<html>
<body>
<font size=3><b>
<a href="http://www.washingtonpost.com/wp-dyn/content/article/2006/08/07/AR2006080701150_pf.html" eudora="autourl">
http://www.washingtonpost.com/wp-dyn/content/article/2006/08/07/AR2006080701150_pf.html<br>
<br>
</a></font><font size=5>AOL Takes Down Site With Users' Search Data<br>
</b></font><font size=3>Personal Details Posted in 'Screw-Up'<br><br>
</font><font size=2>By Ellen Nakashima<br>
Washington Post Staff Writer<br>
Tuesday, August 8, 2006; D01<br><br>
</font><font size=3>AOL issued an apology yesterday for posting on a
public Web site 20 million keyword searches conducted by hundreds of
thousands of its subscribers from March to May. But the company's
admission that it made a mistake did little to quell a barrage of
criticism from bloggers and privacy advocates who questioned the
company's security practices and said the data breach raised the risk of
identity theft.<br><br>
"This was a screw-up and we're angry and upset about it," the
company said in a statement. "Although there was no
personally-identifiable data linked to these accounts, we're absolutely
not defending this. It was a mistake, and we apologize."<br><br>
The posted data were similar to what the U.S. Justice Department had been
seeking when it subpoenaed Internet companies, including AOL, last year.
AOL complied and handed over search terms that were not linked to
individuals.
<a href="http://financial.washingtonpost.com/custom/wpost/html-qcn.asp?dispnav=business&mwpage=qcn&symb=GOOG&nav=el">
Google Inc.</a> fought the subpoena in court and won.<br><br>
The AOL data was posted at the end of last month on a special AOL Web
site designed by the company so researchers could learn more about how
people look for information on the Internet. The company removed the data
over the weekend when bloggers discovered it.<br><br>
The Washington Post did not review the full 439-megabyte data set but
contacted bloggers who had looked at it.<br><br>
For the posted data, each person using AOL's search engine was assigned a
unique number to maintain anonymity, the company said. But some privacy
experts said scrutinizing a user's searches could reveal information to
help deduce the person's identity.<br><br>
Michael Arrington, editor of the blog TechCrunch, said some of the data
contained credit card numbers, Social Security numbers, addresses and
names.<br><br>
"People put anything they can think of into the search boxes,"
he said.<br><br>
Based on his analysis so far, out of 20 million queries, the number that
contained sensitive personal financial information such as credit card
and Social Security numbers is probably "in the hundreds," he
said.<br><br>
"Most people aren't stupid enough to type their Social Security
numbers in a search engine, but it's definitely enough to make AOL look
stupid," he said.<br><br>
Some bloggers said some of the information available included queries on
how to kill one's spouse and child pornography.<br><br>
Experts said people search for all sorts of personal data -- including
their own names -- with the assumption that it will remain
private.<br><br>
"I search on myself," said David H. Holtzman, president of
GlobalPOV, a blog and consulting firm on privacy and security and author
of the forthcoming book "Privacy Lost." "Now you think you
have a disease or you have some emotional issue -- I'm a single parent
and I'm always looking for things. All of a sudden there's a correlation
between my name and something very private that I don't expect to have
dumped all over the Internet."<br><br>
Kevin Bankston, an attorney with the San Francisco-based Electronic
Frontier Foundation, said AOL's apology was appreciated but the damage
had already been done.<br><br>
"The horse is out of the barn," he said. "The data's out
there and been copied. This incident highlights the dangers of these
companies storing so much intimate data about their users."<br><br>
The mishap was rooted in an effort by AOL to design a Web site aimed at
helping researchers do their jobs more effectively by including AOL
open-source data tools, company spokesman Andrew Weinstein said.<br><br>
A technician posted the data to the site without running them past an
in-house privacy department, not realizing the implications, Weinstein
said. An internal investigation is underway to determine what happened
and how to prevent future occurrences, he said.<br><br>
However, Weinstein also noted that identifying an individual by search
terms alone is difficult because someone could have typed in a friend's
name or address instead of his own. The AOL search network had 42.7
million unique visitors in May, so the total data set covered 1.5 percent
of search users that month. The 20 million search records represent about
one-third of 1 percent of the total searches conducted on the AOL network
in that period, the company said.<br><br>
The data were gleaned from searches conducted by people with AOL user
accounts in the United States.<br>
</font></body>
<br />--
<br />This message has been scanned for viruses and
<br />dangerous content by
<a href="http://www.mailscanner.info/"><b>MailScanner</b></a>, and is
<br />believed to be clean.
</html>