15 Worst Internet Privacy Scandals of All Time

In honor of National Data Privacy Day this Saturday, Jan. 28, we've put together a list of the 15 worst Internet privacy scandals of all time.

These high-profile privacy scandals involve many underlying technologies, from search to social media, e-mail to voice mail, mobile phones to Webcams to GPS. But at the heart of all of these privacy scandals are companies collecting personal data without the user's knowledge or consent and then either sharing it with third parties or simply failing to keep it safe.

The latest company to come under the privacy microscope is Google, which revealed a new privacy policy on Tuesday that clarified how it is combining user data across its services.

Meanwhile, on Wednesday the European Union unveiled stiffer penalties and higher fines for U.S. firms that fail to meet their privacy rules for cloud computing and social media applications.

With online privacy expected to remain a high-profile issue in 2012, here's our list of the biggest online privacy breaches of all time:

1. Sony CD Spyware

Sony BMG ran into a major privacy flap in fall 2005 because of the anti-piracy measures called XCP that it added to music CDs. When a customer played one of these CDs on a Windows PC, the CD installed hidden rootkit software onto the PC that communicated the CD being played and the IP address of the PC back to Sony. This so-called spyware also created vulnerabilities on PCs for worms or viruses to exploit. Critics said Sony had created a backdoor onto its customers' machines, leading Sony to recall the CDs and offer a free removal tool for the rootkit software. Class action lawsuits were filed against Sony in Texas, New York and California. The U.S. Federal Trade Commission required Sony to pay $150 to any consumer whose PC was damaged by the software as part of a settlement for violating federal law. (Also see: Sony BMG rootkit scandal - five years later)

2. The Craigslist Experiment

In February 2006, Seattle Web developer Jason Fortuny posed as a woman seeking sex on Craigslist to see how many responses he would get in 24 hours. He received 178 responses, including photos, names, e-mail addresses and telephone numbers of the men who answered the ad. Fortuny then published all of these responses on a Web site called Encyclopedia Dramatica. The incident received a significant amount of mainstream media coverage, including the Associated Press and MSNBC. Fortuny was later sued in Illinois court by an anonymous plaintiff, and in May 2009 Fortuny ended up receiving a $75,000 default judgment.

3. AOL Search Leak

In August 2006, AOL released a file containing 20 million search keywords used by 650,000 of its users over a three-month period. The file was supposed to be anonymous data available for research purposes, but personally identifiable information was available in many of the searches, making it possible to identify an individual and their search history. AOL admitted it was a mistake to release the data and removed it from its Web site after three days, but by then the data had been mirrored at sites across the Internet. AOL's CTO Maureen Govern quit two weeks later. In September 2006, a class action lawsuit, which is still lingering in California courts, was filed against AOL demanding $5,000 per user.

4. Google Street View

In May 2007, Google added its Street View feature to Google Maps, and it has been battling privacy complaints, paying fines and facing audits ever since. Google Street View provides panoramic views of streets gathered by webcams. It prompted privacy worries for showing men leaving strip clubs, people entering adult bookstores, and people picking up prostitutes, among other activities. Google allows users to flag worrisome images for removal and added a blurring feature for faces and license plates. Nonetheless, Street View has run into privacy battles with Switzerland, France, Belgium, Germany and South Korea, to name a few countries. France fined Google the equivalent of $142,000 in March 2011 related to Street View, but an August 2011 review by the U.K. government gave Google positive marks for improving the privacy of Street View. Meanwhile, Google must undergo regular privacy audits mandated by the FTC for the next 20 years as the result of a settlement over improper privacy disclosures in its now-defunct Buzz social media service.

5. Hotmail Hot Mess

One of the biggest privacy scandals in terms of scale involved Microsoft's Hotmail free e-mail service. In October 2009, Microsoft urged hundreds of millions of its Hotmail users to change their passwords due to a privacy breach. Microsoft said it discovered that users' details from 10,000 e-mail accounts were posted on the www.pastebin.com Web site as the result of a likely phishing scheme. Microsoft urged users of email accounts ending in @hotmail.com, @msn.com and @live.com to begin changing their passwords every 90 days.

6. Webcamgate

A Pennsylvania school district that used built-in Webcams to monitor the use of several thousand Apple laptops that it provided to students for their use at home ran afoul of online privacy issues and was forced to pay up. The school district admitted it had over 56,000 photos and screen grabs gathered by the Webcams and security software installed on the laptops. These photos were taken without the knowledge or consent of the students, including in their bedrooms and in various stages of undress. In April 2010, high school sophomore Blake Robbins filed a class action lawsuit against the Lower Merion School District for invasion of privacy. In October 2010, the school district agreed to pay $610,000 to settle two lawsuits related to the incident.

7. Facebook Apps

The popular social media site has been plagued by privacy issues over the years. Its highest-profile problem was in October 2010, when Facebook admitted that its top 10 most popular applications, including FarmVille and Texas Hold'em, shared user data, including names and friends' names, with advertisers. A Wall Street Journal investigation uncovered the Facebook privacy breach and said it affected tens of millions of users, including some that had used Facebook's most stringent privacy settings. Facebook had previously been in trouble for transmitting user ID numbers to advertising companies when users clicked on ads. In November 2011, Facebook settled a case with the U.S. Federal Trade Commission about several incidents and agreed to 20 years of third-party privacy audits. (Also see: 10 must-know Facebook privacy/security settings.)
