And the description from the website where you can view them all:

August 4, 2006, the personal search queries of 650,000 AOL (America Online) users accidentally ended up on the Internet, for all to see. These search queries were entered in AOL’s search engine over a three-month period. After three days AOL realized their blunder and removed the data from their site, but the sensitive private data had already leaked to several other sites.

I love Alaska tells the story of one of those AOL users. We get to know a religious middle-aged woman from Houston, Texas, who spends her days at home behind her TV and computer. Her unique style of phrasing combined with her putting her ideas, convictions and obsessions into AOL’s search engine,  turn her personal story into a disconcerting novel of sorts.

Over a period of three months, a portrait of a woman emerges who is diligently searching for likeminded souls. The list of her search queries read aloud by a voice-over reads like a revealing character study of a somewhat obese middle-aged lady in her menopause, who is looking for a way to rejuvenate her sex life. In the end, when she cheats on her husband with a man she met online, her life seems to crumble around her. She regrets her deceit, admits to her Internet addiction and dreams of a new life in Alaska.

Note, however, that the data release wasn’t “accidental.” AOL released the data to aid research in how people use search engines. Their mistake was insufficient anonymization of the data.

(Another update: I’m pretty sure the “anonymous, Northeastern university” from where this dataset was derived is Harvard College. Details here)

A group of researchers have released a dataset of Facebook profile information from a group of college students for research purposes, which I know a lot of people will find quite valuable. (Thanks to Fred Stutzman for bringing it to my attention.)

Here is the description from the Berkman Center’s announcement:

The dataset comprises machine-readable files of virtually all the information posted on approximately 1,700 FB profiles by an entire cohort of students at an anonymous, northeastern American university. Profiles were sampled at one-year intervals, beginning in 2006. This first wave covers first-year profiles, and three additional waves of data will be added over time, one for each year of the cohort’s college career.

Though friendships outside the cohort are not part of the data, this snapshot of an entire class over its four years in college, including supplementary information about where students lived on campus, makes it possible to pose diverse questions about the relationships between social networks, online and offline.

Access to the dataset requires the submission of a research statement (which I haven’t yet done), but the codebook is publicly-available.

Of course, this sounds like an AOL-search-data-release-style privacy disaster waiting to happen. Recognizing this, the researchers detail some of the steps they’ve taken to try to protect the privacy of the subjects, including:

• All identifying information was deleted or encoded immediately after the data were downloaded.
• The roster of student names and identification numbers is maintained on a secure local server accessible only by the authors of this study. This roster will be destroyed immediately after the last wave of data is processed.
• The complete set of cultural taste labels provides a kind of “cultural fingerprint” for many students, and so these labels will be released only after a substantial delay in order to ensure that students’ identities remain anonymous.
• In order to access any part of the dataset, prospective users must read and electronically sign the user agreement reproduced below.

Let’s consider each one of these in order:

First, as the AOL debacle taught us, one might think “all identifying information” has been deleted, but often random bits of our data trail that alone seem anonymous can be pieced together, possibly exposing clues to our identity. The fact that the dataset includes each subjects’ gender, race, ethnicity, hometown state, and major makes it increasingly possibility that individuals could be identified. For example, if the data reveals that student #746 is a white Bulgarian male from Montana, majoring in East Asian Studies, there probably aren’t that many who fit such a description. Unlikely, but not bullet-proof.

Second, the researchers take good measures by keeping the master roster on a secure server and promising to destroy it once all the datasets have been released, in 2011. One hopes this remains secure until then.

Third, the researchers are right to recognize how a person’s unique set of cultural tastes could easily identifer her. But merely instituting a “substantial delay” before releasing this personal data does little to mitigate the privacy fears…it only delays them. Researchers routinely rely on datasets for years (some search engine studies are still using datasets from 1997!). Do they think that once a person graduates, she no longer might be harmed by her potential identification in such a dataset? Delaying the release of this data to 2011 is not only arbitrary, but much too short. A better tactic would be to gain the consent of the subject before releasing the data, or simply not releasing it at all to provide the fullest privacy protection of the subjects.

Fourth, requiring a user agreement and terms of use is a nice step.  Clearly, the researchers understand the potential harms that the dataset represents, since the agreement is full of requirements to not use the data to try to identify individuals (in fact, there are so many points on this, one fears the possibility might be all too real). Unfortunately, however, we’re all too familiar with clickwrap agreements, and most users won’t bother read the terms (and it is uncertain how they would be enforceable).

All told, good steps are being taken to address the privacy of the subjects in the dataset, but more could be done. We’ll wait to see if anyone does become identified within the data.

But one more thing…

Since I first saw the press release for this dataset, I’ve been bothered by the description of the date as “approximately 1,700 FB profiles by an entire cohort of students at an anonymous, northeastern American university.”

Right off the bat, the source university loses full anonymity since it is identified as being in the northeastern US. Further, according to the codebook, this is a private, co-ed institution, whose class of 2009 initially had 1640 students in it.

A quick search for schools reveals there are only 7 private, co-ed colleges in New England states (CT , ME , MA , NH , RI , VT ) with total undergraduate populations between 5000 and 7500 students (a likely range if there were 1640 in the 2006 freshman class): Tufts University, Suffolk University, Yale University, University of Hartford, Quinnipiac University, Brown University, and Harvard College. (The total bumps up to about 18 if we include NY and NJ)

Is one of these the source?

This might prove easy to discover, given the uniqueness of some of the subjects. Based on the codebook, the dataset includes only one self-identified Albanian, one Iranian, one Malaysian, one Nepali, and other solitary ethnicities. If we can isolate one of these people in the dataset, combined with the subject’s gender, home state, and major, it probably wouldn’t be that hard to discover who it is. (Same with the fact there is only one Folklore major, or one Slavic Studies major, etc.) Keying off these unique data elements will provide a possible path to identifying the school, and potentially many more individuals in the dataset.

This would have been much harder if I didn’t know it was a private school in the northeast us. Or if they took a random sample of the dataset, and didn’t tell me that actual number of students in the cohort.

Again, time will tell if this gets cracked.

I do feel the need to react to some of the arguments made by Kaufman and Halavais. They both seem to suggest that while the data might lead to the identification of some of the subjects, that these Facebook users don’t have an expectation (or a right) to privacy since they made this information public in the first place.

Kaufman remarks:

What might hackers want to do with this information, assuming they could crack the data and ’see’ these people’s Facebook info? Couldn’t they do this just as easily via Facebook itself? Our dataset contains almost no information that isn’t on Facebook. (Privacy filters obviously aren’t much of an obstacle to those who want to get around them.)

And Halavais notes:

The data is already there, this is merely (!) the collection of that data. Or to put it another way, AOL users presumed that no one was watching, but this is very different from Facebook users who are intending to share with someone (if not the researchers).

We see these kinds of arguments all the time: you have no expectation of privacy with public records, or if you’re on the public roads, you can’t expect privacy, or Facebook’s news feed simply made sharing the information you made public more efficient. All such notions are wrong: they ignore the contextual nature of privacy. Just making something known in one context – even a non-secret context – doesn’t mean “anything goes” in terms of the collection, storage, transmission, or use of that information.

So, let’s look at this Facebook dataset and claims made above. I can take issue with (at least) 3 points being articulated by Kaufman and Havalais.

One, Kaufman’s mention of “hackers” and focusing on what they might “do” with this information exposes a focus on “harms” when it comes to privacy concerns. One doesn’t need to be a victim of hacking, or have a tangible harm take place, in order for there to be concerns over the privacy of one’s personal information. Privacy is about dignity as much as about informational harm by some evil agent. As Havalais points out later in his comment, none of the subjects in this dataset consented to having their personal information used in a research study. Don’t they have a right to some control over their information?

This leads to the second point: just because users post information on Facebook doesn’t mean they intend for it to be scraped, aggregated, coded, disected, and distributed. Creating a Facebook account and posting information on the social networking site is a decision made with the intent to engage in a social community, to connect with people, share ideas and thoughts, communicate, be human. Just because some of the profile information is publicly avaiable (either consciously by the user, or due to a failure to adjust the default privacy settings), doesn’t mean there are no expectations of privacy with the data. This is contextual integrity 101.

Thrid, both Kaufman and Havalais seem to suggest that the information was already easily available to anyone who cared to look for it. Examining some of the details in the codebook reveal this isn’t necessarily true, and the researchers certainly had much more efficient ways of gathering the information than an average Facebook user. Frist, the researchers received an official roster of each freshman at the college, along with their university e-mail address. This allowed them to easily and systematically search for each student in the cohort. Second, and more importantly, they appeared to use research assistants from that school in order to access and download the profile information. That means that a Facebook user might have set their privacy settings to be viewable to only to other users within that school. As a result, the RA was able to view and download the data. However, now that same data – originally meant for only those within the college – has been made available to the entire world, perhaps against the expressed wishes of the data subject.

Let me repeat that last point: Some Facebook users might have restricted their accounts to only people from their own school. But since the researchers used RAs from that school to access to account information, that restricted data has been published outside of those boundaries.

The researchers even seem to acknowledge this when they state:

In other words, a given student’s information should not be considered objectively “public” or “private” (or even “not on Facebook”)—it should be considered “public” or “private” (or “not on Facebook”) from the perspective of the particular RA that downloaded the given student’s data.

So, if the student’s information should not be considered “objectively public”, then why is it being treated as such in the dataset?

In total, claims that the data was public in the first place simply do not hold up to scrutiny.

Now, don’t get me wrong. I completely see the research value in having this data. But we must be more careful in how we release such personal information to the world, and we must be certain to understand how privacy is contextual, not just based on whether an RA can download a profile.

AOL, Microsoft, and Yahoo! have visible privacy policies on both their homepages and search results page (which is especially important if you use automatic search toolbars on browsers without visiting the homepage).

Neither Ask nor Google provide direct links to their privacy policy on their homepage or results pages.

[**UPDATE**  On June 18, 2008, Ask.com added a link to its privacy policy. On July 3, 2008, Google added a link to their privacy policy on both its homepage and search results page. Details here]

Details below:

AOL

The main AOL homepage includes a link to its privacy policy. The link is at the very bottom of the page (requires some scrolling) in a standard box with other corporate and legal information. It appears in a font and color that matches the other URLs on the homepage.

AOL’s search homepage, however, does not include any link to a privacy policy. This page closely follows the aesthetics of Google’s homepage, presumably since Google provides AOL’s search results. There is a somewhat prominent link to “About This Page,” which, in turn, provides a link to AOL’s privacy policy. (Presumably most users access AOL search via the main homepage, not this secondary page.)

AOL’s search results page also includes a link to the privacy policy at the very bottom of the page.

Ask

Ask’s homepage does not include a link to a privacy policy. Nor is there a link if you click on “About” to learn more about Ask.com (one would have to click on a light-gray link for “Terms of Service” from there to find a link to Ask’s privacy policy).

Ask’s homepage does include a small, but prominent, link to Ask Eraser in the upper right corner, which opens a small window prompting the user to turn on/off the privacy-enhancing service, and also providing links to the Ask Eraser FAQ. While this provides privacy-enhancing functions, no link to the actual privacy policy is included in these prompts.

Ask’s search results page does not include a link to its privacy policy.

Update: On June 18, 2008, Ask.com added a link to its privacy policy on the homepage, as reflected in this archived version.

Google

Google’s homepage does not include a link to a privacy policy. One must click on “About Google” to find a link to its privacy policy. This link is visible at the bottom of the page (no need to scroll on standard screens), and is in a font and color that matches the other URLs on page.

Google’s search results page does not include a link to its privacy policy.

Updated 7/4/08: Google now includes a link to its privacy policy on both its homepage and search results pages. Details here.

Microsoft

Microsoft’s Live search homepage does include a link to its privacy policy. It is a small, gray link in the bottom left corner, which is visible without scrolling in a standard screen.

Microsoft’s search results page similarly includes a link to the privacy policy.

Yahoo!

The main Yahoo! homepage includes a link to its privacy policy. The link is at the very bottom of the page (requires some scrolling) in a standard box with other corporate and legal information. It appears in a font and color that matches the other URLs on the homepage, although slightly smaller.

Yahoo!’s search homepage also includes a link to its privacy policy. The link is quite small and in a light color, but still prominent.

Yahoo!’s search results page also includes a link to the privacy policy at the very bottom of the page, albeit small and in a light font.

As both a privacy advocate and someone who respects the research information scientists (such as Jim Jansen or Amanda Spink) are able to perform with these datasets, I share Soghoian’s internal dilemma:

As a privacy advocate and end user, I think the shift against sharing anonymized data is probably a good thing. After all, I don’t want some random student browsing through my search history, anonymized or not. However, if I take the end-user hat off, and put on my PhD student hat, then this is a really bad thing. Researchers depend on accurate data in order to do their work. Without the data, we don’t get new exciting research, and thus no new cool technologies. For the research community, this Netflix incident will be the final nail in the coffin of information sharing from the dot-coms.

Soghoian’s final point, that we’ve witnessed the end of the sharing of large data-sets for academic research, is troubling, if true. We need to find a way to properly anonymize data in order to prevent the squelching of valuable academic research, yet protecting the privacy and integrity of people’s online intellectual activities.

To that end, I recently attended an NSF-sponsored workshop on data confidentiality which focused on this very issue:

This workshop comes at a time when governments and organizations are struggling to expand research access to statistical and multimedia databases, while at the sametime as protecting the confidentiality of the individuals whose data are recorded and combating breaches of cyberinfrastructure security, especially those involving unauthorized record linkage and individual identification and harm. There has been a long tradition of confidentiality associated with statistical databases, but the ever-expanding cyberinfrastructure raises new and far more challenging questions about the protection of privacy associated with electronic databases involving individuals, families and other groups, and organizations.

The goal of this workshop is to bring together leading researchers in the area of privacy and confidentiality from diverse intellectual communities to share expertise and map out a broad research agenda to inform funding agencies and organizations responsible for database access and protection. Specific attention will be focused on understanding the tension between privacy/confidentiality and data utility, and understanding the role of auxiliary information (“extra” information known to the adversary) in defeating privacy objectives.

Among those at the workshop working on creating anonymous data-sets where researchers from Web search engine companies themselves, such as Andrew Tompkins and Ravi Kumar from Yahoo! Research, who presented their paper “On Anonymizing Query Logs via Token-based Hashing.” Similar work is being done by members of the PORTIA (Privacy, Obligations and Rights in Technologies of Information Assessment) project, of which I was affiliated.

Despite these efforts, many still maintain that truly anonymized data-sets are an impossibility. Unfortunately, they might be right. The work of Latanya Sweeney, for example, reveals that 87 percent of Americans can be personally identified by presumed-anonymized records listing only their birth date, gender and ZIP code. The researchers from Yahoo! also discussed how they could easily overcome the typical attempts to anonymize search records and server logs.

I am not a computer scientist, so unfortunately there is little concrete I can offer toward a solution to creating truly-anonymous data sets of user activities. And certainly, as a privacy advocate, I will always be quick to point out violations of user privacy even when those releasing the data have the best of intentions (as AOL and Netflix did). But I hope we can work towards a solution that benefits both communities.

UPDATE: Bruce Schneier has a related column in Wired, touching on many of these same issue.

(I’m guessing this will be done via a cookie, so each user’s particular browser will need to be registered. How it deals with erased cookies, I’m not sure. If anyone knows the technical details, please let me know.) Some technical details are discussed here.

Of course, AOL will try to convince users that having their online habits tracked is actually a good thing: “The AOL site will try to persuade people that they should choose to share some personal data in order to get pitches for products they might like”

Therein lies the problem by leaving the fox in charge of providing the hens protection. AOL, like more web services, has a specific interest in collecting user data, and while providing a means for users to opt-out is a very positive move, it is only natural that they would try to convince interested users otherwise. A better solution is to have a easily recognizable and independent site for users to opt-out (not unlike https://www.donotcall.gov/), something that perhaps the FTC will take on themselves.

UPDATE: It was wrong to describe this as an AOL-driven service. A group of privacy advocates are calling for the creating of the “Do-Not-Track” list — AOL merely plans to provide access to the list. More details here.

And what kind of price are they charging for such a violation of user’s privacy? About 40 cents a month per user. Unbelievable.

Erickson: …This transactional information, separated from the personal information of the user, is used by companies to improve their abilities to provide more pertinent results for the user. Don’t you think that companies should have the freedom to innovate by using transactional information to improve their products?

Bankston: Markham, you say that Internet companies don’t match up users’ personal information, yet that’s exactly what AOL stores — search logs tied that can be tied to particular user screen names, which can be matched up with your billing information. Other search engines with account-based services also can tie their search logs to your particular screen name or email address, and then there are IP addresses, cookies and other methods of tracking individual users.

Furthermore, and contrary to your suggestion, these search logs reveal much more information than directory assistance logs; they’re more like a print-out of your brain. A quick spin through the AOL logs via aolsearchdatabase.com, or a browsing of some of the more notable search histories being discussed on the bulletin board at data.aolsearchlogs.com — will demonstrate that. These logs represent the most secret hopes, deepest fears and dirtiest laundry of every user. They provide a snapshot of incredibly intimate events and ideas, often revealing personal problems, financial difficulties, medical ailments, sexual preferences, and more.

I’m all for innovation, but at what cost? Does Google really need a decade of search histories to innovate? I think that rather than innovation, what you’re talking about is monetization: data-mining all of this private information for marketing information, whether to be used internally or sold to business partners.

[via John Battelle]

How can you help prevent damaging privacy invasions like AOL’s data leak? Along with spreading the word about this debacle, you can take steps to protect yourself online. Beneath the fold, we’ve listed some tips and tools that will help keep your search history private.

• Don’t put personally-identifying information in your searches, at least not in a way that can be associated with your other searches. You should take the precautions below to avoid giving away your identity to your search engine anyway, but they’re especially necessary if you want to do a search to see if your personal information has appeared online or want to do a vanity search for your name.
• Don’t use a search engine operated by your ISP. Most ISPs inherently know who their users are, at any given time and over the long run. If you use their default search tool, they know who you are and everything you search for. Use someone else’s search tool instead.
• Don’t log in to a search engine account. If you use a web-based e-mail service or other services provided by your search engine — such as GMail or Yahoo! Mail — see below on cookies.
• Don’t accept cookies from your search engine. If you use a service like web-based e-mail that requires you to accept cookies, don’t let the personally-identifying information in your e-mail get linked with your searches. For Firefox users, the free CustomizeGoogle extension will allow you to anonymize your search cookie without breaking GMail (see the “Privacy” tab in the CustomizeGoogle options). We’re still looking for extensions that provide corresponding functionality for Yahoo!, MSN, and AOL users. You can also use Privoxy, although it’s a bit more difficult to configure.
• Use a separate browser or browser profile for search and for other activities.
• Use an anonymizing proxy, or proxy network like Tor, to prevent search engines from learning your IP address, especially if your ISP gives you the same IP address each time you use the Internet.

AOL’s data leak is a disaster, but there may be some silver lining. By putting the spotlight on the dangers of Internet companies storing massive amounts of private information, the data leak could spur better business practices and Congressional action to protect privacy.

While AOL rightly apologized and began investigation into its practices, Google CEO Eric Schmidt unfortunately appeared to shrug off the issue, essentially saying “trust us.” That’s not an adequate response, as the LA Times and USA Today made clear in editorials this week:

• LA Times: “The companies say they keep their logs private unless forced by a subpoena or court order to share the data with investigators or lawyers. That’s a start, but it would be far more comforting if they had clear data-retention policies limiting how long the information could be linked to individual accounts or Internet addresses.”
• USA Today: “[AOL's] screw-up raises larger questions, however, about whether companies like AOL and Google should be storing search requests…. AOL’s blunder … shows their privacy safeguards fall well short of foolproof.”

Those questions should also be taken up by Congress, as Rep. Ed Markey repeated this week. This issue isn’t just about mistaken public disclosures — the logs can be a dangerous honeypot of information for the government or any individual litigant wielding a subpoena. Congress must consider clarifying privacy protections and limiting data retention.

Take action now and spread the word about this critical issue.

She’s right.