Fallout From AOL's Data Leak Just Beginning

The fallout from AOL's unintended release of personal search data of 658,000 subscribers could include fines, lawsuits, and changes in law and policy regarding search queries.

K.C. Jones, Contributor

August 9, 2006


AOL's release of subscribers' search data is an unprecedented event that could spark a change in Internet privacy rules or it could spark a series of lawsuits, according to experts.

Parry Aftab, executive director of wiredsafety.org, which claims to be the world's largest Internet safety and help group, said that if AOL violated its own privacy policy: "A lot of lawyers are going to be looking at the damages here. What were they thinking?"

Andrew Weinstein, AOL spokesperson, said during an interview Wednesday that the company's research team ignored internal policies by deciding to publish search terms on an open Web site designed to help academics. They did not vet their plan through AOL's privacy team, he said. They attached the information to user identification numbers intended to protect subscribers' anonymity.

Some users had searched their own names, telephone numbers and other information that, when combined, can be used to identify them.

Though Weinstein said that AOL did not violate its own privacy policy or federal laws prohibiting disclosure of private information to third parties, lawyers and privacy advocates disagreed.

During an interview Wednesday, Aftab described the people at AOL as being among the most trustworthy in the industry and said the release of information was uncharacteristic for a company that helped draft best practices. Still, she said that, if the Federal Trade Commission (FTC) finds that AOL violated its privacy agreement, it could fine the company.

"There could be really serious consequences," she said. "The lawyers and regulators will be all over this. The FTC has given fines in the millions of dollars for breaching privacy, but the real cost is going to be the brand."

Aftab said the very actions she takes to protect her privacy could have resulted in the publication of previously undisclosed facts. She said she searches her name, social security number, cell phone number and other data to make sure it has not been published on the Web.

In addition to searches that centered on health, financial and other carefully guarded topics, the data included taboo subjects like incest, masturbation and bestiality. Though AOL removed the information, mirror sites copied the data, which includes searches for anonymous help groups like Alcoholics Anonymous, as well as queries on issues like surviving rape, how to tell family members about incest and where people with HIV can find help.

Aftab said she believed that lawyers would be looking to sue under consumer fraud laws for violating customer agreements. Aftab noted, however, that she is not suggesting that AOL violated its privacy policies and has not reviewed them in connection with this disclosure. Others said they believe the company may have violated the Electronic Consumer Privacy Act of 1986.

Sherwin Siy, a lawyer for the Electronic Privacy Information Center, said that any lawsuits resulting from the disclosure are likely to come from individuals and play out differently in each state, depending on tort laws in those states.

"It will affect individual people and will affect those people a great deal," he said during an interview. "It won't show up as a dollar amount for the FTC to take action against. It's not as quantifiable a harm, which creates a problem for people who are affected by this and it makes it much more difficult to make things right."

Siy said AOL didn't "just lose some money and have credit reports to fix."

"It's a more emotional and traditional sense of privacy," he said. "There are some things that other people shouldn't know about me. What I think, what I read, is something that I should be able to keep to myself. People should be able to determine how they hold themselves out to the public and AOL has removed some of that power."

Derek Slater, an activist with the Electronic Frontier Foundation, said during an interview that the release shows why Internet companies should not be collecting and storing such information in the first place.

"The hope is that out of this horrible disaster with AOL, we can get better policies," he said. "AOL did a great disservice to their customers here. They don't have to keep these logs. There's nothing forcing them to keep these logs."

He also said the company has downplayed how easily identities can be linked to the search information and "needs to be held to account."

Kevin Bankston, a lawyer for EFF, said the group is looking into taking action.

"This is the first time we've seen a huge release of search data," he said. "There's never been any disclosure of search terms of this scale. No court has ruled on whether search is protected by statute. When the laws were written, search terms didn't exist."

Though Weinstein points to statements in AOL's privacy policy warning that information could be used for research, Bankston said there is nothing indicating they would ever publish search logs.

"If you look through the data, you see that people searched for their own names, their family history, resources in their local neighborhood. If taken together, it's patently false that this data cannot identify individuals. I found one myself, where I think if I gave it five minutes on the phone I could confirm who it was."

Weinstein said AOL is very upset about the release and the company has repeatedly apologized to subscribers. He said the size of the data pool makes it unlikely that AOL can determine which users' information was revealed and, for that reason, it is unlikely individual subscribers would receive notices. He said the published material only represents .3 percent of the total data from three months of 2006 and affected about 1.5 percent of users.

He declined to comment on an employee's blog entry stating that the company should not maintain that type of information in the first place.

"I would note, however, that AOL only retains personal, linked search terms for 30 days now," he said.

Weinstein added that the company was leading an internal investigation, to make appropriate changes and make sure nothing similar ever happens again.

Jonathan Zittrain, a professor of Internet governance and regulations at Oxford University and co-founder of Harvard Law School's Berkman Center for Internet & Society, said during an interview that he did not think AOL violated its privacy agreement. He said the search data is valuable to researchers trying to figure out what goes on in people's minds at a given time. He added that it would be hard for victims to show harm but the release could still have a major impact.

"It may just be one of those watershed privacy events that capture public attention," Zittrain said.
