[Dataloss] AOL Takes Down Site With Users' Search Data

blitz blitz at strikenet.kicks-ass.net
Tue Aug 8 02:51:07 EDT 2006


http://www.washingtonpost.com/wp-dyn/content/article/2006/08/07/AR2006080701150_pf.html

AOL Takes Down Site With Users' Search Data
Personal Details Posted in 'Screw-Up'

By Ellen Nakashima
Washington Post Staff Writer
Tuesday, August 8, 2006; D01

AOL issued an apology yesterday for posting on a public Web site 20 
million keyword searches conducted by hundreds of thousands of its 
subscribers from March to May. But the company's admission that it 
made a mistake did little to quell a barrage of criticism from 
bloggers and privacy advocates who questioned the company's security 
practices and said the data breach raised the risk of identity theft.

"This was a screw-up and we're angry and upset about it," the company 
said in a statement. "Although there was no personally-identifiable 
data linked to these accounts, we're absolutely not defending this. 
It was a mistake, and we apologize."

The posted data were similar to what the U.S. Justice Department had 
been seeking when it subpoenaed Internet companies, including AOL, 
last year. AOL complied and handed over search terms that were not 
linked to individuals. Google Inc. fought the subpoena in court and won.

The AOL data was posted at the end of last month on a special AOL Web 
site designed by the company so researchers could learn more about 
how people look for information on the Internet. The company removed 
the data over the weekend when bloggers discovered it.

The Washington Post did not review the full 439-megabyte data set but 
contacted bloggers who had looked at it.

For the posted data, each person using AOL's search engine was 
assigned a unique number to maintain anonymity, the company said. But 
some privacy experts said scrutinizing a user's searches could reveal 
information to help deduce the person's identity.

Michael Arrington, editor of the blog TechCrunch, said some of the 
data contained credit card numbers, Social Security numbers, 
addresses and names.

"People put anything they can think of into the search boxes," he said.

Based on his analysis so far, out of 20 million queries, the number 
that contained sensitive personal financial information such as 
credit card and Social Security numbers is probably "in the hundreds," he said.

"Most people aren't stupid enough to type their Social Security 
numbers in a search engine, but it's definitely enough to make AOL 
look stupid," he said.

Some bloggers said some of the information available included queries 
on how to kill one's spouse and child pornography.

Experts said people search for all sorts of personal data -- 
including their own names -- with the assumption that it will remain private.

"I search on myself," said David H. Holtzman, president of GlobalPOV, 
a blog and consulting firm on privacy and security and author of the 
forthcoming book "Privacy Lost." "Now you think you have a disease or 
you have some emotional issue -- I'm a single parent and I'm always 
looking for things. All of a sudden there's a correlation between my 
name and something very private that I don't expect to have dumped 
all over the Internet."

Kevin Bankston, an attorney with the San Francisco-based Electronic 
Frontier Foundation, said AOL's apology was appreciated but the 
damage had already been done.

"The horse is out of the barn," he said. "The data's out there and 
been copied. This incident highlights the dangers of these companies 
storing so much intimate data about their users."

The mishap was rooted in an effort by AOL to design a Web site aimed 
at helping researchers do their jobs more effectively by including 
AOL open-source data tools, company spokesman Andrew Weinstein said.

A technician posted the data to the site without running them past an 
in-house privacy department, not realizing the implications, 
Weinstein said. An internal investigation is underway to determine 
what happened and how to prevent future occurrences, he said.

However, Weinstein also noted that identifying an individual by 
search terms alone is difficult because someone could have typed in a 
friend's name or address instead of his own. The AOL search network 
had 42.7 million unique visitors in May, so the total data set 
covered 1.5 percent of search users that month. The 20 million search 
records represent about one-third of 1 percent of the total searches 
conducted on the AOL network in that period, the company said.

The data were gleaned from searches conducted by people with AOL user 
accounts in the United States.
