get their hands on the database:

      • find robert williams akron oh 44306 XXX-XX-XXXX
      • birth certificate for debra ann collins 1-28-59 ss XXX-XX-XXXX
      • locate keith ivan thompson born 3 may 64 social security XXX-XX-XXXX last address was XXXXXX colorado
      • kristy nicole vega hammond la. social secruity number XXX-XX-XXXX birth date 03 08 81 drivers license number la. XXXXXXXXX address XXXXXXXX.

      Moving on, check out this fascinating query:

      • all i can say is you looked amazing in that photo. i would love to get achanceto know you. expect a call from me soon. are you looking for a friend or a companian just for future reference

      Looks like somebody accidentally copy-pasted a portion of their private communication (email or IM, perhaps) into the search query box and clicked "Submit." Now their private thoughts are available for all to see. You'd be AMAZED at the stuff you'll find in these logs. The idea that by removing usernames/IDs from data is "instant sanitization" is naive and dangerous. There is more than enough information in many of these queries to identify specific individuals and examine EVERYTHING they have searched for in the past 6 months.

      (I do question the sanity and intelligence of some of the people who submitted queries like the ones above, but ultimately this is not their fault.)

    • This type of thing gives me more reason to sign up with an anonymous proxy/vpn. Something like https://www.relakks.com/?lang=eng [relakks.com] . I think the $5 to $10 a month would be worth it. No corporate reporting, no advertising scheming, and no identifying IP. Has anyone had luck with a private proxy/vpn?

  • I've been meaning to make a donation. (Score:5, Informative)

    by Anonymous Coward on Tuesday August 15 2006, @03:28PM (#15913328)
    While I'm demonstrating my support, I thought I'd suggest some of you do the same.

    Have you shown your support? EFF [eff.org]

  • Donate to these people (Score:5, Insightful)

    by MobyDisk (75490) on Tuesday August 15 2006, @03:28PM (#15913329) Homepage
    <soapbox>
    The EFF is the "stop 1984 from happening" fund. If you read Slashdot, you know why you should be a member.
    </soapbox>
  • At least they provided a good 20 minutes of entertainment for me this morning :)

    www.somethingawful.com/index.php?a=4016
  • I wonder whether AOL could be enjoined from collecting any personal data about users until this case is decided?

  • I wonder (Score:3, Interesting)

    by LiquidCoooled (634315) on Tuesday August 15 2006, @03:31PM (#15913369) Homepage Journal
    Even if this *doesn't* get through court, could an AOL customer ask AOL for their export ID number?

    Is the ID number we have all grown to know an integral part of every AOL account?
    Does AOL even know who user 17556639 actually is or was it generated automatically and then lost in the data export?

    • From the .txt file that comes with the data:

      "The data is sorted by anonymous user ID and sequentially arranged."

      AOL probably doesn't have a direct maping of anonymous ID -> AOL user ID. Of course, they have the original data, and as such, could work it out trivially.

  • EFF Can't Do It Alone!!! (Score:3, Interesting)

    by pfz (965654) on Tuesday August 15 2006, @03:43PM (#15913525) Homepage
    They need your help!

    Watch EFF attorney Jason Schultz tear the roof off in the new documentary, ALTERNATIVE FREEDOM. Maybe you will learn something or be able to show your friends and then we can all make sure digital rights are always kept in mind...

    http://alternativefreedom.org/ [alternativefreedom.org]

  • I'm not saying that in any way AOL users "deserved" this -- nobody does. No matter what or how much information you a company has about you, whether it be your net searches or how filthy your carpets are, you expect the company that holds this information to keep it private.

    However, why in the world would you go with a company like AOL that has so many recorded existing problems that could be discovered with a modicum of research? Unfortunately, it seems much like U-Haul being one of/the biggest moving va

  • Relief doesn't match mistake (Score:5, Informative)

    by dysk (621566) on Tuesday August 15 2006, @04:01PM (#15913779)
    Yes, AOL made a mistake by releasing that information. They've admitted to the mistake, apologized, and I doubt anyone will try to do this again.

    On the other hand, one needs to recognize that they didn't release the information for the purposes of making money, or defrauding the customers, or anything else. They collected the data in order to help a researcher write an extremely informative paper[pdf] [iit.edu] about human behavior as it relates to searches. That researcher decided that other's might benefit from the information, and convinced AOL to make it publically available. It turns out that that was a huge lapse in judgement, but nonetheless, intentions are also important and while criticizing AOL, we should also complement them for their effort to interface with the academic community.

    AOL has been punished enough in the press. Given the circumstances I don't think that any legal action is necessary.

    • >AOL has been punished enough in the press. Given the circumstances I don't think that any legal action is necessary.

      Others are of the opinion that the people responsible should spend decades in prision, and that the company should pay fines and restitution at the kinds of levels that would reduce them from a multi-billion-dollar-corporation to a startup looking for venture capital.

      Somehwere in between that extreme and yours, there will be some appropriate consequences.
  • It was a very strange thing for AOL to release that search history. Out of the blue, they suddenly announce they are giving away some of their data. Why did they do this? They must have had a reason. The only thing I can think of off hand is they needed a way to make the information public so it could be used legally by law enforcement?

    • Out of the blue, they suddenly announce they are giving away some of their data.

      It's probably somewhere in their TOS (I haven't read it and don't care to/have time to) that they don't have to ask anyone's permission to "share" their "non-personally-identifiable information" with their "partners" (just to coin a few phrases from various TOS's and EULA's and CYA's I have bothered to read over the years...) but it would've been nice if they had announced they were planning to release a subset of their logs,

  • Among other things, the complaint asks AOL to notify all users affected by the data disclosure via certified mail and provide free credit monitoring for a year."

    AOL probably -CAN'T- notify the users, because they probably didn't keep the username->ID# mapping.

  • I don't want certified mail (Score:3, Interesting)

    by dysk (621566) on Tuesday August 15 2006, @04:16PM (#15913925)
    the complaint asks AOL to notify all users affected by the data disclosure via certified mail
    Unless I'm being sued or in immediate legal danger, I don't want to get any certified mail. When I do, I have to interrupt my work day and drive 10 miles over questionable roads to the post office. The fact that some of my searches may have been leaked without my name on them is not a reason to send a certified letter, however an insert in my next bill would be completely reasonable.

    The EFF has good intentions, but in this case they are going overboard.

  • Some weird people in the world, that's for sure (Score:3, Funny)

    by Anonymous Coward on Tuesday August 15 2006, @04:18PM (#15913945)
    For example:

    select * from aolsearches where anonid = 3620882;

    yields a very strange individual... some brief examples (shortened for brevity... it's MUCH longer than this):

    | 3620882 | bank robber hide-outs                       | 2006-03-01 22:22:04 |
    | 3620882 | male sissy panty stories                    | 2006-03-01 22:35:41 |
    | 3620882 | big bosom mothers                           | 2006-03-01 22:47:58 |
    | 3620882 | sissy nightgown training                    | 2006-03-02 11:46:49 |
    | 3620882 | special female training of sissy men        | 2006-03-02 17:16:24 |
    | 3620882 | tight laced girdles                         | 2006-03-05 12:33:09 |
    | 3620882 | baptist church directory                    | 2006-03-07 18:56:13 |
    | 3620882 | pink panty discipline                       | 2006-03-07 19:41:53 |
    | 3620882 | old curvy women                             | 2006-03-10 12:38:47 |
    | 3620882 | independent baptist church directory        | 2006-03-12 11:45:44 |
    | 3620882 | westboro baptist church                     | 2006-03-23 13:51:49 |
    | 3620882 | baptist college directory                   | 2006-03-25 19:44:22 |
    | 3620882 | adult diaper parties                        | 2006-04-04 13:51:30 |
    | 3620882 | colorado mining claims for sale             | 2006-04-16 13:00:25 |
    | 3620882 | husbands that are sissy                     | 2006-04-28 20:13:11 |
    | 3620882 | very large bosoms                           | 2006-05-18 21:38:57 |
    | 3620882 | how to make gun silencers                   | 2006-05-20 12:45:00 |
    | 3620882 | male maid training                          | 2006-05-30 12:15:49 |

    Really, I think of myself as a pretty tolerant person, but this seriously makes me wonder what kind of weird individuals roam this planet.

    • Re:So EFF stands for the free exchange of informat (Score:4, Informative)

      by Recovering Hater (833107) on Tuesday August 15 2006, @03:30PM (#15913360)
      No, troll. From their main page : "What is EFF? EFF is a nonprofit group of passionate people -- lawyers, technologists, volunteers, and visionaries -- working to protect your digital rights.

    • Re:So EFF stands for the free exchange of informat (Score:5, Insightful)

      by megaditto (982598) on Tuesday August 15 2006, @03:44PM (#15913537)
      The Government and the Corporations do not have a Constitutional right to privacy.

      Hence all consumer (people) data must be treated as private by default, whereas the Government data must be treated as inherently public.

      The EFF opposes the recent drive to turn this principle inside-out.

      • Re:So EFF stands for the free exchange of informat (Score:4, Interesting)

        by Coppit (2441) on Tuesday August 15 2006, @05:42PM (#15914807) Homepage
        The Government and the Corporations do not have a Constitutional right to privacy.

        Newsflash: neither do citizens. The closest the constitution comes is this:

        "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

        So your search history is fair game, as long as its not being used for searches and seizures. I get spam to an address I used for a Western Digital hard drive rebate. My neighbors kids get credit card offers after someone bought a kids magazine in their name. Privacy in the US is a joke compared to the strong laws in some countries (Germany IIRC is a good example).

    • Why should AOL have to provide free credit monitoring? Did the search information include Social Secuirity Numbers, home addresses, mother's maiden name (and identifiable as such), PINs, or some other sort of data that could be used to affect someone's credit report? If not, then what reason is there to ask for credit monitoring?


      Really have you not heard about this? The data absolutely did contain exactly this sort of data.
      • Heh, yeah. I searched it last night with some crude perl regexes. There were a bunch of full names and SSNs in the same search. One funny thing I kept finding was a search like:

        "locate John L. Smith last address 123 Main Street, Houston, Texas social security number 123-45-6789"

        Like AOL was some magic person finding machine. I kept thinking Star Trek, "Computer: Locate ..."
      • If the data contained all of this, then so do the referrer logs of millions of webservers that get redirects from Google, AOL, Yahoo, you name it. This case highlights the sheer idiotic stupidity of users in the first place, typing their own personal information into a BOX on a SCREEN they *know* is connected to the internet, and expecting the data to remain 'secret'. Idiots, the lot of them. Im not saying AOL should be exonerated from all wrongdoing, but users have to take some blame for this themselves
        • Right, as if anyones to know that AOL would do this. Yes, AOL is a complete pile of shit for a company, but this was unexpected. You cannot blaim these people, I feel for each one of them.

    • Re:Why credit monitoring? (Score:4, Informative)

      by budgenator (254554) on Tuesday August 15 2006, @03:49PM (#15913610) Journal
      Did the search information include Social Secuirity Numbers, home addresses, mother's maiden name (and identifiable as such), PINs, or some other sort of data that could be used to affect someone's credit report?
      YES, many people run their personaly identifiable information through a search engine; don't you think that if google indexed a text file that was a dump of some perloined database on eveilhacker.com you'd want to know about it? For me for a search engine to turn over search queries is serious breach of confidence; I could never use Yahoo, MSN, or AOL for anything beyond trivial searches now, and I only use yahoo for yellowpages skimming at work.
      • I ran a quick check:

        The term "SSN" was used by only 68 searches - and one referred to a ship.
        Numbers of the format "111-11-1111" were searched 191 times. 22 of these searches had names attached. I didn't look in adjacent matches, so some more names might be inferred.
        Nine-digit numbers were searched 246 times. I did a quick look-over, and none of these appeared to be SSN's.
    • Some possibilities I can think of are:
      1. They think all AOL users will change their SSN's (or will have time to change them) within that time.
      2. They think the spammers and identity thieves will forget all those juicy tidbits within that time.
      3. They figure anyone lame enough to use AOL in the first place would probably give away their identity anyway within a calendar year, so there's no need setting a precedent.
      My money's on #3.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.