These high-profile privacy scandals involve many underlying
technologies, from search to social media, e-mail to voice mail, mobile
phones to Webcams to GPS. But at the heart of all of these privacy
scandals are companies collecting personal data without the user's
knowledge or consent and then either sharing it with third parties or
simply failing to keep it safe.
The latest company to come under
the privacy microscope is Google, which revealed a new privacy policy on
Tuesday that clarified how it is combining user data across its
services.
Meanwhile, on Wednesday the European Union unveiled
stiffer penalties and higher fines for U.S. firms that fail to meet
their privacy rules for cloud computing and social media applications.
With online privacy expected to remain a high-profile issue in 2012, here's
our list of the biggest online privacy breaches of all time:
1. Sony CD Spyware
Sony BMG ran into a major privacy flap in fall 2005 because of the
anti-piracy measures called XCP that it added to music CDs. When a
customer played one of these CDs on a Windows PC, the CD installed
hidden rootkit software onto the PC that communicated the CD being
played and the IP address of the PC back to Sony. This so-called
spyware also created vulnerabilities on PCs for worms or viruses to
exploit. Critics said Sony had created a backdoor onto its customers'
machines, leading Sony to recall the CDs and offer a free removal tool
for the rootkit software. Class action lawsuits were filed against Sony
in Texas, New York and California. The U.S. Federal Trade Commission
required Sony to pay $150 to any consumer whose PC was damaged by the
software as part of a settlement for violating federal law.
2. The Craigslist Experiment
In February 2006, Seattle Web developer Jason Fortuny posed as a woman
seeking sex on Craigslist to see how many responses he would get in 24
hours. He received 178 responses, including photos, names, e-mail
addresses and telephone numbers of the men who answered the ad. Fortuny
then published all of these responses on a Web site called
Encyclopedia Dramatica. The incident received a significant amount of
mainstream media coverage, including the Associated Press and MSNBC.
Fortuny was later sued in Illinois court by an anonymous plaintiff, and
in May 2009 Fortuny ended up receiving a $75,000 default judgment.
3. AOL Search Leak
In August 2006, AOL released a file containing 20 million search keywords
used by 650,000 of its users over a three-month period. The file was
supposed to be anonymous data available for research purposes, but
personally identifiable information was available in many of the
searches, making it possible to identify an individual and their search
history. AOL admitted it was a mistake to release the data and removed
it from its Web site after three days, but by then the data had been
mirrored at sites across the Internet. AOL's CTO Maureen Govern quit
two weeks later. In September 2006, a class action lawsuit, which is
still lingering in California courts, was filed against AOL demanding
$5,000 per user.
4. Google Street View
In May 2007, Google added its Street View feature to Google Maps, and it
has been battling privacy complaints, paying fines and facing audits
ever since. Google Street View provides panoramic views of streets
gathered by webcams. It prompted privacy worries for showing men
leaving strip clubs, people entering adult bookstores, and people
picking up prostitutes, among other activities. Google allows users to
flag worrisome images for removal and added a blurring feature for
faces and license plates. Nonetheless, Street View has run into
privacy battles with Switzerland, France, Belgium, Germany and South
Korea, to name a few countries. France fined Google the equivalent of
$142,000 in March 2011 related to Street View, but an August 2011
review by the U.K. government gave Google positive marks for improving
the privacy of Street View. Meanwhile, Google must undergo regular
privacy audits mandated by the FTC for the next 20 years as the result
of a settlement over improper privacy disclosures in its now-defunct
Buzz social media service.
5. Hotmail Hot Mess
One of the biggest privacy scandals in terms of scale involved Microsoft's
Hotmail free e-mail service. In October 2009, Microsoft urged hundreds
of millions of its Hotmail users to change their passwords due to a
privacy breach. Microsoft said it discovered that users' details from
10,000 e-mail accounts were posted on the www.pastebin.com Web site as
the result of a likely phishing scheme. Microsoft urged users of email
accounts ending in @hotmail.com, @msn.com and @live.com to begin
changing their passwords every 90 days.
6. Webcamgate
A Pennsylvania school district that used built-in Webcams to monitor the
use of several thousand Apple laptops that it provided to students for
their use at home ran afoul of online privacy issues and was forced to
pay up. The school district admitted it had over 56,000 photos and
screen grabs gathered by the Webcams and security software installed on
the laptops. These photos were taken without the knowledge or consent
of the students, including in their bedrooms and in various stages of
undress. In April 2010, high school sophomore Blake Robbins filed a
class action lawsuit against the Lower Merion School District for
invasion of privacy. In October 2010, the school district agreed to pay
$610,000 to settle two lawsuits related to the incident.
7. Facebook Apps
The popular social media site has been plagued by privacy issues over the
years. Its highest-profile problem was in October 2010, when Facebook
admitted that its top 10 most popular applications, including FarmVille
and Texas Hold'em, shared user data, including names and friends' names,
with advertisers. A Wall Street Journal investigation uncovered the
Facebook privacy breach and said it affected tens of millions of users,
including some that had used Facebook's most stringent privacy
settings. Facebook had previously been in trouble for transmitting user
ID numbers to advertising companies when users clicked on ads. In
November 2011, Facebook settled a case with the U.S. Federal Trade
Commission about several incidents and agreed to 20 years of third-party
privacy audits.
8. Patient Data Exposed
In March 2011, California-based insurer HealthNet announced a privacy
breach for nearly 2 million of its customers, exposing their names,
addresses, Social Security numbers, health and financial data. The data
were unencrypted and stored on hard drives that have gone missing from
contractor IBM's data center. A nationwide class action suit was
filed against HealthNet and IBM as a result of this incident. It was
HealthNet's second big data breach in two years, having lost the Social
Security numbers of 1.5 million policyholders stored on a hard drive
in 2009. HealthNet isn't the only healthcare provider to lose private
medical data or inadvertently post it online. The U.S. Department of
Health and Human Services says personal medical data for more than 11
million people have been exposed online in the last two years.
9. Behavior Targeting is Targeted
A new area of concern for privacy advocates is behavioral targeting by
online advertising services. These services create behavioral profiles
based on anonymous data of how computer users surf the web and then
serve up targeted ads based on these profiles. The FTC ruled in 2009
that these services must provide consumers with notice about the
collecting of behavioral data and provide them with the ability to opt
out. In March 2011, the FTC reached its first behavioral profiling
settlement with advertising network Chitika for deceptive opt-out
practices. Chitika said it mistakenly programmed the opt-out setting
for 10 days, instead of the intended 10 years.
10. iPhone Tracking
Apple received so much criticism about how its iPhones and iPads were
collecting and storing user location data that then-CEO Steve Jobs made a
rare apology in April 2011. Jobs conceded Apple's mistakes in dealing
with the location data after security researchers discovered an
unencrypted file inside the devices contained a cache of locations
visited over the last 12 months. Jobs emphasized that Apple was not
tracking its customers: "Never have. Never will," he said, in response
to the criticism from Congress and others. Apple provided a free
software update to users to fix the glitch. But that wasn't the last
time that location data gathered by mobile devices from Wi-Fi hotspots
has come under fire. Google and Microsoft later admitted that they
store the same kind of user location data on their mobile operating
systems, too.
11. PlayStation Network Hacked
Also in April 2011, Sony announced that hackers had stolen personal data
from 77 million PlayStation subscribers. Although this was a security
breach of Sony's PlayStation Network, the privacy implications were
significant given that the intruder had stolen names, addresses, email
addresses and birthdates for so many customers. Sony said it was unclear
whether credit card data was stolen, and it warned customers to be on
the lookout for identity theft. Security experts said the Sony privacy
breach was one of the largest on record. Sony estimated that the
incident cost the company $171 million to rebuild its computers and
purchase credit protection services for its customers.
12. Disney Violates Kid Data Rule
U.S. Web sites that target children for subscriptions or sales must comply
with special rules aimed at gathering permission from parents under the
Children's Online Privacy Protection Act (COPPA). In May 2011,
Disney's Playdom, Inc. had the dubious honor of paying the largest-ever
COPPA fine, which was a $3 million civil penalty from the FTC for
gathering and sharing personal information about hundreds of thousands
of children without parental consent. Playdom, which runs the popular
Pony Stars site, collected kids' ages and email addresses and allowed
them to post their full names and locations. Other sites that have run
afoul of COPPA rules include blogging outlet Xanga.com and mobile app
developer Broken Thumbs.
13. Carrier IQ
The year 2011 closed out with another privacy-oriented brouhaha, this time
surrounding Carrier IQ, which sells analytics software for mobile
devices. The software is used in an estimated 142 million smartphones. A
systems analyst/amateur security researcher discovered this software on
his smartphone, and found that it was capturing battery life,
connections, text messages, emails and other actions. A slew of
accusations followed, with Carrier IQ and its carrier customers being
taken to task for allegedly keylogging, spying and tracking. But more
detailed analysis by other professional security researchers found that
the systems analyst who originally raised the issue was confusing
Carrier IQ's actions with those of debug statements mistakenly left in
the Android code by phone maker HTC's programmers. As it turns out,
Carrier IQ was simply collecting performance data for optimizing the
end users' experience. Nevertheless, the original discovery reportedly
prompted Sprint and HTC to stop including the Carrier IQ software
on their devices.
14. GM to Sell Vehicle Data
General Motors has run into privacy issues with its OnStar GPS-based system,
which may continue to track vehicles even after a customer cancels the
service. General Motors changed its OnStar privacy policy in December
2011, indicating that it reserves the right to share data it has
collected - such as a vehicle's speed, location, odometer reading, seat
belt usage and airbag deployment - with other companies. This is true
even for customers who have cancelled the OnStar service unless they
explicitly ask for the two-way communications link to be disabled.
General Motors says the data would be anonymous and aggregated before
being sold. Vehicle-based telematics systems like OnStar are an
emerging area for privacy concerns, with new worries about the
possibility of misuse of data.
15. Voicemail Hacking
One of the biggest stories of 2011 was the shuttering of News Corp.'s
weekly U.K. publication, News of the World, as the result of widespread
hacking of the mobile voicemail accounts of politicians, celebrities
and crime victims in the pursuit of stories by the tabloid publication.
Investigations of this illegal behavior are ongoing, but have already
led to several high-profile arrests and resignations of News Corp.
executives. Reporters apparently hacked into the voicemail accounts by
using the default PINs that shipped with the phones.