Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

EFF Files Complaint with FTC Over AOL Data Leak

Zonk posted more than 7 years ago | from the little-tighter-with-those-pipes-please dept.

114

Quincy A. writes "Last week's exposure of search data on over 500,000 AOL users was a gigantic embarrassment for the company. It may be about to get worse, as the EFF has filed a complaint with the FTC over the incident. 'Citing AOL's own Network Privacy Policy, the EFF says that the company failed to "implement reasonable and appropriate measures to protect personal consumer information from public disclosure."' Among other things, the complaint asks AOL to notify all users affected by the data disclosure via certified mail and provide free credit monitoring for a year."

cancel ×

114 comments

Sorry! There are no comments related to the filter you selected.

While I am surprised the EFF took the case (4, Interesting)

umm qasr (72190) | more than 7 years ago | (#15913234)

I'm happy that AOL will be help *somewhat* accountable.

Re:While I am surprised the EFF took the case (1)

kkiller (945601) | more than 7 years ago | (#15913405)

I agree, although I'd prefer it if they were being held accountable :-P

Re:While I am surprised the EFF took the case (0, Offtopic)

umm qasr (72190) | more than 7 years ago | (#15913532)

Yeah. Typo corrections are funny.

Re:While I am surprised the EFF took the case (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#15913411)

gsf bitches

Re:While I am surprised the EFF took the case (0)

Anonymous Coward | more than 7 years ago | (#15913472)

gsf bitches2

Re:While I am surprised the EFF took the case (0)

Anonymous Coward | more than 7 years ago | (#15913579)

gsf bitches3

Re:While I am surprised the EFF took the case (2, Insightful)

Anonymous Coward | more than 7 years ago | (#15913439)

It is a good thing they'll face at least some minor repercussions, but it's a far cry from what should happen. At the minimum, AOL should be proscribed from logging this information in the future. More fairly, AOL should be forced to pay a hefty sum to each of its customers and be proscribed from logging the information again.

Neither of these things will happen, though. AOL will keep spying on its customers and selling the information, future customers will not be notified of this fact except perhaps in some microscopic-print contract term, and in a few weeks almost everyone will have forgotten.

Re:While I am surprised the EFF took the case (1)

Dog-Cow (21281) | more than 7 years ago | (#15915683)

How is it "spying" when all the data collected is submited to AOL by the users to be used as search terms? They aren't recording anything not sent to them on purpose by the users. That's like saying it's spying to save emails people send you.

But I know, it's trendy to bash AOL for the hell of it.

Re:While I am surprised the EFF took the case (2, Insightful)

Anonymous Coward | more than 7 years ago | (#15913480)

As slashbots, I imagine it's safe to say that we're not fond of AOL nor AOLers to begin with, and that's ok. Part of me wants to cite Chuck Darwin on this one, but I also understand that if it could happen at AOL, it may happen elsewhere. That's why I'm cheering the EFF on -- to send the message to every other ISP/search engine out there who doesn't get it yet. The privacy of your customers is very important.

I must admit some of that data (if it weren't tied to ID's) could make for good sociology/psychology papers.

Re:While I am surprised the EFF took the case (3, Insightful)

anagama (611277) | more than 7 years ago | (#15913863)

The problem is that it is the searches which are revealing. It isn't possible to release complete search data AND protect privacy of all users because people search for things that are important to them, i.e., the searches are self revealing. That's why replacing usernames with a numerical identifier was so ineffectual for so many users.

As an aside, I imported the data into a mysql database. I've never messed with that much data before and it was a good learning experience with respect to grep, awk, and sed and converting the tab deliminated files into something I could import into mysql. I do wonder however, if there is a way to just import the tab deliminated file without adding "insert" to lines and escaping the ' ( ) and ; characters that appear in the data. Any experts have a hint? On my athlon 2200+ with 512mb of ram, each search of the data takes about a minute to complete. It's actually faster to just grep for lower numbered userids and then kill grep once the output shows.

Re:While I am surprised the EFF took the case (2, Informative)

Neil Blender (555885) | more than 7 years ago | (#15914095)

If the file has say, 5 columns that are tab delimited - make a table with five columns of the appropriate type

Then use this statement:

load data infile '/path/to/file/file.txt' into table name_of_table;

Tab delimited is the default delimiter for that statement but you can change it.

And as someone who regularly works with this amount of data - dump grep, sed and awk and learn Perl. It is way, way faster and is exactly the tool for this kind of job. Oh, and put an index on your search term column.

Re:While I am surprised the EFF took the case (1)

anagama (611277) | more than 7 years ago | (#15914189)

thanks to you both -- I'll definitely take your hints.

Re:While I am surprised the EFF took the case (1)

fishbowl (7759) | more than 7 years ago | (#15914052)


>I must admit some of that data (if it weren't tied to ID's) could make for good sociology/psychology papers.

And the data should be treated precisely the same as psych experiments on human subjects, because that is exactly what it is. If you have never tried to do a research project involving human subjects in your experiments, you probably don't realize the hoops you have to jump through or the accountability you are required to take.

By "experiments", I mean, even getting permission to present a slide show to a group and ask them questions, that sort of thing.

Re:While I am surprised the EFF took the case (4, Insightful)

deviantphil (543645) | more than 7 years ago | (#15913485)

The accountability they take in the future might be less than inspiring. From the article:

It is certain that AOL will vigorously contest the EFF's complaint, with the linchpin of its defense being that the whole thing was a horrible idea from AOL's new research unit that will never be repeated. Unfortunately, horrible ideas can have real-world ramifications, and even though AOL is "deeply sorry" and swears it will never happen again, there need to be some safeguards in place to prevent a recurrence.

I wonder what would happen to a murder defendant that tried to use that defense. "I'm sorry your Honor....my left hand pulled the trigger without my permission. It won't happen again! I promise!

Bottom line, respondeat superior [cch.com] says it is their unit, their employees, THE COMPANY is responsible.

AOL did the world a big service in this one (1, Insightful)

Anonymous Coward | more than 7 years ago | (#15913941)

Before AOL did this I think only the most extreme privacy advocates cared about what the major search engines were storing about them. Now, I think everyone does.


While I feel sorry for the specific individuals that AOL abused, this was probably a good thing in the long term for the privacy of the rest of internet users everywhere.

AOL issues a press release: (0, Offtopic)

Anonymous Coward | more than 7 years ago | (#15913236)

OMGWTFBBQ!

Re:AOL issues a press release: (1)

SuperBanana (662181) | more than 7 years ago | (#15913818)

OMGWTFBBQ!

I was thinking more along the lines of "LOS GTG!!1"

(Lawyers Over Shoulder.)

Re:AOL issues a press release: (1)

MMC Monster (602931) | more than 7 years ago | (#15913823)

Oh My God, What The F?ck, Bar-B-Q???

I thought so too, but it's really (1)

Benanov (583592) | more than 7 years ago | (#15913938)

Be Back Quickly

Re:I thought so too, but it's really (1)

HTH NE1 (675604) | more than 7 years ago | (#15914852)

Be Back Quickly

Oh!

Uhm...

Nah, I like barbecue better. It's funnier, in a kinda cannibalistic way.

slogan (-1)

MrSquirrel (976630) | more than 7 years ago | (#15913267)

AOL's new slogan: "Whoopsie-doodles!"

bad for aol, good for aol. (1)

Brigadier (12956) | more than 7 years ago | (#15913293)



with all the hype around personal privacy laws, and elections coming up this is a bad time for AOL. Nuff said though as they are in my opinion, the originators of spam, and the selling of customer information to data miners

Looks great but (0, Offtopic)

BeoCluster (995566) | more than 7 years ago | (#15913301)

Can I make a Beowulf Cluster of these search queries ?

So EFF stands for the free exchange of information (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#15913311)

Except when it's information they don't like?

Re:So EFF stands for the free exchange of informat (4, Informative)

Recovering Hater (833107) | more than 7 years ago | (#15913360)

No, troll. From their main page : "What is EFF? EFF is a nonprofit group of passionate people -- lawyers, technologists, volunteers, and visionaries -- working to protect your digital rights.

Re:So EFF stands for the free exchange of informat (0)

Anonymous Coward | more than 7 years ago | (#15913418)

100% Troll.
Yes, people are for things they like, and against things they don't like.
What's your point?

Re:So EFF stands for the free exchange of informat (4, Insightful)

megaditto (982598) | more than 7 years ago | (#15913537)

The Government and the Corporations do not have a Constitutional right to privacy.

Hence all consumer (people) data must be treated as private by default, whereas the Government data must be treated as inherently public.

The EFF opposes the recent drive to turn this principle inside-out.

Re:So EFF stands for the free exchange of informat (3, Interesting)

Coppit (2441) | more than 7 years ago | (#15914807)

The Government and the Corporations do not have a Constitutional right to privacy.

Newsflash: neither do citizens. The closest the constitution comes is this:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

So your search history is fair game, as long as its not being used for searches and seizures. I get spam to an address I used for a Western Digital hard drive rebate. My neighbors kids get credit card offers after someone bought a kids magazine in their name. Privacy in the US is a joke compared to the strong laws in some countries (Germany IIRC is a good example).

Why do they even have this stuff? (4, Insightful)

Skadet (528657) | more than 7 years ago | (#15913325)

Among the list of remedies proposed by the EFF include [...] hav[ing] the FTC bar [AOL] from storing users' search activities "except where necessary... to the rendition of AOL's services or the protection of AOL rights and property." At most, AOL should only be allowed to keep 14 days' worth of data, argues the EFF.
Why do they keep such logs, anyway? If it's to help tailor results better, or to help sell advertising, then why is it correlated with a user ID? My company, for example, saves a keyword search history, but there is no user-identfiable information correlated with it. And it's plenty of information for our needs.

If nothing else, it's a terrible, terrible reminder that no matter where you are, no matter what you're searching for, someone could be watching.

Re:Why do they even have this stuff? (3, Insightful)

DerGeist (956018) | more than 7 years ago | (#15913580)

More like someone is watching.

This user-search crap is an advertising goldmine. The internet is so vast and intricate that you need a search engine to find just about anything (unless you happen to enjoy posting to random forums in hopes for a response...in a few days or so).

But when you search, it says something about you personally. Just like when you buy things at the grocery store (don't forget to use your Super Shopper Saver Discount Card, Mister 60917492!) searching online indicates what you are interested in and what you're likely to buy in the future. By hopefully pegging your wants, desires, hobbies, interests, tastes and preferences into a conveniently distributable file advertisers hope to beam you laser-targetted ads for crap that you (and only you) will simply HAVE to buy in order to feel complete as a human being.

Without the personal identiciation, they can't hope to learn every intricate detail of your life in order to suck more of your money from your pockets (or packets, as the case may be :-). *ducks*

Re:Why do they even have this stuff? (0)

Anonymous Coward | more than 7 years ago | (#15913625)

Simple. It's called directed advertising. AOL not only has demographics on all their customers (age, gender, geographic location, etc.) but they can also correlate their personal interests by matching search terms with that data.

Even search terms could be a risk (1)

grahamsz (150076) | more than 7 years ago | (#15913642)

I regularly google for

"1234 My Street, 80516 to somewhereelse, 80999"

in order to get driving directions.

If I were up to something nefarious then it would probably be quite obvious. Although i'm not up to anything and don't really care.

Re:Even search terms could be a risk (1)

russ1337 (938915) | more than 7 years ago | (#15913853)

you should only enter your zip as your starting address, for this very reason. (you should know your way around your zip, right?

Re:Even search terms could be a risk (2, Insightful)

Intron (870560) | more than 7 years ago | (#15914294)

Google already knows where you live and has a satellite picture of your house. They can even tell which computer behind your NAT is making each search, based on the cookies that they leave on your computer.

Re:Even search terms could be a risk (1)

man_ls (248470) | more than 7 years ago | (#15914695)

I guess it doesn't help matters that I let them track every search I make and give it to me in a nice history organized by search term, and which links I clicked on below it.

I like having tons of information about myself available, even if it means it's available to someone else as well. The important difference here is that I'm making the informed decision to vacate some of my privacy in exchange for some data mining done for me on my behalf, rather than my privacy being violated without any choice in the matter on my end.

Re:Why do they even have this stuff? (5, Interesting)

pclminion (145572) | more than 7 years ago | (#15914037)

Why do they keep such logs, anyway? If it's to help tailor results better, or to help sell advertising, then why is it correlated with a user ID? My company, for example, saves a keyword search history, but there is no user-identfiable information correlated with it. And it's plenty of information for our needs.

First, the search database doesn't list AOL user IDs. It lists "unique IDs" for each user, but they are not correlated to whatever AOL's internal "User ID" is. But to assume that sanitizing the data by changing or completely removing user IDs will make people safe is boneheaded.

Let's start with a grep for social security numbers. I've blipped out the actual numbers themselves, but that's not much help for these poor folks, since anybody can get their hands on the database:

  • find robert williams akron oh 44306 XXX-XX-XXXX
  • birth certificate for debra ann collins 1-28-59 ss XXX-XX-XXXX
  • locate keith ivan thompson born 3 may 64 social security XXX-XX-XXXX last address was XXXXXX colorado
  • kristy nicole vega hammond la. social secruity number XXX-XX-XXXX birth date 03 08 81 drivers license number la. XXXXXXXXX address XXXXXXXX.

Moving on, check out this fascinating query:

  • all i can say is you looked amazing in that photo. i would love to get achanceto know you. expect a call from me soon. are you looking for a friend or a companian just for future reference

Looks like somebody accidentally copy-pasted a portion of their private communication (email or IM, perhaps) into the search query box and clicked "Submit." Now their private thoughts are available for all to see. You'd be AMAZED at the stuff you'll find in these logs. The idea that by removing usernames/IDs from data is "instant sanitization" is naive and dangerous. There is more than enough information in many of these queries to identify specific individuals and examine EVERYTHING they have searched for in the past 6 months.

(I do question the sanity and intelligence of some of the people who submitted queries like the ones above, but ultimately this is not their fault.)

Re:Why do they even have this stuff? (1)

planckscale (579258) | more than 7 years ago | (#15914118)

This type of thing gives me more reason to sign up with an anonymous proxy/vpn. Something like https://www.relakks.com/?lang=eng [relakks.com] . I think the $5 to $10 a month would be worth it. No corporate reporting, no advertising scheming, and no identifying IP. Has anyone had luck with a private proxy/vpn?

I've been meaning to make a donation. (5, Informative)

Anonymous Coward | more than 7 years ago | (#15913328)

While I'm demonstrating my support, I thought I'd suggest some of you do the same.

Have you shown your support? EFF [eff.org]

Re:I've been meaning to make a donation. (1)

disc-chord (232893) | more than 7 years ago | (#15913354)

They got some nice swag now for donating.

Suck it, PBS!

Re:I've been meaning to make a donation. (1)

verbatin01 (995609) | more than 7 years ago | (#15915257)

They also let a lot of stupid things happen, like not enforcing .xxx extensions on porn sites. That's something that would only make it easier for people to limit content when they don't feel that it's appropriate in a given situation. In my book, that's appropriate. Of course, that's not what the EFF is about, is it? How can I say that, right?! The EFF is all about the rights of others? Rights are a double-edge sword - everybody that made it out of high school understands that. You can't allow unlimited freedom without screwing over somebody else in the end. So just remember that - the EFF is NOT all about protecting your freedom.

Donate to these people (4, Insightful)

MobyDisk (75490) | more than 7 years ago | (#15913329)

<soapbox>
The EFF is the "stop 1984 from happening" fund. If you read Slashdot, you know why you should be a member.
</soapbox>

Re:Donate to these people (4, Insightful)

avalys (221114) | more than 7 years ago | (#15913419)

Don't forget the ACLU.

Electronic freedom is nice, but freedom in the real world is all that matters in the end.

Your 'real world' doesn't include electronic data? (2, Insightful)

geekotourist (80163) | more than 7 years ago | (#15914005)

Perhaps you're confused by the name "Electronic Frontier Foundation"?
  • the "Electronic Frontier" is woven into everyone's life: what happens electronically can be more real, longer lasting, than any real-world event, and
  • "Foundation" doesn't mean the same as "Bill & Melinda Gates Foundation" (it can buy countries), or the "Ford Foundation" (it can casually sponsor a year of PBS). The EFF, unless it wins the trillion-dollar lawsuit, is a small donor-supported non-profit.
  • And in some cases, the ACLU doesn't do as well [slashdot.org] . The EFF's AT&T lawsuit is still going strong [slashdot.org] . The EFF filed in January to get that amazing 'not automatically dismissed on state secrets' ruling. I admit I'm biased- I know people there and am a supporter- but damn, they're good.
Consider warrantless searches. [eff.org] In your 'real world,' a set of police can only do a few warrantless searches per day- maybe 10 or 20 if they have their door-kick down. In the actual world, a set of searchers hooked into AT&Ts database can do millions of warrantless searches per day. And they don't leave busted doors behind as a clue.

Consider voter disenfranchisement [eff.org] . In the old days, you had to physically block people from voting, one by one. Now you can do badly-designed joins on voter-rolls and stop thousands of people from voting in an afternoon.

Consider Free Speech [eff.org] . In your world you have to hire goons- expensive at overtime- to physically intimidate speakers. In the actual world automated intimidation, expensive intimidation, [chillingeffects.org] exists. In the actual world, entire subjects can be disappeared from view [eff.org] , thousands in one software installation.

Or maybe you really don't worry about building innovative tech companies [eff.org] , music CDs [eff.org] , publishing electronically [eff.org] . You really don't worry about credit scores, credit card records, HIPAA, test results, university records, voter data, flight records, VoIP calls... in your world. Funny, I didn't think they'd let you online in Supermax, Mr. Kaczynski.

Re:Your 'real world' doesn't include electronic da (1)

edward2020 (985450) | more than 7 years ago | (#15914401)

"What happens electronically can be more real, longer lasting, than any real-world event..." I've repeatedly said the same thing time and time again. When we rode to the gates of the Undercity and spat our defiance via /yell and /fart options will always remain with me. Seriously folks, the loss of our civil rights and uncounted "real" world atrocities aren't that big of a deal - its not like they have your social security numbers or e-bay accounts. Yet.

Re:Donate to these people (1, Funny)

Anonymous Coward | more than 7 years ago | (#15914057)

But they drink the blood of Christian babies!

Re:Donate to these people (4, Insightful)

Just Some Guy (3352) | more than 7 years ago | (#15914485)

And while we're at it, the NRA (for that amendment the ACLU forgot about).

Re:Donate to these people (1)

Profane MuthaFucka (574406) | more than 7 years ago | (#15914875)

Right, because it's way more cool to get mowed down by a Tomahawk when you're holding a gun. Don't think that a bunch of old gits with guns are going to stop a determined dictator wielding the might of the US Army. If the EFF and the ACLU fail, we're fucked.

Re:Donate to these people (1)

noidentity (188756) | more than 7 years ago | (#15914534)

Electronic freedom is nice, but freedom in the real world is all that matters in the end.


I really hate it when people treat online as any less real than offline. Both involve communication between humans, and that communication is important for survival. As more things become dependent on online communications, "the real world" is expanding to cover it.

Re:Donate to these people (1)

pfz (965654) | more than 7 years ago | (#15914928)

the real world? last time i checked the words, art, and actions we create using computers and technology is real!

Look on the bright side! (2, Interesting)

PrescriptionWarning (932687) | more than 7 years ago | (#15913342)

At least they provided a good 20 minutes of entertainment for me this morning :)

www.somethingawful.com/index.php?a=4016

Enjoin? (1)

Mateo_LeFou (859634) | more than 7 years ago | (#15913366)

I wonder whether AOL could be enjoined from collecting any personal data about users until this case is decided?

I wonder (3, Interesting)

LiquidCoooled (634315) | more than 7 years ago | (#15913369)

Even if this *doesn't* get through court, could an AOL customer ask AOL for their export ID number?

Is the ID number we have all grown to know an integral part of every AOL account?
Does AOL even know who user 17556639 actually is or was it generated automatically and then lost in the data export?

Re:I wonder (1)

Ponga (934481) | more than 7 years ago | (#15914023)

Ha. You can be sure that user 17556639 is correlated to an IP address somewhere. Discovering the real users' identity at that point is a trivial matter.

Re:I wonder (1)

merreborn (853723) | more than 7 years ago | (#15914069)

From the .txt file that comes with the data:

"The data is sorted by anonymous user ID and sequentially arranged."

AOL probably doesn't have a direct maping of anonymous ID -> AOL user ID. Of course, they have the original data, and as such, could work it out trivially.

Free credit monitoring? (0)

Anonymous Coward | more than 7 years ago | (#15913388)

Uh... To punish them for releasing a database of search results (that are pretty much anonymous, though some detective work can put names to some) the offended customers should give them access to MORE confidential information (SSN, mother's maiden name, credit history...?)

Why credit monitoring? (-1)

grylnsmn (460178) | more than 7 years ago | (#15913414)

Among other things, the complaint asks AOL to notify all users affected by the data disclosure via certified mail and provide free credit monitoring for a year.

Why should AOL have to provide free credit monitoring? Did the search information include Social Secuirity Numbers, home addresses, mother's maiden name (and identifiable as such), PINs, or some other sort of data that could be used to affect someone's credit report? If not, then what reason is there to ask for credit monitoring?

Re:Why credit monitoring? (0)

Anonymous Coward | more than 7 years ago | (#15913460)

Yes..yes it did

Re:Why credit monitoring? (2, Informative)

GoRK (10018) | more than 7 years ago | (#15913483)

Why should AOL have to provide free credit monitoring? Did the search information include Social Secuirity Numbers, home addresses, mother's maiden name (and identifiable as such), PINs, or some other sort of data that could be used to affect someone's credit report? If not, then what reason is there to ask for credit monitoring?


Really have you not heard about this? The data absolutely did contain exactly this sort of data.

Re:Why credit monitoring? (2, Interesting)

Neil Blender (555885) | more than 7 years ago | (#15913617)

Heh, yeah. I searched it last night with some crude perl regexes. There were a bunch of full names and SSNs in the same search. One funny thing I kept finding was a search like:

"locate John L. Smith last address 123 Main Street, Houston, Texas social security number 123-45-6789"

Like AOL was some magic person finding machine. I kept thinking Star Trek, "Computer: Locate ..."

Re:Why credit monitoring? (0)

Anonymous Coward | more than 7 years ago | (#15913704)

Even without searching for other people, some can be searching for themselves. I'll admit it, back during the spate of stupid e-commerce sites putting files of all of their transactions including creditcard numbers up for google to index, I searched for my own credit card number on google. I figured that if it was already out there, it couldn't do any more damage by putting it out there again.

Incidentially it got no hits at the time, though it's been a couple of years now.

Re:Why credit monitoring? (0)

Anonymous Coward | more than 7 years ago | (#15914743)

locate John O'Connor and Sarah O'Connor

Re:Why credit monitoring? (1)

Richard_at_work (517087) | more than 7 years ago | (#15913774)

If the data contained all of this, then so do the referrer logs of millions of webservers that get redirects from Google, AOL, Yahoo, you name it. This case highlights the sheer idiotic stupidity of users in the first place, typing their own personal information into a BOX on a SCREEN they *know* is connected to the internet, and expecting the data to remain 'secret'. Idiots, the lot of them. Im not saying AOL should be exonerated from all wrongdoing, but users have to take some blame for this themselves.

Re:Why credit monitoring? (2, Insightful)

joshier (957448) | more than 7 years ago | (#15914132)

Right, as if anyones to know that AOL would do this. Yes, AOL is a complete pile of shit for a company, but this was unexpected. You cannot blaim these people, I feel for each one of them.

Re:Why credit monitoring? (1)

Richard_at_work (517087) | more than 7 years ago | (#15914446)

I can blame these people, they blindly put private and confidential information into a search box on a webpage. If they did it with AOL, who else did they do it with? These people have no understanding of the web, and yet they still submitted personal information to other peoples hands - how can they have any expectation that that information would have continued to be privileged? Im quite right in saying that the search engine string is now in the referrer logs of any website they visited from the results, so the information was already well beyond AOL. There is a level of personal responsability with your data.

Re:Why credit monitoring? (1)

merreborn (853723) | more than 7 years ago | (#15914191)

bash$ egrep '[0-7][0-9]{2,2}-[0-9]{2,2}-[0-9]{4,4}' user-ct-test-collection-*.txt | wc -l
183
bash$

183 search queries contain well formed SSNs (I'm sure there are hundreds more w/o dashes, etc) (I threw the [0-7] at the begining because wikipedia indicates that no SSNs with the first 3 digits over 772 have been issued). I looked at a handful and a lot of those searches contain a lot more than just SSNs, at that.

For example, the below (which I've actually removed the sensitive data from -- it's public, but I refuse to repost it):
4186504 locate keith ivan thompson born * *** ** social security ***-**-**** last address was *** street apt *** ****** colorado

Re:Why credit monitoring? (1)

gorbachev (512743) | more than 7 years ago | (#15914273)

Yes, but if that SSN doesn't belong to the AOL user who performed the search, AOL is not LEGALLY required to do anything about it, as AOL's customer data was not leaked.

Tough nookies for Ivan Thompson, though.

Re:Why credit monitoring? (1)

merreborn (853723) | more than 7 years ago | (#15914333)

True; kieth ivan thompson *probably* wasn't the one who issued that query. However, I'm willing to bet at least one of the 183 SSNs I found belonged to the searcher. And again -- I only found well-formed SSNs; I completely ignored those without dashes, which almost certainly number somewhere around 100, if not more.

Re:Why credit monitoring? (3, Informative)

budgenator (254554) | more than 7 years ago | (#15913610)

Did the search information include Social Secuirity Numbers, home addresses, mother's maiden name (and identifiable as such), PINs, or some other sort of data that could be used to affect someone's credit report?
YES, many people run their personaly identifiable information through a search engine; don't you think that if google indexed a text file that was a dump of some perloined database on eveilhacker.com you'd want to know about it? For me for a search engine to turn over search queries is serious breach of confidence; I could never use Yahoo, MSN, or AOL for anything beyond trivial searches now, and I only use yahoo for yellowpages skimming at work.

Re:Why credit monitoring? (1)

morcheeba (260908) | more than 7 years ago | (#15914083)

I ran a quick check:

The term "SSN" was used by only 68 searches - and one referred to a ship.
Numbers of the format "111-11-1111" were searched 191 times. 22 of these searches had names attached. I didn't look in adjacent matches, so some more names might be inferred.
Nine-digit numbers were searched 246 times. I did a quick look-over, and none of these appeared to be SSN's.

Better question: Why only 1 year of monitoring? (1)

The_REAL_DZA (731082) | more than 7 years ago | (#15913918)

Some possibilities I can think of are:
  1. They think all AOL users will change their SSN's (or will have time to change them) within that time.
  2. They think the spammers and identity thieves will forget all those juicy tidbits within that time.
  3. They figure anyone lame enough to use AOL in the first place would probably give away their identity anyway within a calendar year, so there's no need setting a precedent.
My money's on #3.

This should... (1)

kingsean (980135) | more than 7 years ago | (#15913433)

really be from the "little-tighter-with-those-tubes-please" department.

EFF Can't Do It Alone!!! (3, Interesting)

pfz (965654) | more than 7 years ago | (#15913525)

They need your help!

Watch EFF attorney Jason Schultz tear the roof off in the new documentary, ALTERNATIVE FREEDOM. Maybe you will learn something or be able to show your friends and then we can all make sure digital rights are always kept in mind...

http://alternativefreedom.org/ [alternativefreedom.org]

Why oh why oh why??? (1)

atomic_toaster (840941) | more than 7 years ago | (#15913535)

I'm not saying that in any way AOL users "deserved" this -- nobody does. No matter what or how much information you a company has about you, whether it be your net searches or how filthy your carpets are, you expect the company that holds this information to keep it private.

However, why in the world would you go with a company like AOL that has so many recorded existing problems that could be discovered with a modicum of research? Unfortunately, it seems much like U-Haul being one of/the biggest moving van rental companies despite all [dontuseuhaul.com] the [wral.com] bad [toronto.ctv.ca] press [whnt.com] ... It's a household name, so it has to be good, right?

Re:Why oh why oh why??? (1)

mroonie (995579) | more than 7 years ago | (#15913742)

Well said.... That database that AOL put up cost the company what little credibility it had left. We all know that AOL's going down the drain but that had to be the last straw. I mean, do you know how many people out there have searched their name just to see what they can find about themselves on the internet? That's all it takes for that person to become a victim of ID theft! AOL is already the breeding ground for spammers, scammers and hackers http://www.essentialsecurity.com/Documents/article 22.htm [essentialsecurity.com] ...and now they have just welcomed more of them in with open arms.

Re:Why oh why oh why??? (1)

Overzeetop (214511) | more than 7 years ago | (#15916155)

Yeah, it's a good thing that "good" companies like Google don't do this sort of loggin... ...aw, shit.

Relief doesn't match mistake (4, Informative)

dysk (621566) | more than 7 years ago | (#15913779)

Yes, AOL made a mistake by releasing that information. They've admitted to the mistake, apologized, and I doubt anyone will try to do this again.

On the other hand, one needs to recognize that they didn't release the information for the purposes of making money, or defrauding the customers, or anything else. They collected the data in order to help a researcher write an extremely informative paper[pdf] [iit.edu] about human behavior as it relates to searches. That researcher decided that other's might benefit from the information, and convinced AOL to make it publically available. It turns out that that was a huge lapse in judgement, but nonetheless, intentions are also important and while criticizing AOL, we should also complement them for their effort to interface with the academic community.

AOL has been punished enough in the press. Given the circumstances I don't think that any legal action is necessary.

Re:Relief doesn't match mistake (2, Insightful)

fishbowl (7759) | more than 7 years ago | (#15913967)


>AOL has been punished enough in the press. Given the circumstances I don't think that any legal action is necessary.

Others are of the opinion that the people responsible should spend decades in prision, and that the company should pay fines and restitution at the kinds of levels that would reduce them from a multi-billion-dollar-corporation to a startup looking for venture capital.

Somehwere in between that extreme and yours, there will be some appropriate consequences.

Re:Relief doesn't match mistake (2, Insightful)

Anonymous Coward | more than 7 years ago | (#15914475)

This is more than a "huge lapse in judgment", it's criminal negligence and legal action should be taken (IANAL). It's hard to imagine a researcher or company could be so collosally brain-damaged as to freely give away this data to the public. I would actually be more understanding if it was stolen. If anything, the data should be available only to qualified researchers, and then only under an NDA that would only permit summarized forms of the data to be published.

There is more than enough information in here for identity theft and blackmail. In less than one day of casual inspection, I've identified a number of individuals, of which a half-dozen or so could be blackmail targets (affairs, sexual fetishes, pedophilia, drug abuse and alcoholism, etc.) The number who could be targets of identity theft is higher.

Re:Relief doesn't match mistake (0)

Anonymous Coward | more than 7 years ago | (#15915428)

Who cares if they made some informative paper? The fact is the information should have never been available to this researcher in the first place. Privacy > Research.

The question is , why did AOL release info at all? (1)

rufusdufus (450462) | more than 7 years ago | (#15913788)

It was a very strange thing for AOL to release that search history. Out of the blue, they suddenly announce they are giving away some of their data. Why did they do this? They must have had a reason. The only thing I can think of off hand is they needed a way to make the information public so it could be used legally by law enforcement?

Re:The question is , why did AOL release info at a (1)

The_REAL_DZA (731082) | more than 7 years ago | (#15914130)

Out of the blue, they suddenly announce they are giving away some of their data.

It's probably somewhere in their TOS (I haven't read it and don't care to/have time to) that they don't have to ask anyone's permission to "share" their "non-personally-identifiable information" with their "partners" (just to coin a few phrases from various TOS's and EULA's and CYA's I have bothered to read over the years...) but it would've been nice if they had announced they were planning to release a subset of their logs, to whom, and exactly when (and even offered an "opt-out" avenue to their users who so wished...) and then gathered some feedback before doing something so cosmically STUPID. That way, they would have had the benefit of all the regex advice and the pattern-matching advice (not to mention the most excellently very sound advice of all: "JUST DON'T DO IT"...)

Re:The question is , why did AOL release info at a (1)

AlgorithMan (937244) | more than 7 years ago | (#15915976)

well they say now that it didn't happen on purpose... but then I don't know why the names are replaced by IDs...

who says they CAN notify the users? (1)

SuperBanana (662181) | more than 7 years ago | (#15913842)

Among other things, the complaint asks AOL to notify all users affected by the data disclosure via certified mail and provide free credit monitoring for a year."

AOL probably -CAN'T- notify the users, because they probably didn't keep the username->ID# mapping.

Re:who says they CAN notify the users? (1)

Overzeetop (214511) | more than 7 years ago | (#15916169)

Well, they certianly kept them long enough to generate lengthy trails of queries. I don't see why they wouldn't keep the mapping, if for no other reason than continued logging.

I don't want certified mail (2, Interesting)

dysk (621566) | more than 7 years ago | (#15913925)

the complaint asks AOL to notify all users affected by the data disclosure via certified mail
Unless I'm being sued or in immediate legal danger, I don't want to get any certified mail. When I do, I have to interrupt my work day and drive 10 miles over questionable roads to the post office. The fact that some of my searches may have been leaked without my name on them is not a reason to send a certified letter, however an insert in my next bill would be completely reasonable.

The EFF has good intentions, but in this case they are going overboard.

Re:I don't want certified mail (0)

Anonymous Coward | more than 7 years ago | (#15914940)

I could not agree more. Also, why on earth would any of these anonymous "victims" need credit monitoring?

Memo to EFF: Stop that! You're embarassing us!

Some weird people in the world, that's for sure (3, Funny)

Anonymous Coward | more than 7 years ago | (#15913945)

For example:

select * from aolsearches where anonid = 3620882;

yields a very strange individual... some brief examples (shortened for brevity... it's MUCH longer than this):

| 3620882 | bank robber hide-outs                       | 2006-03-01 22:22:04 |
| 3620882 | male sissy panty stories                    | 2006-03-01 22:35:41 |
| 3620882 | big bosom mothers                           | 2006-03-01 22:47:58 |
| 3620882 | sissy nightgown training                    | 2006-03-02 11:46:49 |
| 3620882 | special female training of sissy men        | 2006-03-02 17:16:24 |
| 3620882 | tight laced girdles                         | 2006-03-05 12:33:09 |
| 3620882 | baptist church directory                    | 2006-03-07 18:56:13 |
| 3620882 | pink panty discipline                       | 2006-03-07 19:41:53 |
| 3620882 | old curvy women                             | 2006-03-10 12:38:47 |
| 3620882 | independent baptist church directory        | 2006-03-12 11:45:44 |
| 3620882 | westboro baptist church                     | 2006-03-23 13:51:49 |
| 3620882 | baptist college directory                   | 2006-03-25 19:44:22 |
| 3620882 | adult diaper parties                        | 2006-04-04 13:51:30 |
| 3620882 | colorado mining claims for sale             | 2006-04-16 13:00:25 |
| 3620882 | husbands that are sissy                     | 2006-04-28 20:13:11 |
| 3620882 | very large bosoms                           | 2006-05-18 21:38:57 |
| 3620882 | how to make gun silencers                   | 2006-05-20 12:45:00 |
| 3620882 | male maid training                          | 2006-05-30 12:15:49 |

Really, I think of myself as a pretty tolerant person, but this seriously makes me wonder what kind of weird individuals roam this planet.

Re:Some weird people in the world, that's for sure (1)

kinglink (195330) | more than 7 years ago | (#15914030)

This is the greatest search example yet. Upmod the parent!

In the very least it makes everyone feel better about all the perverted crap they have searched for.... Not that I have ever searched for anything perverted.

Re:Some weird people in the world, that's for sure (1)

Maserati (8679) | more than 7 years ago | (#15914711)

No, the article on Something Awful [somethingawful.com] has some that top that. It's been posted before under this article, but another link can't hurt. Mind you, some of them are kinda disturbing.

Re:Some weird people in the world, that's for sure (1, Funny)

Anonymous Coward | more than 7 years ago | (#15914416)

Please remove this post.
    Sincerely,
    Jerry Falwell

Re:Some weird people in the world, that's for sure (1)

Castar (67188) | more than 7 years ago | (#15915656)

I think that if the world could see everyone's search data, we would come to realize that this isn't that strange after all. Just the internet in general quickly makes me realize, at least, that there are a lot of people out there with non-mainstream tastes. Perhaps more than there are people with strictly mainstream tastes (the long tail of sex?).

Don't be so quick to judge. Would we find anything strange in *your* porn collection?

The people in the AOL search thing who really bother me are the ones searching for murders and ways to commit them. SomethingAwful had one log that made it look like the guy was trying to figure out if he'd been fingered for serial killings. (Although, that's potentially a biased view based on a small view of his search history - illustrating another danger in the release of this information).

Personally, I'm somewhat glad this information is out. It's akin to the Kinsey studies of an earlier age... It might make you realize that your neighbors are not as "normal" as you assume them to be. And might make you more comfortable in your abnormality.

Re:Some weird people in the world, that's for sure (1)

Eil (82413) | more than 7 years ago | (#15916024)

Jesus, how did you get that thing through the lameness filter?

bad data = no profiling (1, Insightful)

Anonymous Coward | more than 7 years ago | (#15914384)

Someone needs to come up with a quick-and-dirty resident app that issues random search queries to Google and other engines at random intervals. You poison the value of the data and make it relatively useless.

Re:bad data = no profiling (1)

AlgorithMan (937244) | more than 7 years ago | (#15915942)

too late...

start finding identities (1)

AlgorithMan (937244) | more than 7 years ago | (#15916022)

someone should start trying to find out the identities of the people whose search queries were published... I don't think you need too many queries by one person to pin him down...

maybe THIS would silence the guys that understate how horrible this is for privacy...

sounds like another job for the EFF ;)
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>