In case you missed it, AOL has been under the gun this week for releasing search data onto the Web that many thought could result in a serious privacy violation. Well, the thinking is over and the privacy violation has officially happened (probably with more to come). According to the New York Times, the identity of one of the 650,000 supposedly anonymous users that used AOL to conduct 21 million Internet searches has been gleaned from those searches. She's 62 year-old Thelma Arnold from Lilburn, GA. According to reporters Michael Barbaro and Tom Zeller (registration may be required):
Buried in a list of 20 million Web search queries collected by AOL and recently released on the Internet is user No. 4417749. The number was assigned by the company to protect the searcher’s anonymity, but it was not much of a shield.....Thelma Arnold’s identity was betrayed by AOL records of her Web searches...search by search, click by click, the identity of AOL user No. 4417749 became easier to discern....It did not take much investigating to follow that data trail to Thelma Arnold...she was shocked to hear that AOL had saved and published three months’ worth of them. "My goodness, it’s my whole personal life," she said. "I had no idea somebody was looking over my shoulder."....Asked about Ms. Arnold, an AOL spokesman, Andrew Weinstein, reiterated the company’s position that the data release was a mistake. “We apologize specifically to her,” he said. "There is not a whole lot we can do."
By now, members of the "plaintiffs' bar" are probably hounding Ms. Arnold while they furiously dig through the rest of AOL's data (which is still on the loose) to identify other members of "the class" which could land a large and substantive class action suit in AOL's lap. In case you don't know what the plaintiffs' bar is, I first learned of it when I asked in 2001 whether Microsoft can be held liable in any way for the many security transgressions against its customers (answer? No). The plaintiffs' bar is an informal group of lawyers that build entire practices out of finding people and businesses that have been wronged, and filing class action lawsuits on behalf of those plaintiffs. The targets of these suits typically have deep pockets. So, in response to Weinstein's comment that there isn't a whole lot that AOL can do, my guess is that some of the lawyers that have probably already called Ms. Arnold since the New York Times story came out have some ideas.
As a side note, the sort of data mining that allowed Ms. Arnold's identity to be discerned from supposedly anonymous data is exactly the outcome that privacy advocates were worried about when the Feds subpoenaed the major search companies for such data in the name of protecting children from pornography. The outcome in this case also directly contradicts what AOL officials said at the time of the Federal subpoena. In a post headlined Phone calls, e-mails, and now search data: Where will Bush stop? here's what I wrote back in January 2006:
....the Bush Administration has subpoenaed search giants AOL, Google, Microsoft, and Yahoo for a "random sampling" of the search data they keep as a result of the usage of their search engines....Google is digging in its heels and is the only one of the four to stand up to the US Department of Justice (DOJ) by refusing to comply altogether. Meanwhile, in the course of complying, the other search giants are claiming that they have not compromised the privacy of their users. An AOL official disputed the ACLU's account saying "We did not and would not comply with such a subpoena. We gave (the DOJ) a generic list of aggregate and anonymous search terms, and not results, from a roughly one day period."....
....Most US-based Internet users, for example, use the Internet on the assumption that a record of their behavior (whether it includes personally identifiable information or not) won't fall into government hands. Perhaps the most obvious question is "where does it end?" Does compliance with the DOJ's request set an ugly precedent that paves the way for the Feds to come back for a mile once they've taken an inch? Even if the data that Yahoo, Microsoft, and AOL turned over to the Feds was uncompromising in terms of privacy, with no particular criminal investigation taking place, what happens when the Feds see something they don't like? Can they just come back for more and take it?
In that post, I have some great quotes from Harvard Law School visiting professor (also a co-founder of Harvard's Berkman Center on Internet & Society and the Chairperson in Internet Governance and Regulation at Oxford University) Jonathan Zittrain. He talks about the precedents being set when handing such data over to the government, particular during a time when laws like the Patriot Act have significantly lowered the barrier to obtaining such data. Zittrain talks about those precedents in context of the Fourth Amendment which he says is the closest thing we have to a "privacy amendment."
The bottom line? It looks like the critics were right about how the identities of Internet users can be "calculated" from supposedly anonymous data. At the very least, hopefully, the AOL incident will give lawyers for companies like Google (which successfully resisted that subpoena), Yahoo, Microsoft, and AOL as well as the American Civil Liberties Union more firepower to interfere with any Federal requests for such data in the future.