In the summer of 2006, AOL publicly released three months worth of search data for 650,000 users. The incident, now known as "Data Valdez," was seen as one of the biggest online privacy breaches to
date. It was also one of the most shocking in that it was intentional; an employee thought it would be a good idea to make the data available to researchers.
As it turns out, however, Data
Valdez might have had a silver lining for privacy advocates. It provided a vivid example of how easily people could be identified based solely on their online behavior. Even though the users' actual
IP addresses had been "anonymized," simply examining all of the queries tied to particular users yielded clues to their identities. The most famous example is Thelma Arnold, who was profiled in The New York Times within days of the data breach.
The Federal Trade
Commission certainly hasn't forgotten about it. "Many consumers reacted strongly to the AOL incident," the FTC said in its new report about behavioral targeting. "Upon learning that the data had been posted online, these consumers expressed surprise and concern
that the company stored data about their online activities -- and stored it in a way that allowed the data to be associated, at least in some cases, with particular individuals."
The FTC
went on to cite the incident as a reason why it doesn't necessarily make sense to have different privacy standards for "personally identifiable information," like names and addresses, and supposedly
anonymous information, like clickstream data. "In the context of online behavioral advertising," the report stated, "the traditional notion of what constitutes PII versus non-PII is becoming less and
less meaningful and should not, by itself, determine the protections provided for consumer data."