Commentary

FTC Remembers The Data Valdez

In the summer of 2006, AOL publicly released three months' worth of search data for 650,000 users. The incident, now known as "Data Valdez," was seen as one of the biggest online privacy breaches to date. It was also one of the most shocking in that it was intentional; an employee thought it would be a good idea to make the data available to researchers.

As it turns out, however, Data Valdez might have had a silver lining for privacy advocates. It provided a vivid example of how easily people could be identified based solely on their online behavior. Even though the users' actual IP addresses had been "anonymized," simply examining all of the queries tied to particular users yielded clues to their identities. The most famous example is Thelma Arnold, who was profiled in The New York Times within days of the data breach.

The Federal Trade Commission certainly hasn't forgotten about it. "Many consumers reacted strongly to the AOL incident," the FTC said in its new report about behavioral targeting. "Upon learning that the data had been posted online, these consumers expressed surprise and concern that the company stored data about their online activities -- and stored it in a way that allowed the data to be associated, at least in some cases, with particular individuals."

The FTC went on to cite the incident as a reason why it doesn't necessarily make sense to have different privacy standards for "personally identifiable information," like names and addresses, and supposedly anonymous information, like clickstream data. "In the context of online behavioral advertising," the report stated, "the traditional notion of what constitutes PII versus non-PII is becoming less and less meaningful and should not, by itself, determine the protections provided for consumer data."

2 comments about "FTC Remembers The Data Valdez".
  1. Brian LoCicero from Kantar, February 13, 2009 at 5 p.m.

    ..and here we sit 2.5 years later and more people are posting personally identifiable information, regrettable pictures and comments in droves on social networks such as Facebook, MySpace, LinkedIn and Twitter.

    Are we REALLY concerned with personal information tracking of our searches when one can get more "sensitive" info about someone via many other means?

    I'm not saying we SHOULDN'T be concerned, but isn't it time for a reality check on all of this since Web 2.0/Mobile Apps/life are moving _much_ faster than the FTC can think?

  2. Donna Zelzer from Midwifery Today, February 13, 2009 at 5:25 p.m.

    There's a difference between tracking searches and posting something online.

    When I post something to Facebook, my blog, or wherever, I know it will be seen (and I don't post anything I don't want the world to see).

    Making a search, however, is private. What I type into that search box is no one's business but mine and I don't expect to have someone put together a profile of me based on the searches I did.
