From: Brad Malin
Date: August 9, 2006 1:05:55 PM EDT
To: David Farber
Subject: AOL Case and the EU Data Directive?
Hey Dave - I was wondering... As the AOL fiasco unfolds, the company finds
itself in a bit of a pickle. In its current state, AOL is potentially in
violation of the FTC's deceptive practices policy. This puts them in hot
water in the USA, and apparently a class action lawsuit is about to be
brought to the table.
But there exists the potential for even more concern. Specifically, I'm
wondering if AOL's published data concerns only US citizens? As you know,
several years ago AOL branched out and went international, e.g.,
http://www.aol.co.uk/. And if the published records contain information
gathered via its European branches, then AOL is in violation of the EU Data
Directive in many ways. First, it's in violation of the safe harbor
provision of the directive. Second, it's in violation of the directive
itself for protection mechanisms that must be in place for the secondary
sharing of person-specific data.
So, a question and a challenge:
1) Has AOL stated which population the data corresponds to?
2) If not, I don't have the time to do the re-identification study, but I
propose a challenge to any students or professionals with extra time on
their hands. First, try to categorize the users in the dataset into
countries and/or regions. Second, try to pinpoint individuals from
countries outside of the US.
I'm not trying to take down AOL - but make a point.
-brad