Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
    Digg this story   Add to  
AOL search data identified individuals
Published: 2006-08-09

After AOL mistakenly posted 20 million search queries, it has become evident that search data alone is enough to easily identify certain individuals.

The mistake, which AOL apologized for, revealed the three month search histories of 658,000 users -- a tiny subset of all AOL searches during that period. While an AOL spokesperson was quoted as saying, "there was no personally-identifiable data linked to these accounts," the reality of this invasion of privacy is in fact much more telling.

The New York Times combed through some of the search results to discover user 4417749, whose search terms included, "homes sold in shadow lake subdivision gwinnett county georgia" along with several people with the last name of Arnold. This was enough to reveal the identity of user 4417749 as Thelma Arnold, a 62-year-old woman living in Georgia. Of the 20 million search histories posted, it is believed there are many more such cases where individuals can be identified.

While AOL quickly removed the posting, which contains 36,389,567 lines of data, at the time of this writing the information was still readily available -- mirrored through numerous websites and file sharing networks including BitTorrent.

Contrary to AOL's statements about no personally-identifiable information, the real data reveals some shocking search queries. Some researchers combing through the data have claimed to have discovered over 100 social security numbers, dozens or hundreds of credit card numbers, and the full names, addresses and dates of birth of various users who entered these terms as search queries.

The incident brings to light the major privacy and security issues at stake with public search engine histories. But in fact a public posting of a tiny fraction of search histories by AOL only scratches the surface of the privacy issues. Renowned legal expert Mark Rasch has previously written about the dangers of search histories available to government and law enforcement officials by subpoena, as well as the subpoena of access logs from ISPs and search engine companies.

Following the AOL leak, the World Privacy Forum filed a complaint with the FTC (PDF), raising major privacy issues and alleging that AOL violated its own privacy policy.

The extent to which search engine queries alone can reveal one's identity should be an eye-opener to individuals and privacy advocates alike.

Posted by: Kelly Martin
    Digg this story   Add to  
Comments Mode:


Privacy Statement
Copyright 2009, SecurityFocus