In separate filings, the Electronic Frontier Foundation and the World Privacy Forum have asked the Federal Trade Commission to investigate AOL’s release earlier this month of search term queries that had been made by 650,000 of its users over a three-month period. “This release was a violation of section 5 of The FTC Act,” Pam Dixon, president of the World Privacy Forum, told the E-Commerce Times.
AOL has apologized for the release of this data on its public research page, explaining that the data had been posted unintentionally. While the search terms were not correlated to specific names or user IDs, many of them did reveal enough personal data to make identification easy. Also, AOL organized the search terms using the same numeric ID for each request a particular user made.
The organizations have also asked that AOL notify users of the query release who can be identified through their search requests, and provide them with credit monitoring insurance for a year.
Andrew Weinstein, a spokesperson for AOL, told the E-Commerce Times that AOL is unable to contact the users who may have been impacted by this issue. “We have no way of telling which accounts were included in the data,” he said in an e-mail statement. “We cannot unscramble, or decode, which identifier is attached to which account, and thus we have no way of knowing which accounts were involved.”
The World Privacy Forum maintains in its filing to the FTC that AOL has released users’ search data before, when similar data was provided to the Illinois Institute of Technology in 2004.
It is not surprising to find a research organization in possession of such data. Indeed, AOL and other search engine providers have disclosed their practices of providing search query data to research organizations like the Illinois Institute of Technology in their privacy policies. However, the World Privacy Forum’s filing indicates that this data is available simply upon request.
It is unclear from the IIT’s Web page what guidance or controls have been established to ensure that its data is released only to researchers, and not the general public.
According to the IIT’s Web page, the data at the heart of the World Privacy Forum suit consists of 20,000 Web queries randomly sampled from AOL Search data. The WPF’s Dixon said the group has not requested this information and is unsure whether it is organized the same way it was in AOL’s more recent query data release.
AOL declined to comment on this aspect of the filing to the FTC.
The IIT did not respond to a request for comment in time for publication, and an e-mail sent to an address included in the World Privacy Forum’s court filing also went unanswered.