Just a week after announcing it would give away free e-mail addresses and online storage space, AOL admitted yesterday it had mistakenly given away something far more valuable. In a move originally intended to help academics using its research site, the company (which, like Time.com, is owned by Time Warner) released information about Web searches conducted by 658,000 of its members between March and May. The data linked together millions of searches done by unnamed individuals over that three-month period, for example, linking a Kentucky-based poker aficionado's searches for poker lessons with his or her requests for help planning a suicide. Rather than providing portions of the data to accredited academics working on specific research, the information was released freely on the Web, giving anyone and everyone online a peek at the private search patterns of AOL members. "This was a screw-up," AOL spokesperson Andrew Weinstein said, in explaining that 20 million search records were compromised. "We're absolutely not defending this. We apologize."
Searchers who typed in their names in one search, and then later searched the Web using private financial numbers or sensitive search terms (think medical conditions or bizarre fantasies), could find that searches they thought would go no further than their browser are now available to curious onlookers. Although AOL removed the database from its research site when bloggers drew attention to the privacy breach, the data had already been copied and posted elsewhere. Several sites have been set up to allow general access to the search records.
The breach was not an isolated incident. "Data security is in shambles," says Beth Givens, director of the Privacy Rights Clearinghouse (PRC), which has posted a list of more than 150 serious data compromises so far in 2006. The breaches include lost bank backup tapes, hacking losses, stolen laptops, and releases of private information like AOL's. "This latest leak gives us a window into the sensitivity of search strings," Givens says. "We all use search engines and don't think about what someone could learn about the most sensitive aspects of our lives by studying what we search for over time."
"If companies can't protect this information, they shouldn't collect it," says Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC). Earlier this year, Google refused a Department of Justice request for collections of search terms, for which EPIC applauded the search giant. But Rotenberg argues that companies shouldn't store search strings at all, to avoid future subpoenas or data breaches. Ultimately, federal legislation may help bolster Internet security. "We need some new privacy laws," Rotenberg says, "because Net users shouldn't be left with the choice of giving up their privacy or turning off their computer, which is where they are today if they use an Internet search engine."