
AOL's recent intentional, yet mistaken, release of search data shows how tenuous our privacy really is.



Hi everyone, this is Leo Notenboom with news, commentary and answers to some of the many questions I get at

As most of you have heard by now, AOL recently released three months of search data, apparently for academic research. The release was intentional, but AOL later admitted their mistake in doing so. They even went so far as to say that they were sorry.

Now, one of the really common themes across questions I get at Ask Leo! is that of privacy. And I mean that in both directions. I get a lot of questions from people who are concerned about maintaining their privacy, people concerned about IP address tracing, cookies, key loggers, spyware and the like. I also get a lot of questions from folks trying to invade someone else's privacy - perhaps hack an account, or view someone's message history.

What the AOL release has done is show us how seemingly innocuous data - something as simple as the things we search for on the internet - can create a trail of information that can lead right back to us. It shows us how tenuous our privacy really is.

The AOL data did not include any user names or IDs. All it included was a token that indicated which searches were performed by the same person - without identifying that person. Or, to put it in privacy statement terms: without any personally identifiable information.

Nope, the users did that themselves.

And the personally identifiable information that the AOL users happened to provide? The terms they entered into the search engine.

The New York Times has already tracked down one individual based solely on the terms that she entered into AOL search. Without knowing anything other than those terms, and that they all came from the same person, they were able to identify exactly who that person was.

Individual searches, by themselves, are pretty meaningless. But the aggregate - your search history - tells a lot about you, what you do, what you care about, and ultimately who you are.

The lesson here is not that we need to be afraid of the search engines for fear of someone spying on us. The lesson here is one of awareness: know what privacy you can reasonably expect, and know that it doesn't always take a hacked account, an IP address or other directly obvious way to compromise it.

I foresee a day when this type of analysis of otherwise innocuous data may find its way into a court case and contribute to a conviction or acquittal. In fact, it's already been tried.

The other individual in the AOL data who was searching for terms related to "extramarital on-line affair" might be concerned.

Perhaps we all should be.

I'd love to hear what you think. Visit ask leo dot info, and enter 10603 in the go to article number box. Leave me a comment, I love hearing from you.

This is a presentation of, a free on-line technical question and answer service. Hundreds of questions and answers are online and ready to help solve your computer problems.


Article C2751 - August 10, 2006

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


August 11, 2006 12:04 PM

Several years ago Scott McNealy, former CEO of Sun Systems said that our privacy was gone and we should get over it. I wish it were not so, but I think that the world depicted in Orwell's 1984 and Huxley's Brave New World, where everybody is watched 24/7, is already here. Not too much we can do about it except speak up and speak out whenever and wherever we encounter violations of our privacy. I've always been careful online & in print. If I don't feel comfortable about my remarks appearing in a court case some day, I don't hit that "Send" button.

August 12, 2006 11:55 AM

AOL's actions are despicable, in my opinion. They should be hauled over the coals on this one! Personally, I try and remain as anonymous as possible (hence first name only!), but with folk like AOL around, that seems well nigh impossible.

Paul Higgins
August 12, 2006 9:47 PM

Hi, Leo. Interesting article. I am pretty paranoid about my online privacy, to the extent that I use a bat file to delete all my temp files and online histories about every 5 or 10 minutes while online. I don't want a site I visit to be able to see where else I've been. That's my business. I use Mailwasher to pre-view my emails and Roboform to protect my personal information. Even so, and Roboform uses a very good encryption to protect my information, I still do not save any credit card or banking information with Roboform. I prefer to fill this information each time, rather than have it saved on my machine, no matter how secure it is. One thing I have considered for some time now that I haven't heard or read anywhere else. We are told that 'cookies' are required to facilitate easy and faster access to web pages we visit frequently. Most sites insist on them being enabled. But in these days of high speed internet connection, do we still really need this? Personally, I do not find accessing web pages significantly faster by keeping 'cookies' on my machine (even in my dial up days). This may be a perceptual thing, but even so I prefer privacy to speed. One cannot be too careful these days. I also notice the things people find acceptable online they would not tolerate in everyday life. For example, we are happy to allow websites we visit to load files onto our computers. But how would we react if we walked into a store and were asked for personal details, name and address for example, to check as to whether we have shopped there before? And would we want to be followed around town by a store employee to see where else we shop and what else we bought? Even if we were told it was to improve our experience next time we visited their store, I do not think most of us would find this acceptable. The problem, I think is that internet users do not relate being online to physically visiting a store. It's ok because it is new.
And many laws (I live in the UK) related to protecting us in our everyday life do not afford us similar protection online. While efforts are being made to address these and other related issues, big business with the financial clout is currently successfully thwarting these efforts.
The other thing, I think, that makes people more vulnerable online is this. When walking down the street, we are aware of our surroundings. If we see a suspicious character, we will attempt to avoid eye contact, possibly turning a corner to avoid physical interaction. We do not walk down dark alleys at night, etc, etc. Online, we find it acceptable to click on links, email people and otherwise interact in a way we would never do in a face to face situation. The internet affords criminals an anonymity they would not have in the 'real' world. The fault, I agree lies with the individuals who are more reckless online than they would ever be in a physical situation. But we have laws to protect us from being defrauded or physically attacked in real life. These laws should be equally enforceable where cyber crime is committed. I may be wrong, but my perception is that this is not the case.

August 23, 2006 7:39 AM

Do I keep my Yahoo address or do I get a Hotmail address?
