Searchers who typed in their names in one search, and then later searched the Web using private financial numbers or sensitive search terms think medical conditions or bizarre fantasies could find that searches they thought would go no further than their browser are now available to curious onlookers. Although AOL removed the database from its research site when bloggers drew attention to the privacy breach, the data had already been copied and posted elsewhere. Several sites have been set up to allow general access to the search records.
The breach was not an isolated incident. "Data security is in shambles," says Beth Givens, director of the Privacy Rights Clearinghouse (PRC), which has posted a list of more than 150 serious data compromises so far in 2006. The breaches include lost bank backup tapes, hacking losses, stolen laptops, and releases of private information like AOL's. "This latest leak gives us a window into the sensitivity of search strings," Givens says. "We all use search engines and don't think about what someone could learn about the most sensitive aspects of our lives by studying what we search for over time."
"If companies can't protect this information, they shouldn't collect it," says Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC). Earlier this year, Google refused a Department of Justice request for collections of search terms, for which EPIC applauded the search giant. But Rotenberg argues that companies shouldn't store search strings at all, to avoid future subpoenas or data breaches. Ultimately, federal legislation may help bolster Internet security. "We need some new privacy laws," Rotenberg says, "because Net users shouldn't be left with the choice of giving up their privacy or turning off their computer, which is where they are today if they use an Internet search engine."