Someone’s going to get fired, and well they should. Perhaps several ’someones’. Today AOL published ‘for academic research’ the records of 657,426 users who used their search engine over the last several months. For privacy reasons, they replaced the screen name with a numeric code. The download of 487 Megabytes of compressed data was taken down pretty quickly, but already it’s been posted on numerous mirror sites and archived.
Lesson #1 - It’s nigh impossible to put the genie back in the bottle on the internet… so never say anything on the internet you wouldn’t say to your mom or in the court of law.
The search patterns of various users are sometimes easily tracked to a very finite group of people. In one thread on this subject, some people are already using easy search tools to build profiles of interesting or amusing (and often disturbing) search profiles. Of course, it would be impossible to PROVE that a certain individual searched for a specific thing without the screen name (and even then, it would only prove that someone with access to that account did the search), however, it’s certainly enough information that some people are going to be confronted with some very unconfortable information very soon given the propensity for some users to search on their own or their subject’s full name and address. Also, several incidents of people searching for their own credit card # or email address is a sure way of causing some potentially embarrassing moments.
The shocking thing here is not the particular content of the searches. MOST are the usual fare of people looking for websites and information. However it’s the realization that AOL, and is to be assumed other search engines, can collate, store and use this information. AOL *DOES* have the user names, real names, billing information and knows what you search for, when you search for it and how often. It’s also not data that’s purged or well guarded as is evidenced by the fact that some fairly low-level techies at AOL thought that this would be a good bit of data to share for academic research purposes.
You have to wonder, if a small sampling of this search data can turn out such a ‘wealth’ of information about people; what is the risk of this data being used inappropriately and how would you guard against it? Despite their assurances, how do you KNOW that AOL-Time Warner is not using search data and other usage patterns to build up profiles? It would be worth the effort for them to do so, as long as they didn’t get caught in the act.
Likewise, consider that most people use other search engines without User IDs such as Yahoo or Google, except that those search engines also encourage you to install their toolbars and log in to their various customizable services. Rest assured that those sites also use cookies, IP logging and log-in data to track usage and searches.
It’s unlikely that this data would or could be used to cause direct harm, but the expectation of privacy/anonymity is mis-leading. Unless you are willing to go to great lengths technically you have to keep in mind :
Lesson #2: Everything you do on the internet is done in public.
Now, I downloaded the data from one of the mirror sites out of curiousity and I will say that it’s not something the average person on the street will do, or if they do, will know how to manage and search hundreds of megabytes of text, however; there are several thousand that will and are scouring this data for mostly laughs at the expense of those less fortunate than themselves, but also there are those who will get hold of this data and mine it for ‘marketable’ information such as extortion, identity theft and credit fraud. Just think for a moment, if you would let me have access to all of your searches for the last 6 months, even those things you did off-hours or on a lark, what could I infer about you? Would you be off-put or embarrassed by anything you typed or mis-typed?
There have been other cases of mass-information leaks in the past. There have been travel records posted, medical records posted, credit card purchase histories and social security card databases posted. Disasters for all those involved. This is a little different because this data was probably not considered to be stored by the people giving it. It’s also far more personal than you would ever imagine. It was also probably inconceivable to those using AOL that that data would be read and analyzed by thousands of people and even mocked on some message boards.
I have to imagine that there is some kind of liability here for AOL.
Lesson #3: When customers trust you with their data, you have to consider that a sacred trust. Betraying that trust is a fatal mistake and will get you sued.
So, should I post some excerpts of the data here? I considered it because it’s certainly posted elsewhere but didn’t want to compound the offense. You can search for this issue on any search engine, just becarefuly because it might come about that in a few months someone will know that you searched for this and wonder what you were doing searching for that during work hours!
Tweet this Post:
What in the world where they thinking? They being AOL. Now, I know that AOL announced that they were laying off 2000 people recently, and perhaps I might buy a theory that says “somone who as getting ‘made available to industry’ relased this info, and cleaned up some of the data to make it look like an official release..”….but, if I dont hear something like this I am going to simply sit here and be flabbergasted the rest of the day.
Most 10yo’s I encounter would know that releasing anything with Credit Card info, or SSNs, is simply not right.
AOL is posting their official response on the blogs. Go read it here.
Someone’s going to get a PhD (or perhaps a DBA) out of this whole debacle, but it won’t be by using the data in the manner that AOL says drove the original intent of publication.