The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Monday, August 07, 2006
It really wasn't that long ago that Google, AOL, Yahoo! and MSN were in the privacy crosshairs over the potential release of user search records to the US Federal Government. (See: The Canadian Privacy Law Blog: US DOJ has subpoenaed Google's search records.) In that saga, the US Department of Justice subpoenaed Google's search records as part of a lawsuit to which Google was not a party. The search giant resisted and privacy advocates were upset to learn that MSN, Yahoo! and AOL handed over reams of supposedely anonymized customer information.
Now, Wired and others are reporting that AOL has handed over three months of search activity of 350,000 AOL users to researchers. The 400MB of data has been pulled off the web, but is already out there. Wired's 27B Stroke 6 blog quotes an EFF lawyer who believes this is a violation of the US Electronic Communications Privacy Act, the statutory damages for which probably add up to $658,000,000. Read more about it at 27B Stroke 6: AOL 's $658 Million Privacy Breach?
It appears that though the information isn't linked to IP addresses or user names, the data does show the sequence of searches from individual users and, in some cases, the user can be identified by searching for themselves.
Update: AP has a good report on this that features how this sort of release can disclose very intimate personal information even if user names are replaced with numeric identifiers:
AOL: Searches by 650K people got out - Yahoo! News:
"Although AOL had substituted numeric IDs for the subscribers' real user names, the company acknowledged the search queries themselves may contain personally identifiable data.
For example, many users type their names to find out whether sites have dirt on them and then separately search for online mentions of their phone, credit card or Social Security numbers. A few days later, they may search for pizzerias in their neighborhoods, revealing their locations, or for prescription drug prices, revealing their medical conditions. All those separate searches would be linked to the same numeric ID.
'Search query data can contain the sum total of our work, interests, associations, desires, dreams, fantasies and even darkest fears,' said Lauren Weinstein, a privacy advocate.
The company apologized for the disclosure.
'This was a screw up, and we're angry and upset about it,' AOL spokesman Andrew Weinstein said. 'It was an innocent enough attempt to reach out to the academic community with new research tools, but it was obviously not appropriately vetted, and if it had been, it would have been stopped in an instant.'"
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.