u500k.erinye.com - the AOL data analyzed

Looking for Specific Data

While "anonymized search data" might not sound too threatening, it has been pointed out that, while users' screen names are not part of the information released by AOL, many users still search for things that can be linked to them. Many users search for their own name to see if their home pages show up in the results. Because the same screen name translates to the same ID number in the log file, as soon as one search is linked to a real person, all other searches of that person during the period the data was captured in can be linked to that person, too.

Social Security Numbers

Names aren't the biggest issue, however. Most searches for names appear to be (thanks to AOL, I can actually find out) for celebrities or idols. Furthermore, it isn't easy to tell searches for your own name from searches for any other name. However, it turns out Americans also search for social security numbers. I made my computer look through the log files and print out all numbers that look like US American social security numbers, that is, nine digits and one of the valid prefixes. This resulted in some 2000 numbers, of which many were no social security numbers, but numbers of similar structure. However, there are five occurances of a number that looks like a SSN, together with the search string "ssn". Unlike AOL, I've anonymized the results for posting on the web:

Censored User ID	Censored Search Query	Date
15***	ssn 38*******	2006-03-24 20:17:56
18***	taxreturn ssn 57*	2006-05-18 07:50:11
24***	(full name removed) ssn 22******* navy record	2006-04-13 14:17:34
64***	ssno.34*******	2006-03-03 10:45:41
64***	ssno.34*******	2006-03-03 10:45:52

So the internet now knows the identities of persons (the last two searches are from the same user, probably hit the "next page" button) from Wisconsin, DC, Virginia and respectively, Illinois. I could now use their ID numbers to look at their other searches. For example, about person 24*** from the above table I know, besides the interest for someone's (possibly her own or a relation's) Navy record, that she's also interested in the following:

the Walnut Ridge High School in Columbus, Ohio
crossword puzzles
nude pictures of celebrities
spare parts for an old car
baseball
and many other things

About 15***, I know that:

she needs more friends
she can't spell friend
she likes wooden stoves
she likes chess
she's interested in playing the lottery

Telephone Numbers

Just like SSNs, people also search for telephone numbers. However, they're comparatively hard to validate, so I'll skip them for now.

Credit Card Numbers

Having your identity logged and made publicly available might not be the worst to fear, though. While we now know that 24*** likes baseball and nude celebrities, that's pretty normal. I guess there are lots of people around who like baseball and more who like nude celebrities. No big deal. But people search for more than their SSNs. You have probably heard of insecure shop sites being broken into and credit card numbers being stolen and put on the internet before. Possibly, you've even used AOL search to see if your own credit card number is on the internet. Again, I made my computer sift through the log files and print out numbers that look like valid credit card numbers. Those are easier to validate because, unlike SSNs, they have a checksum and not as many valid prefixes as SSNs. Searching the internet to see if your credit card number is public knowledge, then having AOL put it on the internet - Priceless.

In the log files, I found 30 valid VISA numbers, 4 valid MasterCard numbers, 3 valid American Express numbers and 2 valid Discover numbers. Some of them immediately turned out to be unrelated to credit cards with the number being part of an URL or text that was searched for, however the majority of the searches that contained those numbers only contained those numbers and nothing else. Only less than 10 unique credit card numbers are contained in these searches, though. This means that out of 658.000 people logged, at most 10 entered a credit card number. If you did enter your credit card number into AOL search between March and May 2006, get a new card. Everybody else: It's not as bad as initially suspected.

The credit card number searches included one person, I'll call her 39*** for now, who regularily searched for the same VISA number - several times per month. This is some of what I now, thanks to AOL, know about person 39*** - again, anonymized:

she is a very frequent user of AOL search
she wants to start an intimate relationship with her sister
she wants to eat dolphin meat
she wants to bild a high performance engine
she wants to spent her vacation in the Florida Keys

Another person I found this way also searched for several different names of persons that apparently are parts of the same family or otherwise closely related.