AOL gaffe draws Capitol Hill rebuke

AOL's recent privacy gaffe that exposed user search histories may breathe new life into a proposal to slap strict rules on what data Internet companies may collect.

Rep. Ed Markey, a Massachusetts Democrat, said Wednesday that AOL's disclosure of the search habits of more than 650,000 of its users demonstrates that new laws are necessary. AOL has apologized for the disclosure.

"We must stop companies from unnecessarily storing the building blocks of American citizens' private lives," Markey said.

Markey's proposal, called the Eliminate Warehousing of Consumer Internet Data Act (EWOCID), was introduced in February after Google's courtroom tussle over search records with the U.S. Department of Justice.

Republicans have kept it bottled up in a House of Representatives subcommittee ever since, but a Markey representative said Wednesday that he hoped "this most recent breach will light a fire under the GOP leadership."

EWOCID is intended to cover far more than search engines. It seeks to import European-style privacy regulations by requiring all Web site operators to delete from their logs personal information, defined as everything from a name and e-mail address to--in some cases--an Internet Protocol address. Violations would be punished by the Federal Trade Commission.

Technology lobby groups including the NetCoalition, which represents companies such as Google, Yahoo and CNET Networks (publisher of News.com), have expressed skepticism toward EWOCID. So have free-market advocate groups, such as the Pacific Research Institute in San Francisco.

"Rep. Markey's bill seeks to micromanage technology firms, which would be an enormous step in the wrong direction," said Sonia Arrison, the institute's director of technology policy. "Why on Earth would anyone think the FTC would do a better job at managing data than Google or Yahoo?"

Discussion of AOL's misstep, which exposed anonymized yet intimate details of its users' personal lives, also surfaced at the Search Engine Strategies conference in San Jose, Calif., on Wednesday.

Danny Sullivan, editor of Search Engine Watch, which hosts the event, asked Google Chief Executive Eric Schmidt whether Google would consider limiting the amount of time it retains user data in light of the AOL breach.

"We have actually had that debate," Schmidt said in response. "We are reasonably satisfied...that this kind of thing could not happen at Google," he added, before saying, "Never say never."

Later, Sullivan told CNET News.com that the outcry over AOL's action "will definitely elevate the debate" over user privacy on the Internet. Unless anonymized data can be made "bullet proof" to attempts to tie it back to the individual, it should be deleted, he said.

"I think you have to delete it over time or separate out the data that lets you build a profile," Sullivan said.

At the federal level, privacy laws tend to be created erratically, spurred by one well-publicized emotional anecdote after another. Congress approved the Video Privacy Protection Act in 1988 after a newspaper published Supreme Court nominee Robert Bork's video rental records. The murder of actress Rebecca Schaeffer, whose killer found her address through California Department of Motor Vehicles records, led to the federal Drivers Privacy Protection Act.

Even though a Republican-dominated Congress is unlikely to adopt Markey's bill verbatim, especially in the face of opposition from Internet companies, the AOL disclosure could give the data-deletion idea more visibility when privacy legislation is being considered. Texas Republican Joe Barton, chairman of the House Energy and Commerce Committee, has said that he wants to enact a broad privacy bill by the end of the year--but he has not disclosed details of what it will include.

CNET News.com's Elinor Mills contributed to this report.

[pencoyd]

Terrible acronym, but interesting idea

EWOCID? I'm not fan of the Patriot Act, but perhaps Markey
should learn a PR lesson from how it was presented and "sold" to
legislators and the American public.

As to regulation... rather than "European-style privacy
regulations" -- why not start with the _exact_ European data
rules? I don't know them well enough to be sure that's a great
idea. However, if companies could count on consistency across
jurisdictions, that would save a lot of complexity and headaches.
It also recognizes that the Internet (and many, many businesses)
span borders today.

Please keep teasing at this thread as it spins out.

[talledega500]

Search proxies are the only way

Just use one and forget all this stuff.
the govt wont bail you out.

try this for a start. http://www.blackboxsearch.com

[R Me]

Delete Congress

The government wants to tell us what to keep and what to delete. What it looks like to me is that government wants to be the only entity with any data. Its time to delete congress and come up with a better system of rule making.

I propose that each citizen of voting age be required to vote. All laws proposed by congress shall be voted on each november. If a congressman or comittee draws up three laws that are defeated they are removed from office and a voting citizen is picked at random to take their place. Attorneys would be drawn at random to act a proxy drafters for citizen congressmen. All "enlistees" would be paid the same salery present congressmen make sans the everlasting health care bennies. Each year new "enlistees" would replace the present ones. All from their respective districts of course. A random selection of people to congress would give a better cross section of the average citizen than we now have.

It's time to delete congress as we now know it as its a broken corrupt process. This would also allow us to eliminate the job of commander in chief, second in command and other useless positions and people such as lobbyists. All matters of foreign relations and policy would also be voted upon by the new congress and with no one there to veto the vote the will of the people would stand as it should.

One person, one vote, one political party, one UNITED AMERICA! A NEW WORLD ORDER!!

[rcrusoe]

Re: DELETE CONGRESS

"I propose that each citizen of voting age be required to vote. All
laws proposed by congress shall be voted on each november."

What? Have all laws voted on by each citizen? That form of
government is called a Democracy. And that's never going to
happen. We've been moving from a Republic to Socialism for too
many years.

We definitely need a change, but what we need is term limits to
get rid of the deadwood and dumbas*es in Washington, and
MORE political parties.

The Democrats and Republicans are just two sides of the same
coin. Both will sell out the American public at the drop of a
campaign donation.

Delete Congress? No. But roll it back to something close to that
designed by our founding fathers? Yes.

Or we could just have the Senate's Internet experts shut off
AOL's Internet "tubes".

[The user with no name]

ummm no...

While I am no fan of the current congress, or how politicians in general operate I REALLY wouldn't not feel too great about the average American being in charge of creating the rule book!

First off these are people who don't care enough to get out to vote once in a while to the point the Arizona is contemplating making a $1 MILLION LOTTERY out of the election process!

I'm not as much worried about any Tom, Dick or Harry taking there turn as I am about ending up with a majority of Larry, Moe and Curly's!

[CPCcurmudgeon]

deleting the data makes fraud detection harder

In some cases, to determine whether click, impression, etc. fraud may have occurred, it is necessary to look at clickstreams over long periods of time and/or from several months back. Deleting the user data makes it harder to make these determinations.

[The user with no name]

certain info and after certain time frame

No one is saying that the companies cannot retain data for certain periods of times, in fact there are currently laws being devised to FORCE companies to retain data for certain (lengthy) periods to enable law enforcement to retrieve data on suspected criminals (as well as divorce lawyers, angry teachers and job supervisors etc).

However after a certain point in time that data needs to be scrubbed, unless you LIKE the idea of being able to profiled based upon YOUR internet activites. This profiling not only makes Google et al money but can also result in unexpected situations for you.

In a divorce hearing a spouse forces Google/Yahoo/MSN to hand over your 'profile' to help prove that you were a bad person...Google et al reveals you searched out dating sites or clicked on Ads for such... helps 'prove' you were intent on cheating

Google's profiling gets so fine tuned that companies are better able to place ads on your browser based upon your habits, everyone eventually KNOWS this... while surfing with friends or family ads for HIV, Drug Addiction Services, Gonnorhea start popping up....

You like to surf the news sites and frequently these sites link to foreign news media. The FBI comes knocking on your door because your profile shows a higher 'percentage' of visits to anti-american sites that are suspected terrorism issues...The Search Engines building a profile on you not only helped you get the info you wanted but also helped make you a suspect (remember IT catered your experience to what IT learned about you!)

Certain links for certain sites begin to pop up more than other links based on your 'habits' pretty soon you are being directed to sites almost as if on auto pilot, and amazingly enough these very sites are also paying Google for sending you there based upon the profile it has created on you.

Data retention is solely for the benefit of the companies who are collecting it. The only possible 'benefit' it has for you is that you get served ads that you are more interested in as opposed to random ones being displayed.

Is this REALLY ENOUGH OF A 'BENEFIT' for you to allow your 100% COMPLETE INTERNET PRIVACY to be sold to the highest bidder for GOOGLE'S financial benefit?

I mean sure, if YOU were given a share of the money that Google makes off of your profile MAYBE people would opt-in and sign releases and this issue would be moot. Or if people could opt-in/opt-out of the data retention/collection process so that they could receive personally tailored adverts, links, etc etc this issue would be moot as well.

But by having NO CHOICE whatsoever except the choice of NOT to use the internet and/or search engines really isn't much of a choice at all.. is it?

[perfectblue97]

Double standards

Hang on, isn't this the very same data that the Feds are demanding that ISPs keep in order to battle against terrorists and pornographers?

[JohnnyL]

Double Standard...Of course

But for the government that's par for the course. I love the way the Feds want to justify the continuing chipping away of our privacy by trying to says its either to battle terrorists or child pornographers. As far as they are concerned these are the only criminal acts currently being perpetrated in the US. they are used to justify everything the Justice Department wants to do to us.

[cswor]

Keep It Simple

It all comes down to money. Simply impose a penalty, say $10K, payable to each account whose info was handled carelessly, and let AOL decide how hard they should work to safeguard it and how valuable it is to them to collect. The amount would go up if the info was actually used for something that harmed the customer.

These could be handled automatically. Even written into the AOL's agreement. Save a lot of arguments, court time, etc.

[The user with no name]

nice soltion

of course the penalties would have to be significant enough to create the 'desire' to not have these 'leaks' occur.

I like the idea with other companies as well. Oh you didn't safe guard you customers data well enough and 100,000 people's info has been 'stolen'... (nods to Bill Engvall)

... Here's Your Fine (lol)

Of course we still need to have policy in place to protect OUR data (the fact that it was collected/stored from/on Company A's servers is of no consequence!) to insure that it is not used in nefarious ways!

Collecting people's internet usuage is no different that monitoring which books I read/buy, who I talk to, what I talk about, and what I think! All of these things are easily obtained by monitoring someone's internet use. What you think is what you search, click on and sites you visit! Your communications are revealed in your forums (even if listed as anonymous or screen names) etc

The net has the biggest opportunity to truly create an Orwellian society than anything to date. The question is DO YOU WANT TO BE MONITORED AND PROFILED or do you want to retain as much priovacy rights as possible?

[sandkicker]

lawmakers worried about public - a laugh

This from the people who expose CIA operatives.

This from the people who give us telecom
initiatives - sprint/embarq, now our cost is
higer.

This from the people that want to monitor
internet traffic secretly without court order.

This from the people who cant respond to
disasters.

This from the people who have given us
a national debt thats the highest in history.

And now one of our esteemed leaders wants
to create another law. GIVE ME A BREAK.

They cant control themselves, let alone anything
else. These are the last people i want protecting my privacy.