Posts Tagged 'Privacy'

*You Are What You Querying For: The AOL ‘Data Valdez’ Case of Thelma Arnold

A Short History Lesson: In July 2006 AOL offered a data-bank, containing the data of 20 million search queries by 680.000 AOL-users, for download on its website. Although the data was removed again shortly after, the data had found its way into the net and since then stayed there. This did not only prove as a PR-disaster (the ‘Data Valdez‘ case) but also triggered an interesting legal dispute (Does v. AOL LLC, Case No. C06-5866 SBA (N.D. Cal.; June 22, 2010).

Hendrick Speck already mentioned this case 3 years ago on the Suma e.v. conference but it took me until today (Thank You Links&Law) to get hold of the exactly facts of the case.

Although the AOL-users had been assigned random numbers to protect their identity it took reporters of the New York Times less than a month to identify at least one user (only) on the basis of the search queries of this user:

Continue reading ‘*You Are What You Querying For: The AOL ‘Data Valdez’ Case of Thelma Arnold’

*How Much Information Does A Search Query Reveal About A User?

One search query on its own might actually not reveal too much information about a user. If you however, keep logging the queries from one particular user one might very soon be able to gain interesting insights. At some point early this year Google extended its ‘personalized search’ function onto all users, not matter if they were logged into any Google service or not (explanation found >>here<<).

I was first confronted with this topic at the Suma e.v. conference in Berlin 2007. Hendrik Speck (a indeed humble man who even has a ‘My Quotes’ section on his website) mentioned in his speech search engine log files and talked in detail about how much information search engines could gain out of analysing them. In the example provided by Speck he talked -as far as I remember about an overweight, sick old lady who had some kind of fixation on cats. I didn’t really like the example and labelled the whole idea as ‘Google-Bashing‘.

My next encounter with this topic was when I was playing around with the Google Dashboard and was surprised to see that how precisely Google kept track of what I did and was even kind enough to tell me on which days I had been lazy, not doing much research for my blog or my thesis.


Then, last week I stumbled across a ‘cute’ YouTube-video, on the German Basic Thinking Blog, telling a romantic story, just by showing the queries a user had typed in.


Cute, as I’ve said, right? But… let’s take the idea a bit further:

I have repeatedly reported lengthy a service called TweetPsych which allows users to create kind of an psychological profile of any twitter feed, analysing the language used, the topics covered, the frequency of the posts, etc… The first worrying thing about this service is, that it works quite well. The second worrying thing is the idea of spreading this idea from a person’s twitter feed, which he deliberately had decided to publish freely on the internet, to a users search queries. Doing this we would be able not only to analyse a person’s interests but also its mood and even living habits.


Most of you will now say, yes that’s what Google (Google Insight) does anyway. True. But the difference is that Google, at least that’s what they’ve communicated only do this on a large scale.

Interest in the search term 'Michael Jackson'... not so much apparently until his unexpected death


Doing the same with just a single user takes the whole thing to a completely new level. I am not saying this because I am just another privacy-prayer hoping to get ‘street cred‘ for his words but to rephrase an idea I’ve heard from THE Austrian privacy activist (Hans Gerhard Zeger). [I know this idea isn’t entirely new, but I do think its worth being repeated many, many times…]


If data/information about everybody is available, authorities will start searching the data for unusual patterns to be able to investigate or even predict potentially malicious behaviour. So, the second a user types in ‘uncommon’ queries, he/she thus would be under suspicion. And here comes the point; under such circumstances, the whole principle of “presumption of innocence” (ei incumbit probatio qui dicit, non qui negat) is actually turned over. Then the authority won’t have to proof that the user has done anything wrong, but the user would be under the obligation to prove that he/she hasn’t.


I guess, nobody is feeling comfortable about being tracked/logged. At the same time we all appreciate the benefits of this technique. So as always a compromise has to be found as stubborn search engine bashing will just blur the whole situation and allow competitors to use the confusion and find loopholes to put things into practise, big corporations are still struggling to be allowed. Example? While some 70 year old Austrian even attacked an Google Streeview car last week with a pick-axe, nobody seems to care that an Austrian company (Herold Straßentour) has already recorded most of Vienna’s inner city, using pretty much the same technique. So shall Google be punished for at least openly speaking about their plans while others ‘just do it‘?

*Personalized Search: Google Now Tracks All Searches

Google is now constantly tracking your searches stemming from your browser and thus your current Google searches are, unless you have disabled/removed the respective cookie, are influenced by the previous searches carried out from the same browser. For more information and how to disable all this please visit the Official Google Blog.

To get an insight about the data Google has collected about you, use the Google Dashboard Service. (Google account required; link to previous post: >>here<<) For more information about this topic please refer to The Data Liberation Front. (link to previous post: >>here<<)


Don’t panic. The difference between Google and the rest is; Google at least tells you when they are stalking on you 😉

*Fighting Fire with Fire… Online Reputation Management Tips by Google

Screen shot 2009-11-04 at 09.38.21

The advice by Google on its blog may be compared to the tips for fighting a forest fire:

1: Be careful and think before you publish information about you. (avoid)

2: If there is something you don’t like, go to the source and fight against it there = contact the site’s webmaster. (extinguish)

3: If “2” doesn’t work out, post even more content yourself, pushing the “bad source” out of the screen. Or, open a Google Profile… (fighting fire with fire)

*Sect. 26 Austrian Data Prodection Act – Lex Imperfecta?

A highly controversial, but somehow “heart-warming presentation” was held at the 3rd Austrian IT-Law congress by a representative of a credit-worthiness database-company who explained the audience that their service was absolutely essential to mankind as without an entry in their database people just wouldn’t be able to conclude any contracts (e.g. signing up for a mobile-phone contract or opening a bank account) any more.  Yes, they appear all to be truly altruistic at heart ans I reckon they just have to “sell” the data to cover their fix-costs. To sum it up what the gentleman from the Deltavista GmBH and a representative of the Austrian Kreditschutzverband, sitting in the audience, said: As grown up human being I shall be no longer contractually capable, unless I am registered in a creditworthiness database!


After the presentations I chatted with my colleagues about the reality of Data protection / creditworthiness databases in Austria and I was told that it is pretty pointless to try to get information from your bank and that the last colleague who tried to do so, in the end changed his bank.


As I am a curious person myself I took a look at the central section Section 26 of the Austrian Federal Act concerning the Protection of Personal Data (de/en version) which states:

“Sect. 26 (1) The controller [Auftraggeber]shall provide the data subject [Betroffener] with information about the data being processed and relating to him, if the data subject so requests in writing and proves his identity in an appropriate manner. Subject to the agreement of the controller, the request for information can be made orally. The information shall contain the processed data, the available information about their origin, the recipients or categories of recipients [Empfängerkreise] of transmissions [Übermittlungen], the purpose of the use of data [Datenverwendung] as well as its legal basis in an intelligible form. Upon request of the data subject, the names and addresses of processors [Dienstleister] shall be disclosed in case they are charged with processing data relating to him. With the consent of the data subject, the information may be provided orally alongside with the possibility to inspect and make duplicates or photocopies instead of being provided in writing.”


(3) Upon inquiry, the data subject has to cooperate in the information procedure to a reasonable extent to prevent an unwarranted and disproportionate effort on the part of the controller.

(4) Within eight weeks of the receipt of the request, the information shall be provided or a reason given in writing why the information is not or not completely provided. The information may be refused if the data subject has failed to cooperate in the procedure according to para. 3 or has not reimbursed the cost.

(6) The information shall be given free of charge if it concerns the current data files [Datenbestand] of a use of data and if the data subject has not yet made a request for information to the same controller regarding the same application purpose [Aufgabengebiet] in the current year. In all other cases a flat rate compensation of 18,89 Euro may be charged; deviations are permitted to cover actually incurred higher expenses. A compensation already paid shall be refunded, irrespective of any claims for damages, if data have been used illegally or if the information has otherwise led to a correction.


Taking all these things into account I approached my bank ( 08.06.2009), my mobile-phone provider (11.06.2009) as well as the Deltavista GmbH (letter posted on the 15.06.2009 as I’ve received no answer to my email). So, let’s see what will happen. I’ll keep you informed!

This Satelite Doesn’t Beep But It ‘Tweets’

Please click here if you want to follow this blog on Twitter.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 94 other followers

Author’s Rights - Online reporting hotline for child pornography and nationalsocialist content on the internet
JuraBlogs - Die Welt juristischer Blogs

Previous Posts:

RSS Goldman’s Tech & Marketing Blog

  • An error has occurred; the feed is probably down. Try again later.

RSS Class 46 Blog

  • An error has occurred; the feed is probably down. Try again later.

RSS WIRED Epicenter

  • An error has occurred; the feed is probably down. Try again later.
wordpress stat