Net Watchdog: The Elusive Search for Privacy

AOL's accidental release of the search queries of 650,000 subscribers underscores the growing stakes when it comes to digital privacy. AOL's disastrous mistake is exactly the reason you should be asking yourself whether privacy even can exist in this digital age.

AOL's Research team mistakenly posted a file containing three months of search histories online. Once AOL realized what had happened, the company removed the 2GB of data from its site--but not before the file was copied and posted on servers around the Internet. Intimate searches for medical, financial, and personal information were made public.

The data identified users only by a unique ID, not by name. But in many instances that have been documented online--and, in one case, in a New York Times story, the individuals behind the searches were identified. These individuals were identified based on their queries: Some searched for their own names and social security numbers, and then later searched for local information. Those who analyzed this data were able to identify and contact these AOL users--users who had conducted these searches assuming they were anonymous.

AOL has apologized for the releasing the information. But I fear all too soon AOL's mistake will become another blur in our memory banks alongside the growing number of apocalyptic security snafus.

Fighting Back

On August 14, the Electronic Frontier Foundation filed a complaint against AOL (Acrobat file) with the Federal Trade Commission. The complaint alleges that AOL violated federal laws prohibiting "deceptive trade practices" when it released the search data. The EFF says AOL's privacy policy promises that no such disclosure would take place. The EFF hopes the FTC will launch an investigation into the AOL incident, and force the company to notify customers affected by the disclosure and to stop logging search data except where absolutely necessary.

Privacy activists aren't the only ones making noise: The folks in Washington also have been rattling their privacy sabers.

Representative Ed Markey (D-Massachusetts) was quick to react to AOL's blunder. He issued a statement calling for Congress to pass previously proposed legislation intended to prevent the perpetual amassing of private information by Web site owners.

Markey had originally proposed the legislation in reaction to the news that Google was resisting the Department of Justice's subpoena of its search records as part of the DOJ's investigation of pornography searches on the Internet.

Markey's bill, called the Eliminate Warehousing of Consumer Internet Data (EWOCID) Act, would require Internet companies to delete "obsolete" data containing personal information. It also would put the FTC in charge of making sure all Web sites do not keep any visitors' identifying information in their logs. The bill has been introduced to the House or Representatives and is waiting for a hearing.

Earlier this year, House Energy and Commerce Committee Chairman Joe Barton (R-Texas) reacted to the revelation of Web sites offering to obtain cell phone records on just about anyone for a small fee. He introduced a bill that bans the sale, lease, or rental of confidential telephone records. In March a House panel approved the legislation.

Wake up Call?

The EFF says AOL's mistake should serve as a privacy wake-up call. But I fear that American consumers have heard so many wake-up calls by now that they've broken the snooze button and have their heads buried deep between two pillows.

The most recent wake-up call came last year, when AOL and other major search companies received subpoenas from the Justice Department for their search data. AOL, Microsoft, and Yahoo handed over the search records. Google challenged the request. A federal judge ruled in March that Google didn't have to provide the data.

There have been earlier wake up calls. Remember ChoicePoint? Or LexisNexis? What about Microsoft Passport, or DoubleClick?

Trust Earned, Trust Broken

AOL swears such a mistake won't happen again. Should we believe the company?

Google CEO Eric Schmidt said earlier this month that his company has security precautions in place to prevent an incident like the one that occurred at AOL. Feel better now?

Meanwhile Google keeps right on recording your every search. And so do Yahoo and Microsoft.

Internet companies have plenty of good, legitimate reasons to track search histories. The data can help firms improve their search technology. Studying search histories also helps companies prevent click fraud, by making sure computers aren't repeatedly auto-clicking on Web ads to drive up costs.

All of the major search engines, including AOL, Google, MSN, and Yahoo post their privacy policies online. They explain how they each use a combination of cookies and so-called Web beacons to profile visitors anonymously. Yahoo is unique in that it allows you to opt-out of participating.

Privacy Is Worth Fighting For

People care about privacy. We know that when we enter sleazy online lotteries in hopes of winning plasma TVs or we install the latest free peer-to-peer software we invite the worst elements of the online advertising industry to come knocking. But search engines seem benign, and in today's world many of us can't avoid using them.

Hosts of privacy workarounds and digital software tools will cloak and protect your online identity when you're using search engines. But to me, using them feels about as natural and convenient as putting on a disguise every time I go grocery shopping.

Government and consumers can make a difference. It was only after complaints to the FTC that Microsoft changed its Passport sign-on service and DoubleClick changed its privacy policy.

Consumers can fight for privacy protection. We all just need to be reminded that it is worth fighting for.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon