AOL Miscue Could Reinvigorate Privacy Legislation

With privacy advocates preparing FTC claims against AOL in response to its publishing of customers' Internet search data, at least one Washington lawmaker is using the opportunity to push forward existing privacy legislation.

AOLs internal mistake that led it to release detailed keyword search data for roughly 658,000 of its users is being highlighted by at least one Washington legislator as a chance to inject new interest into a consumer privacy bill before Congress.

Massachusetts Rep. Edward J. Markey, the senior Democrat on the Telecommunications and Internet Subcommittee of the House Energy and Commerce Committee, is using the AOL incident to renew his call for Congress to pass legislation that aims to limit the amount of personal data that can be retained by companies Web sites.

Markey is the author of the Eliminate Warehousing of Consumer Internet Data Act of 2006, which hopes to bolster consumers Internet privacy by preventing online businesses from storing personal information for indefinite periods of time. The congressman, who also wrote the Social Security Number Protection Act pending before the House, contends that the AOL miscue serves as further proof of the inherent dangers of companies allowed to retain large amounts of sensitive information about their customers.

"In this digital information age, the personal data we hand over to dozens of Web sites are the keys which unlock the personal lives and valuable possessions of millions of Americans," Markey said in a statement. "Internet companies are often able to glean personal information through a computer users surfing and searching of Internet sites; this stored-up data about consumers Internet use should not be needlessly kept in perpetuity, inviting data thieves or fraudsters, or disclosure through judicial fishing expeditions."

During the last week in July, AOL published information from roughly 20 million search queries on its research site, before abruptly pulling the information down after privacy watchdogs criticized the maneuver. The company has said that it only issued the data for academic reasons, without realizing how easy it might be for someone to match the search information with the names of specific users, a feat that has already been achieved.

The data, which has been mirrored on multiple Web sites, represented a random selection of searches conducted over a three-month period (March to May 2006) and includes a numbered user ID, the actual query, the time of the search and the destination domain visited. In some cases the data included personal names, addresses and Social Security numbers.

First submitted to Congress by Markey in February after search giant Google was subpoenaed by the U.S. Department of Justice and ordered to share its own search records, a request that was ultimately curtailed by a federal court. Since that time, the Eliminate Warehousing of Consumer Internet Data Act has been stuck in deliberations before a House subcommittee, but Markey said he hopes the AOL scenario can help move the bill forward.

Click here to read more about a recent AOL data spill. If passed, the legislation would require Web site operators to destroy any stored information that is "obsolete and no longer necessary for a legitimate business purpose" or requested via court order. Personally identifiable data including credit card numbers, home addresses and Social Security numbers would have to be destroyed under the bill, which would rely on the FTC (Federal Trade Commission) for enforcement.

Markey has likened the measure to standards Congress has adopted governing the handling of information gathered by cable companies about individual viewing and subscription habits.

"We must stop companies from unnecessarily storing the building blocks of American citizens private lives," Markey said. "If 2005 was the year of the data breach, I want to make sure that 2006 is the year of safeguarding the privacy of American citizens by introducing legislation to prevent the stockpiling of private citizens personal data."

Privacy experts said that the AOL incident should encourage legislators to move faster to protect consumer information security, but remain unconvinced that Congress will move to pass Eliminate Warehousing of Consumer Internet Data Act or other bills with similar implications any time soon.

Pam Dixon, executive director of the San Diego-based World Privacy Forum, a nonprofit consumer watchdog organization, cited the AOL breach as the exact type of scenario that her group and others have worried about for years. As the World Privacy Forum prepares its own complaint over the incident to be filed with the FTC, the group is aware that a struggle between legislators who seek to protect consumer information and those who seek greater government power to access records such as AOLs, is brewing.

"Theres an interesting dichotomy, as certain aspects of the U.S. government push for long-term data retention of material like this while other aspects of the government are pushing for security of personal information," Dixon said. "These two ideas are colliding, and there has been no adequate discussion of the way they relate to each other; something has to give here, there must at least be an appropriate realization of the sensitivity of this type of data if those in security are allowed to push for retention."

From the perspective of the World Privacy Forum, none of the personally identifiable information should have been retained by AOL in the first place. Dixon called media reports that have appeared to link specific users to their search habits a "worst nightmare" scenario for people who have been warning that search data breaches would occur.

"This is exactly what you dont want to have happen with user data, to have it put in the public in some way and then clearly identified," she said. "There is a real data retention push in the U.S., largely driven by the Department of Justice, who wants companies to retain a lot of data in the Internet space; were seeing here that when you live online, this is not just any data the search engines have, its like a diary, and thats why its such a problem."

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.