AOL's Massive Data Leak

Take Action: Were You Exposed By AOL's Data Leak?


In August 2006, AOL publicly released three months of search queries by 650,000 AOL users. Though AOL has removed the data from its site and rightly apologized, the grave damage is already done. The data quickly became available all over the Net, and AOL may have violated its own privacy policy as well as existing federal law. Both Congress and companies like AOL should heed the lessons of this Data Valdez and enhance protections for your privacy. On August 14, EFF asked [PDF] the Federal Trade Commission (FTC) to investigate AOL and require changes in its privacy practices.

AOL's actions demonstrate a shocking disregard for user privacy. Search terms can expose the most intimate details of a person's life. These details can be embarrassing and even cause great harm. Would you want strangers to know where you or your child work or go to school? How about everyone seeing search queries that reference your financial information, medical history, sexual orientation, or religious affiliation?

Though the data was associated with random ID numbers, that information could still be connected back to an individual given enough clues, as this NY Times article clearly demonstrates. Whether it's because of vanity searches for your name or MySpace profile or searches related to your city and neighborhood, your search history could create a trail of breadcrumbs that ultimately leads to your doorstep.

This incident highlights the dangers of allowing search companies to store this kind of personal data. While AOL has rightly apologized, its customers deserve more than that -- AOL must take steps to rectify the damage done and to improve its privacy protections in the future. Congress should also take note of this latest Data Valdez by creating stronger, crystal-clear legal protections for user information and by limiting data retention.

In its complaint [PDF] to the FTC, EFF argues that the release of this data violated AOL's privacy policy and the Federal Trade Commission Act and should be investigated. EFF further requests that the FTC require AOL to notify customers affected by the disclosure and to stop logging search data except where absolutely necessary.

FTC Complaint

Exhibits to Complaint

DeepLinks blog posts about the AOL data snafu