X

Three workers depart AOL after privacy uproar

Net giant fires two, CTO resigns after disclosure of members' search data prompts widespread criticism.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
See full bio
Elinor Mills
4 min read
Two AOL employees have been fired, and its chief technology officer is resigning, after the release of Web search data from thousands of AOL members prompted widespread criticism of the company.

CTO Maureen Govern "has decided to leave AOL effective immediately," AOL Chief Executive Jon Miller wrote in an e-mail to employees dated Monday.

Govern could not be reached to comment.

Maureen Govern Maureen Govern

The researcher responsible for the data being posted online and the researcher's supervisor, who reports to Govern, were fired, according a source close to the matter who asked not to be identified.

Meanwhile, John McKinley, who is president of AOL Digital Services and served as chief technology officer from 2003 to 2005, will step in as interim CTO until a permanent replacement is found, AOL said.

In a separate e-mail to AOL employees, Miller said the company would create a task force to develop new best practices on privacy and will look at how long search and other data should be saved.

The company also is considering tightening restrictions on access to databases containing search data and other sensitive member data, looking into ways to ensure that such information is not included in research databases and adopting education programs for employees on how to protect sensitive information, the e-mail shows.

"After the great lengths we've taken to build our members' trust and be an industry leader on privacy, it was disheartening to see so much good work destroyed by a single act," Miller wrote. "This incident took place because some employees did not exercise good judgment or review their proposal with our privacy team. We are taking appropriate action with the employees who were responsible."

AOL researchers posted the data on the user Web searches to a new AOL research Web site last month. It then pulled it and apologized for the security breach shortly thereafter, but not before other sites got ahold of the data and made it searchable. AOL has been widely criticized for releasing the data.

Last week, the Electronic Frontier Foundation, a digital-rights group in San Francisco, filed a complaint against AOL with the Federal Trade Commission. The complaint (click here for PDF) asked the FTC to look into AOL's possible violation of its privacy policy and federal law. The EFF also asked regulators to require AOL to notify all users affected by the leak and to stop logging searches except in extraordinary cases.

The World Privacy Forum also filed an FTC complaint (click here for PDF) against AOL last week, including an allegation that AOL released user search data in 2004.

While the members were kept anonymous, the data was so thorough and extensive that privacy advocates warned that it would be possible to trace searches back to specific searchers, which several newspapers and other organizations were able to do.

"Whatever staff changes AOL chooses to make does not reduce the need for Congress and the FTC to step in," Kevin Bankston, staff attorney for the EFF, said in a telephone interview.

"To the extent the CTO's departure does have to do with this, I hope that it indicates AOL recognizes this isn't an issue of fixing a unique incident but rather reconsidering their approach to how they handle search logs," he added.

Pam Dixon, executive director of the World Privacy Forum, said the FTC should investigate whether AOL partners and others have received sensitive user data from AOL over the years.

"I don't think firing employees is going to be a solution to the problem. It appears that these data disclosures were a symptom of a more systemic problem at AOL regarding data handling policies and practices," she said. "The 'tip of the iceberg' may well apply here; it will be up to the FTC to find this out, though."

It is unclear whether AOL's release of the user search data was illegal, but if AOL broke the law, the FTC should take action, said Ari Schwartz, deputy director of the Washington, D.C.-based Center for Democracy and Technology, which receives a small fraction of its funding from AOL.

Schwartz said he was not convinced of the need for new action by Congress--specifically, a bill offered by Rep. Edward Markey (D-Mass.) that would restrict how long all Web site operators can "warehouse" consumer data. It would be preferable for the industry to come to an agreement on uniform, voluntary standards, he said.

The notion that search companies are retaining information about users' personal searches, which "should be routinely deleted," is a lingering concern, said Marc Rotenberg, executive director of the Electronic Privacy Information Center.

"AOL could do a real service to the online community," Rotenberg said in an e-mail interview, "if it would commit to permanently (deleting) all personal search details and challenge other search companies to do the same."