
SCREWED! the AOL search history DB snafu
2006-08-18 05:39

http://attrition.org/news/content/06-08-16.001.html
Wed Aug 16 19:15:24 EDT 2006
martums

You kissed your privacy goodbye a long time ago, right?

From Wikipedia:

On August 4th, 2006, AOL released a compressed text file on one of its websites containing twenty million search keywords for over 650,000 users over a 3-month period, intended for research purposes. AOL pulled the file from public access by the 7th, but not before it had been mirrored, P2P-shared and seeded via BitTorrent. News filtered down to the blogosphere and popular tech sites such as Digg and Wired News.

Whilst none of the records on the file are personally identifiable per se, certain keywords contain personally identifiable information [1] by means of the user typing in their own name (ego-searching), as well as their address, social security number or by other means. Each user is identified on this list by a unique sequential key, which enables the compilation of a user's search history.

AOL acknowledged it was a mistake and removed the data, although the files can still be downloaded from mirror sites. Additionally, several searchable databases of the report also exist on the internet. [2]

Mistake? If betraying the trust of 2/3 of a million subscribers equals a mistake, how do they define catastrophe?

Apart from the obvious PR quagmire that AOL now finds itself in, and the painful regret (or torn anus) that AOL users may be feeling (and should have been feeling since they signed up), the long-term impact is immeasurable. Their stock is falling [3]. They're giving away BYOA accounts, [4] (they'd have to at this point), a move which may cost Time Warner over a billion dollars by 2009. [5] They're facing penalties, fines, not to mention lawsuits. [6] If there's a bottom for any business to hit, they're very close. [7] They should take a cue from ValuJet and change their name (again). [8, 9]

AOL states they keep 30 days of user-identifiable search history, and that a research division may keep three months or more of search history, but not associated to specific accounts, (the latter echoes of what was released on 4 August).

Google has already stated they will continue to store search queries and related info, and that they won't make the same mistake AOL did. [10, 11] Predictably, Yahoo! Search! will! do! the! same! Considering the staggering amount of infrastructure Google possesses, (Great Caesar's Ghost--Google has an estimated four PB of RAM alone), their data retention capabilities far exceed the 90 days of history AOL retains for research purposes. [12, 13] That search you did recently for Paris' poodle porn may come back to haunt you. Even though you were just doing it for a friend.

[...]


News URL

http://attrition.org/news/content/06-08-16.001.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
AOL 15 0 11 12 7 30