AOL can finally close the chapter on one of the worst privacy breaches of the last decade: the company's decision to publicly release users' search queries.
U.S. District Court Judge Claude Hilton in Alexandria, Va. late last month approved a deal that calls for the company to pay around $5 million to settle a class-action lawsuit over the data breach. The decision to accept the settlement marks an end to litigation over the 2006 “Data Valdez” -- which occurred when employees at AOL posted three months' worth of search queries from 650,000 members.
The AOL employees posted the data for research purposes, and took steps to "anonymize" the members. But those measures weren't enough to keep people's identities private. On the contrary, some researchers and reporters were able to identify specific AOL members based on the patterns in their search queries. Most famously, within days of the data dump, The New York Timesidentified and profiled AOL user Thelma Arnold.
The data was available for several weeks on research.aol.com before the company realized the privacy implications and pulled the material. But by then, it had been downloaded by others and made available on mirror sites.
The decision to release the data didn't just cast a bad light on AOL. It demonstrated that supposedly "anonymous" information isn't always anonymous after all.
It also highlighted the dangers in preserving detailed data about individuals. Any company that keeps that kind of data can suffer a breach. In this case, the breach was intentional -- the result of a decision by overzealous researchers who were so eager to glean insights from data that they didn't consider the potential privacy consequences. But there's no reason why this type of breach can't happen accidentally, even when companies have policies aimed at preventing it.
That's one reason why consumer advocates would like to see companies adopt fair information principles, including ones that would stop companies from retaining data for longer than needed.
The specifics of the settlement require AOL to pay up to $100 to people who were members between March and May of 2006, and who believe they were identified based on their search queries. If people who were identified think they should receive more than $100 in compensation, they can seek a higher award from an arbitrator. The company also will pay up to $50 to members who believe in good faith that their queries were included in the public release.
It's not known how many AOL members will submit claims, given that many users have no idea whether their search queries were publicly released. The settlement notice itself states there is no way for people to determine whether their data was published, based on their usernames.
This is shocking but sadly unsurprising. $5M is an insignificant payment for this serious disregard of consumer privacy and sets a terrible precedent. Companies will never take privacy seriously until their casual disregard for people's lives and data significantly hits the company's bottom line.