I’m not going to go into detail about the AOL incident. The New York Times article, “A Face Is Exposed for AOL Searcher No. 4417749,” did a good job. Instead, I want you to think about what you do on the web. Do you ever think about the web sites where you intentionally leave or request information? Or have you been more concerned about masking your IP address with anonymizers and proxies?
Thinking Beyond Search Engines
While people have been fixated on search engines, I think we need to look beyond them. More websites and tools are appearing that offer greater convenience, such as putting more types of information online (photos, resumes, family trees, scrap books, invitation lists, project plans …).
In some cases, the convenience is worth the risk, but you need to make that call. I don’t leave my credit card number on any shopping site. It means I need to re-enter the information on a future purchase, but that’s acceptable to me.
You also need to think about how accessible your data is and who else might be able to benefit. Information is currency and its value varies based on the user. For example, I might not care about your birth date, but that data bit is critical for someone trying to steal your identity or to secure a credit card in your name. And it may be nice to get a Happy Birthday wish from some site we frequent or to know our horoscope, but does that mean you should give them the precise date?
Due Diligence Questions
These days, you need to do your research and make choices. This may mean reading a lot of End User License Agreements, privacy policies and security policies. I use a free tool called EULAlyzer that flags items and allows me to save a copy of the agreement.
The list below isn’t exhaustive by any means. Consider it a starting point to assist you in evaluating whether you want to store data on a site or use their services.
2. Who else has access to the information? I’m not just talking about site employees, but other users. For example, who will see the resume you post online?
3. Does this site or tool (e.g. browser toolbar) indicate how your data will be used? For example, does that nifty toolbar you added collect data that might be used by 3rd parties?
4. Is the site public? If you’re posting information on a public website or forum, make sure you’re comfortable with others reading it for a very long time. Even if the site goes away or changes, people may still see content from places like the Wayback Machine.
5. What if your data became public? Many people are starting to use web services that allow you to create and store all sorts of data such as documents and spreadsheets. Are you keeping your firm’s next product launch on a cool new beta site?
6. What if the website provider closed? Are you storing any information on a site that is irreplaceable or would cause major inconvenience if you weren’t able to access it?
7. How does the vendor protect your data? Does the site require you to use a password? Do they use other services such as Hacker Safe (now called McAfee Secure) or abide by some code of ethics?
8. How do you protect your data? Yes, you have a role too. If a site password is required, when was the last time you changed it? How easy would it be for someone to guess it?
Could people guess the answers to common security questions we see about “pet names”, “high schools”, “first car” or “maiden name” from info or photos you’ve publicly posted?
9. Can you get your data out? If you decided not to use a site where you’ve stored data, can you get it out? Is there a way to export your information or delete it?
10. Do sites need all this information? Sometimes, we provide more than what is necessary. Carnegie Mellon’s Data Privacy Lab has a program underway called Identity Angel that advises resume posters when they’ve provided confidential information such as social security numbers or birth dates.
And if you have a website, consider whether you are capturing information you don’t need. As we discussed with one site owner, she didn’t need people to give her birth dates on an online registration form. Instead she needed a way for the user to indicate their age bracket for a road race. In one case, the user might provide 12/02/1950 and in another “Over 55”. Which answer would you prefer to give?
Last Updated (Saturday, 19 June 2010 15:12)