AOL can finally close the chapter on one of the worst privacy breaches of the last decade: the company's decision to publicly release users' search queries.
U.S. District Court Judge Claude
Hilton in Alexandria, Va. late last month approved a deal that calls for the company to pay around $5 million to settle a class-action lawsuit over the data breach. The decision to accept the
settlement marks an end to litigation over the 2006 “Data Valdez” -- which occurred when employees at AOL posted three months' worth of search queries from 650,000 members.
The AOL
employees posted the data for research purposes, and took steps to "anonymize" the members. But those measures weren't enough to keep people's identities private. On the contrary, some researchers and
reporters were able to identify specific AOL members based on the patterns in their search queries. Most famously, within days of the data dump, The New York Timesidentified and profiled AOL user Thelma Arnold.
The data was available for several
weeks on research.aol.com before the company realized the privacy implications and pulled the material. But by then, it had been downloaded by others and made available on mirror sites.
The
decision to release the data didn't just cast a bad light on AOL. It demonstrated that supposedly "anonymous" information isn't always anonymous after all.
It also highlighted the dangers in
preserving detailed data about individuals. Any company that keeps that kind of data can suffer a breach. In this case, the breach was intentional -- the result of a decision by overzealous
researchers who were so eager to glean insights from data that they didn't consider the potential privacy consequences. But there's no reason why this type of breach can't happen accidentally, even
when companies have policies aimed at preventing it.
That's one reason why consumer advocates would like to see companies adopt fair information principles, including ones that would stop
companies from retaining data for longer than needed.
The specifics of the settlement require AOL to pay up to $100 to people who were members between March and May
of 2006, and who believe they were identified based on their search queries. If people who were identified think they should receive more than $100 in compensation, they can seek a higher award from
an arbitrator. The company also will pay up to $50 to members who believe in good faith that their queries were included in the public release.
It's not known how many AOL members will submit
claims, given that many users have no idea whether their search queries were publicly released. The settlement notice itself states there is no way for people to determine whether their data was
published, based on their usernames.