[ISN] SCREWED! the AOL search history DB snafu

From: InfoSec News (alerts@private)
Date: Thu Aug 17 2006 - 22:39:48 PDT


http://attrition.org/news/content/06-08-16.001.html

Wed Aug 16 19:15:24 EDT 2006
martums

You kissed your privacy goodbye a long time ago, right?

From Wikipedia:

     On August 4th, 2006, AOL released a compressed text file on one
of its websites containing twenty million search keywords for over
650,000 users over a 3-month period, intended for research purposes.
AOL pulled the file from public access by the 7th, but not before it
had been mirrored, P2P-shared and seeded via BitTorrent. News filtered
down to the blogosphere and popular tech sites such as Digg and Wired
News.

     Whilst none of the records on the file are personally
identifiable per se, certain keywords contain personally identifiable
information [1] by means of the user typing in their own name
(ego-searching), as well as their address, social security number or
by other means. Each user is identified on this list by a unique
sequential key, which enables the compilation of a user's search
history.

     AOL acknowledged it was a mistake and removed the data, although
the files can still be downloaded from mirror sites. Additionally,
several searchable databases of the report also exist on the internet.
[2]

Mistake? If betraying the trust of 2/3 of a million subscribers equals
a mistake, how do they define catastrophe?

Apart from the obvious PR quagmire that AOL now finds itself in, and
the painful regret (or torn anus) that AOL users may be feeling (and
should have been feeling since they signed up </rant>), the long-term
impact is immeasurable. Their stock is falling [3]. They're giving
away BYOA accounts [4] (they'd have to at this point), a move which
may cost Time Warner over a billion dollars by 2009. [5] They're
facing penalties, fines, not to mention lawsuits. [6] If there's a
bottom for any business to hit, they're very close.  [7]

They should take a cue from ValuJet and change their name (again).
[8, 9]

AOL states they keep 30 days of user-identifiable search history, and
that a research division may keep three months or more of search
history, but not associated with specific accounts (the latter echoes
what was released on 4 August). Google has already stated they will
continue to store search queries and related info, and that they won't
make the same mistake AOL did. [10, 11] Predictably, Yahoo! Search!
will! do! the! same! Considering the staggering amount of
infrastructure Google possesses (Great Caesar's Ghost--Google has an
estimated four PB of RAM alone), their data retention capabilities far
exceed the 90 days of history AOL retains for research purposes.
[12, 13]

That search you did recently for Paris' poodle porn may come back to
haunt you.  Even though you were just doing it for a friend.

[...]
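Added example, not part of the post or of the Wikipedia text it quotes: a Python pre-release check over a constructed log in the shape the excerpt describes (a stable per-user key plus free-text queries). It shows that the key alone is enough to compile a user's full history, and that one self-identifying query then exposes every other query linked to that key. The column layout, sample rows and detection patterns are assumptions made for this example.

```python
import re
from collections import defaultdict
# Constructed sample (not the AOL file): key<TAB>query<TAB>timestamp, with a
# per-user key that is stable across records, the property the excerpt warns about.
SAMPLE_LOG = """\
1001\tjane q public\t2006-03-01 10:15:00
1001\t42 maple street apt 3\t2006-03-02 08:01:00
1001\thow to hide a medical bill\t2006-03-04 19:30:00
1002\tweather forecast\t2006-03-01 09:00:00
1002\tis 123-45-6789 my ssn leaked\t2006-03-03 11:45:00
1003\tlinux kernel changelog\t2006-03-05 12:00:00
"""

# Heuristics for query text that directly identifies the searcher; a review aid,
# not an exhaustive PII detector (a bare name like "jane q public" is not caught).
IDENTIFYING_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "street_address": re.compile(
        r"\b\d{1,5}\s+\w+\s+(?:street|st|avenue|ave|road|rd|lane|ln)\b", re.I),
}

def parse_log(text):
    rows = (line.split("\t") for line in text.splitlines())
    return [{"key": k, "query": q, "time": t} for k, q, t in rows]

def compile_histories(records):
    """Group by the stable key: every query a user made, in time order."""
    histories = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):
        histories[rec["key"]].append(rec["query"])
    return dict(histories)

def flag_identifying_queries(records):
    """Return (key, query, pattern_name) for queries that name the user."""
    flagged = []
    for rec in records:
        for name, pattern in IDENTIFYING_PATTERNS.items():
            if pattern.search(rec["query"]):
                flagged.append((rec["key"], rec["query"], name))
                break
    return flagged

def release_check(text):
    """Once one query identifies a user, the stable key links all their queries."""
    records = parse_log(text)
    histories = compile_histories(records)
    flagged = flag_identifying_queries(records)
    tainted = {key for key, _, _ in flagged}
    return {"flagged": flagged, "longest_history": max(map(len, histories.values())),
            "exposed_queries": sum(len(histories[k]) for k in tainted)}
```

In the sample, the two flagged queries belong to users whose histories total five queries, so five records (including the unrelated medical one) become attributable to a named person even though only two lines contain anything that looks like PII.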

