It really wasn't that long ago that Google, AOL, Yahoo! and MSN were in the privacy crosshairs over the potential release of user search records to the US Federal Government. (See: The Canadian Privacy Law Blog: US DOJ has subpoenaed Google's search records.) In that saga, the US Department of Justice subpoenaed Google's search records as part of a lawsuit to which Google was not a party. The search giant resisted and privacy advocates were upset to learn that MSN, Yahoo! and AOL handed over reams of supposedely anonymized customer information.
Now, Wired and others are reporting that AOL has handed over three months of search activity of 350,000 AOL users to researchers. The 400MB of data has been pulled off the web, but is already out there. Wired's 27B Stroke 6 blog quotes an EFF lawyer who believes this is a violation of the US Electronic Communications Privacy Act, the statutory damages for which probably add up to $658,000,000. Read more about it at 27B Stroke 6: AOL 's $658 Million Privacy Breach?
It appears that though the information isn't linked to IP addresses or user names, the data does show the sequence of searches from individual users and, in some cases, the user can be identified by searching for themselves.
Update: AP has a good report on this that features how this sort of release can disclose very intimate personal information even if user names are replaced with numeric identifiers:
AOL: Searches by 650K people got out - Yahoo! News:
"Although AOL had substituted numeric IDs for the subscribers' real user names, the company acknowledged the search queries themselves may contain personally identifiable data.
For example, many users type their names to find out whether sites have dirt on them and then separately search for online mentions of their phone, credit card or Social Security numbers. A few days later, they may search for pizzerias in their neighborhoods, revealing their locations, or for prescription drug prices, revealing their medical conditions. All those separate searches would be linked to the same numeric ID.
'Search query data can contain the sum total of our work, interests, associations, desires, dreams, fantasies and even darkest fears,' said Lauren Weinstein, a privacy advocate.
The company apologized for the disclosure.
'This was a screw up, and we're angry and upset about it,' AOL spokesman Andrew Weinstein said. 'It was an innocent enough attempt to reach out to the academic community with new research tools, but it was obviously not appropriately vetted, and if it had been, it would have been stopped in an instant.'"