Wednesday, August 30, 2006

AT&T Loses Customer Credit Card Info to Hackers


AT&T has been targeted by hackers hitting the DSL products store looking for customer credit card data. The hackers successfully accessed the store database for 19,000 customer credit card numbers and card owner information. The standard line, issued by most victims of hacking attacks, was also offered by AT&T when they offered the limp statement,
"The company is notifying customers by e-mail, phone and letter. So far, there is no indication that the hackers have used the financial information fraudulently... We deeply regret this incident and we intend to pay for credit monitoring services for customers whose accounts have been impacted."
Paying for credit monitoring services is far from sufficient if anything is discovered while monitoring. It's the actual financial damage done by bad guy identity thieves that matters and all companies that hold customer financial data should pay for restitution - in ADDITION to credit monitoring.

posted by RealitySEO at 8:00 AM 0 comments

Saturday, August 26, 2006

AOL Employees Fired, CTO Resigns Over Privacy Leak


The following is from the August 25, 2006 Electronic Privacy Information Center "EPIC Alert" -

AOL's Chief Technology Officer has resigned and two staff have been fired two weeks after researchers released the search terms used by 650,000 users of AOL's search engine over a three month period. The data includes a unique identifier for each user, the terms searched for, the time and date of the search, and the result the user clicked on. It was intended to be a tool for researchers trying to design better search engines.

While AOL initially claimed the search data had been anonymized, since the users' names had been replaced with numeric identifiers, many of the search terms included personally identifiable information such as names, addresses, and even e-mail messages. This often makes the correlation of a user's search results with the user's real identity possible. For instance, the New York Times was able to identify user 4417749 as Thelma Arnold of Lilburn, Georgia. Her searches included queries about medical conditions of some of her friends. She also searched for landscapers in her area and other interests like traveling. Other users in the disclosed data searched for a wide range of topics, including relationship advice, escort services, and other personal queries.

Because a user is consistently identified by an identifying number, the user's searches can be seen over time covering a variety of subjects, and connections can be drawn between queries. As the New York Times found, multiple queries can be used to narrow down the identity of a searcher even without directly personally identifiable information being given. However, many users apparently entered personally identifiable information into their searches, including credit card and Social Security numbers.

AOL quickly took the data off its web site and later apologized, but other people who had downloaded the data have made it available. AOL has said it will review its privacy policies to prevent future disclosures like this one, but it and other major search engines plan to continue recording users' search terms.

The breach has led to calls for the Federal Trade Commission to investigate AOL for unfair and deceptive trade practices, since AOL's privacy policy states that personal information and search queries would not be disclosed without user consent. AOL's breach of information would also likely trigger the security breach laws of many states, requiring AOL to notify those customers whose information has been published.

World Privacy Forum's FTC Complaint (pdf)
Electronic Frontier Foundation's FTC Complaint (pdf)
World Privacy Forum Search Privacy Tips

END OF EPIC Alert

Few are interested in this story in the blogosphere. It is very limited and very short-lived after each privacy gaffe. The press cares, comedians care. This Stephen Colbert Video went viral after the leak episode was discussed by the comedian. Yet there are no cries of outrage to politicians and few laws enacted to prevent further leaks and "Ooops!" moments by careless corporations.

posted by RealitySEO at 9:36 AM 0 comments
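
The EPIC Alert in the post above describes two exposure paths in a "pseudonymized" query log: direct identifiers typed into queries, and linkage of many queries under one stable numeric ID. The following Python sketch of a pre-release audit for such a log is an added example, not code from EPIC, AOL or this blog; the sample rows, function names and patterns are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample rows (pseudonymous_id, query); not from the AOL release.
SAMPLE_LOG = [
    (1001, "landscapers in springfield"),
    (1001, "jane doe springfield"),
    (1001, "numb fingers"),
    (1002, "cheap flights"),
    (1002, "4111 1111 1111 1111 charge dispute"),  # well-known test card number
    (1003, "my ssn 000-12-3456 stolen"),           # area 000 is never issued
    (1003, "email someone@example.com"),
    (1004, "weather"),
]

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum: filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def direct_identifiers(query):
    """Return the kinds of direct identifier found in one query string."""
    found = set()
    if EMAIL_RE.search(query):
        found.add("email")
    if SSN_RE.search(query):
        found.add("ssn")
    for m in CARD_RE.finditer(query):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("card")
    return found

def audit(log):
    """Per pseudonymous ID: how many queries are linked, and which identifier kinds appear."""
    per_user = defaultdict(list)
    for uid, query in log:
        per_user[uid].append(query)
    report = {}
    for uid, queries in per_user.items():
        kinds = set().union(*(direct_identifiers(q) for q in queries))
        report[uid] = {"linked_queries": len(queries), "identifiers": sorted(kinds)}
    return report

def release_blockers(log):
    """IDs whose linked history contains at least one direct identifier."""
    return sorted(uid for uid, r in audit(log).items() if r["identifiers"])
```

ID 1001 passes the pattern scan yet still links a name, a town and a health query under one number, which is the kind of history the New York Times used; a pattern scan alone therefore does not make such a log safe to publish while the stable ID is kept.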

Wednesday, August 23, 2006

Search Engine Privacy Dilemmas - Paths Toward Solutions


This NYT story neatly encapsulates the overall state of search engine query data retention issues.

The observant reader will note that despite the rising tide of concerns regarding search query privacy, the industry as a whole is still pretty much in a state of denial, made all the more confusing by various signals from the U.S. Department of Justice.

This is turning into such a mess that it's becoming difficult to even keep the various participants and their positions completely clear. There is every reason to believe that without heroic action by the players involved, we may be heading toward a privacy, legislative, and judicial nightmare. But maybe there's a way out.

Let's review:

AOL's release of search query data made obvious to everyone what many of us knew all along -- that such data contains all manner of personal information, even when the identity of the party making the query is not immediately known directly from usage logs. In the AOL case, the individual query entries were linked by "anonymized" user IDs, but even without such linkages the query items alone can be highly privacy-invasive. The AOL release triggered (as did DOJ vs. Google) broad calls for mandated search query data destruction policies.

The personal nature of the AOL query data serves nicely to liquidate the DOJ's arguments (again, as in DOJ vs. Google) that such data is not privacy-invasive so long as the query source is unidentified. The expressed DOJ reasoning in this regard is obviously faulty.

Search engine companies have been reluctant to voluntarily dispose of query data on a regular basis. This data has considerable R&D, marketing, and other value. Since the incremental cost of keeping all queries archived forever is so low, there is little incentive within the normal business structure to dispose of this resource, absent overriding considerations.

Even while laudably expressing concerns about the potential for third-party misuse of query data, search engine firms (e.g. Google) have proclaimed their intention to keep collecting and saving this data indefinitely. If AOL actually sets in place an aggressive data destruction schedule, it will be something of a watershed event that may (or may not) have broad impacts across the search engine industry. Fears of being placed at a competitive disadvantage will tend to make unilateral moves toward query data destruction difficult to propose or implement.

Meanwhile, DOJ is moving in exactly the opposite direction, apparently preparing to propose long-term (perhaps measured in years) mandated data retention schedules, requiring the saving of the very data for which destruction demands are being made in other quarters. DOJ is using child abuse (and as of late anti-terrorism efforts) as their hooks to justify such legislation.

This situation has all the elements of a painful and wasteful deadlock, potentially triggering years of litigation while the overall search engine issues continue to fester and become even bigger privacy, business, and political problems.

If we wish to avoid this scenario -- or at least have a good shot of avoiding it -- we need to act now, and we need to do so cooperatively. There are policy and technological approaches to the search query dilemma that can be applied in ways that will serve the interests of all stakeholders. Cooperation and compromise mean that nobody is likely to get everything that they'd ideally want, but to paraphrase the great philosopher Mick Jagger, perhaps we can all get much of what we need.

Therefore, I propose the formation of a high-level Internet working group/consortium dedicated specifically to the cooperative discussion of these issues and the formulation of possible policy and technology constructs that can be applied toward their amelioration. Such a working group would be as open as possible, though proprietary concerns would likely necessitate some closed aspects if progress is to be accelerated as much as possible.

Participation by all stakeholders would be invited. Representatives of the major search engine firms and concerned government agencies, outside technologists and other persons involved in privacy and search issues, and other entities as appropriate would all play important roles.

Of course, it's easy -- especially for large corporate enterprises -- to simply ignore such efforts and just plow ahead independently. Obviously, without the participation of the key players, the effort that I'm proposing would be useless, and I will not continue to promote it if that situation ensues.

However, I suggest that it will be in the long-term best interests, both financially and in terms of corporate and organizational responsibility, for major stakeholders to actively join such a project, since the alternative seems ever more likely to be somewhere between highly disruptive and extremely draconian.

Interested? Please let me know. All responses will be treated as confidential unless the sender indicates otherwise.

Thank you for your consideration.

--Lauren-

Lauren Weinstein lauren@vortex.com or lauren@pfir.org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR - People For Internet Responsibility
Co-Founder, IOIC - International Open Internet Coalition
Moderator, PRIVACY Forum
Member, ACM Committee on Computers and Public Policy
Lauren's Blog
DayThink

Please Contact Lauren Directly at the above numbers if you'd like to participate or comment on the above proposal.


posted by RealitySEO at 9:05 AM 1 comments

Thursday, August 17, 2006

Stop Search Engines Tracking Search Data


AOL, the fourth most popular search engine, recently released search queries of 650,000 AOL subscribers on the Internet. Though AOL now says that it was a mistake and quickly removed the search data from their website, mirror copies of AOL search terms continue to be available across the web.

It is a universal truth that all search engines, including Yahoo, Google and MSN, retain search data of their users which can easily give a clue about the person's identity and a glimpse into his mind and online activity.

Though it is highly unlikely that Google users will ever come across this "AOL Data Spill" like embarrassing situation, the possibility cannot be ruled out completely especially after Eric Schmidt's remark that ".. this sort of thing would not happen at Google although you can never say never."

If you are worried that some day Google, by mistake, might disclose your private search terms into public internet domain, try some of the following suggestions that may fool the search engine or give it a hard time recognizing you.

The background is that when you perform a search on Google, the site search logs keep a record of your computer IP address, cookie ID and the search query terms. Google may also track your clicks on the search results by rewriting the destination URL. So we will look at possible ways to manipulate each of these pieces of information:

1. Disallow Google to Store Cookies - The important thing is that it doesn't suffice blocking cookies from just google.com domain, you must also block cookies from google site in your country.

For example, in India, one would block google.com and google.co.in - This is because Google redirects you to your local country page when you type in google.com in the browser address bar.

To block cookies, open the Cookie blocking dialog in your browser, type the site url and click disallow or block.

IE: Click Tools->Internet Options->Privacy->Sites
Firefox: Click Tools->Options->Privacy->Cookies->Exceptions

Remember that Google Personalized Search History won't work after you disable cookies from Google.com. Also, you may have to type the user name and password of other Google services like each time you have to login since cookies are disabled and you won't be automatically logged in.

2. Use Scandoo - Scandoo is a wonderful wrapper written around search engines that warns you of malicious websites in search results. Now the good part is that Scandoo can help you search Google, Yahoo or MSN without disclosing your actual geographic location (or IP Address) to the search engine.

Scandoo interface remains invisible to the end user and one would feel that he is searching via Google itself. [Scandoo Google, Scandoo IE Toolbar]

3. Download HideMyIp software - Your IP address is one big link between your search queries. You would be lucky if your ISP provides you a dynamic IP address that changes frequently but if you are stuck with a static IP, you can still hide it with Hide MyIP address software.

HideMyIP conceals your real IP address and shows a fake IP with a hostname to the sites that you visit. You can set Hide-My-IP to change your IP address every minute. [Download Hide-My-IP.com]

4. Download CustomizeGoogle for Firefox - If you Google using Firefox, this is a highly recommended extension that completely enhances your Googling experience. It can help remove Google Ads, anonymize your Google userid, remove click tracking or filter Google search results. [Install CustomizeGoogle]

5. Block cookies from Yahoo, Google and MSN. Then use Dogpile.com for searching these three search engines simultaneously. [Dogpile Search]

6. Block Google from Tracking Your Clicks

7. Don't use Google or Yahoo to search the web as they will store your entire trail of activity on their servers. Try Clusty.com or Ixquick.com which do not save users' search data. Clusty is a meta search engine based on Vivisimo clustered search - It queries several top search engines, combines the results, and generates an ordered list based on comparative ranking.

8. Finally, you can try Scroogle Google Scraper, a search wrapper around Google (and Yahoo) search that lets you anonymously search Google and promises not to maintain your search query terms. [Google Scroogle]


Amit Agarwal is a technology writer and professional blogger. He writes for Digital Inspiration and also runs a business weblog consulting company. Some of his writings are quoted in The Wall Street Journal, MSNBC, CNN Money.com, CNet, MSN, Yahoo News, IDGNews, Computer World, Motley Fool, InformIt and Slashdot. Amit provides one-to-one professional consulting to both companies and professionals and specializes in technical writing, e-learning, blog publishing, reviewing new software and web services, search technologies, and online monetization opportunities for small and large content publishers.

posted by RealitySEO at 9:55 AM 2 comments

Monday, August 14, 2006

AOL Privacy Breach of Search Queries Exposes Users


* EFF Demands FTC Investigation and Privacy Reform After AOL Data Release

Internet Company's Publication of Search Logs Exposes Customers' Private Lives

San Francisco - The Electronic Frontier Foundation (EFF) will ask the Federal Trade Commission (FTC) today to investigate America Online (AOL) and require changes in its privacy practices, after the company recently released search history logs that exposed the private lives of more than a half-million of its customers.

Last week, news reports revealed that AOL published to the Internet three months of search queries from about 650,000 users. In its complaint, EFF argues that the release of this data violated AOL's privacy policy and the Federal Trade Commission Act and should be investigated. EFF further requests that the FTC require AOL to notify customers affected by the disclosure and to stop logging search data except when absolutely necessary.

"Search terms can expose the most intimate details of a person's life -- private information about your family problems, your medical history, your financial situation, your political and religious beliefs, your sexual preferences, and much more," said EFF Staff Attorney Marcia Hofmann. "At the very least, AOL should notify every customer whose privacy has been jeopardized by the company's careless handling of this incredibly private information, and AOL should not store this kind of data in the future when it doesn't have to."

While AOL has removed the data from its own web site, the data is still freely available from other sites on the Internet. And although specific AOL screen names were not released, the data is associated with unique ID numbers, allowing each user's search terms to be grouped together. Whether because of users' searches for their own names or MySpace profiles, or searches related to their cities and neighborhoods, these search histories can expose -- and in some cases, already have exposed -- particular users' private searches to the world. In support of its complaint, EFF will confidentially submit examples of search queries containing personally identifiable information and search histories that could likely be tied to particular AOL subscribers.

"We're asking the FTC to make sure that AOL rectifies the damage that's been done and improve its privacy protections for the future," said EFF Staff Attorney Kevin Bankston. "But this problem isn't limited to AOL -- every search company stores this kind of data. Hopefully, AOL's shocking violation of its users' privacy will spur Congress to clarify that the same law that prevents these companies from disclosing our personal emails also applies to our search logs."

The FTC complaint will be made available here

posted by RealitySEO at 10:22 AM 0 comments

Friday, August 11, 2006

AOL Leaks User Search Data


New AOL Privacy Leak

posted by RealitySEO at 4:15 PM 0 comments