honoluluadvertiser.com

Sponsored by:

Comment, blog & share photos

Log in | Become a member
The Honolulu Advertiser
Posted on: Tuesday, August 8, 2006

AOL apologizes, yanks data on users' searches

By Ellen Nakashima
Washington Post

WASHINGTON — AOL issued an apology yesterday for posting on a public Web site 20 million keyword searches conducted by hundreds of thousands of its subscribers from March to May. But the company's admission that it made a mistake did little to quell a barrage of criticism from bloggers and privacy advocates who questioned the company's security practices and said the data breach raised the risk of identity theft.

"This was a screw-up and we're angry and upset about it," the company said in a statement. "Although there was no personally-identifiable data linked to these accounts, we're absolutely not defending this. It was a mistake, and we apologize."

The posted data were similar to what the U.S. Justice Department had been seeking when it subpoenaed Internet companies, including AOL, last year. AOL complied and handed over search terms that were not linked to individuals. Google Inc., by contrast, fought the subpoena in court and won.

The AOL data were posted at the end of last month on a special AOL Web site designed by the company so researchers could learn more about how people look for information on the Internet. The company removed the data over the weekend when bloggers discovered it.

The Washington Post did not review the full 439-megabyte data set but contacted bloggers who had accessed it.

For the posted data, each person using AOL's search engine was assigned a unique number to maintain anonymity, the company said. But some privacy experts said scrutinizing a user's searches could reveal information to help deduce the person's identity.

Michael Arrington, editor of the blog TechCrunch, said some of the data contained credit card numbers, Social Security numbers, addresses and names.

"People put anything they can think of into the search boxes," he said.

Based on his analysis so far, out of 20 million queries, the number that contained sensitive personal financial information such as credit cards and Social Security numbers is probably "in the hundreds," he said.

"Most people aren't stupid enough to type their Social Security numbers in a search engine, but it's definitely enough to make AOL look stupid," he said.

Some bloggers said some of the information available was scary, noting queries on how to kill one's spouse and on child pornography.

Experts said people search for all sorts of personal data — including their own names — with the assumption that it will remain private.

"All of a sudden there's a correlation between my name and something very private that I don't expect to have dumped all over the Internet," said David Holtzman, president of GlobalPOV, a blog and consulting firm on privacy and security and author of the forthcoming book "Privacy Lost."

Kevin Bankston, an attorney with the San Francisco-based Electronic Frontier Foundation, said AOL's apology was appreciated but the damage has been done.

"The horse is out of the barn," he said. "The data's out there and been copied. This incident highlights the dangers of these companies storing so much intimate data about their users."

AOL was trying to design a Web site aimed at helping researchers do their job better by including AOL open-source data tools, company spokesman Andrew Weinstein said.

A technician posted the data to the site without running them past an in-house privacy department, not realizing the implications, Weinstein said. An internal investigation is under way to determine what happened and prevent future occurrences, he said.