21st: AOL's insecurity complex

AOL's insecurity complex: By David Cassel. The online service can't even keep its own staff bulletin boards private.

Published February 6, 1998 8:00PM (EST)

You've probably heard about the "other" Timothy McVeigh -- the sailor who found himself the target of Navy discharge proceedings for violating its "don't ask, don't tell" policy, after America Online divulged the real-life name behind his online profile.

At this point, only a district judge has prevented the Navy from completing the discharge. After a firestorm of press coverage, AOL CEO Steve Case issued a special "Community Update" to try to mollify anger. "We have always recognized that privacy was an absolutely central building block for this medium," Case argued, "so from day one we've taken steps to build a secure environment that our members can trust."

But Case's words rang hollow. The McVeigh affair wasn't an isolated incident. In the ensuing coverage, other subscribers also came forward with stories about AOL's loose lips. And only days after that controversy arose came the latest in a long sequence of disturbing AOL security breaches, undermining AOL's claim that it provides a "secure environment."

Around midnight Jan. 26, I received a mysterious e-mail message: "Before you miss the whole thing, you should really try and check out keyword: TA."

Since I edit a mailing list about AOL, I sometimes receive tips about hacked content. So I dutifully visited AOL's "Traveler's Advantage" area, which normally promotes innocuous travel-related services. ("Win a romantic Getaway for Two OR $5,000 CASH!")

It was different that Monday. As with many previous acts of high-tech vandalism, the title of the window had been changed in the middle of the night. Instead of "Welcome to AOL Travelers Advantage!" the page read, "Lithium Node was here." (This wasn't the first time AOL had heard from "Lithium Node": Last June, the same group converted AOL's "Academic Assistance Center" into a kind of hacker resource center, complete with manifesto.)

But this attack offered a new twist: Below the substitute title lay a menu linked to dozens of AOL staff bulletin boards. Following the links led to private boards reserved for conversations among AOL's online staff -- including staffers of "The Rosie O'Donnell Show" and AOL's own army of volunteers. Ironically, one area included an essay on the word "confidentiality," saying users should observe confidentiality policies, and "we should take pride in our ability to do so, and set an example for other staffs."

Though the material was apparently meant to be off-limits to the public, it wasn't. A week later, one of the boards sported an announcement outlining a pending policy change. Staffers were told that "Beginning February 4, 1998, Keyword TCB will be viewruled." In other words, AOL was going to restrict access to "The Community Building," a gathering place for AOL's online staff. This tactic was "becoming increasingly important," the memo stated, to assure that an area "is limited to its intended audience, and not available for viewing by others."

The bulletin boards linked from the giant index that had appeared the week before were soon to be roped off. But the obvious question -- why this no-brainer protection wasn't already in place -- went unaddressed. The announcement stated hopes that the board "remains a safe and secure area."

I can't say I was surprised by any of this; AOL has a long history of security and privacy problems. In 1995 hackers accessed the e-mail of CEO Case and other executives. One message -- describing AOL's meeting with the FBI to crack down on hackers -- was even posted to Usenet newsgroups. The hacks continued over the years, and grew more sophisticated. Last April my mailing list uncovered a trick that allowed access to any subscriber's credit card number if they'd revealed their password. AOL had stated this wasn't possible.

While there's no information on how many subscribers were affected, an omnipresent population of ill-wishers compounds any AOL security breach. In September 1996 the Washington Post reported that AOL canceled 370,000 accounts in one three-month period for "credit card fraud, hacking, etc." I once counted over 300 troublemakers massing in chat rooms for an en masse demonstration of dissatisfaction.

What's making users uneasy is the realization that hackers aren't the only threat to privacy. Last August a parody of AOL's CEO appeared in Mad magazine, addressing concerns about high-tech burglar Kevin Mitnick: "My subscribers' card numbers are accessible to someone far more dangerous than him!" Case's parody doppelgänger commented. "ME!!"

In a scramble for profits, AOL itself has resorted to varying degrees of invasiveness. In July, for instance, AOL faced controversy over plans to sell subscribers' home phone numbers to telemarketers. AOL's compromise solution wasn't as well publicized: Users will still receive unsolicited calls, but only from AOL's own stable of telemarketers. In addition, when customers now phone for technical support, staffers try to transfer them to outside telemarketing firms at the end of the call.

AOL has faced questions about its privacy policies since 1994, when Rep. Ed Markey, D-Mass., expressed concerns about AOL's plan to sell information about customers to marketers. Three years later, privacy advocates at the Electronic Privacy Information Center remain concerned. AOL recently acknowledged that its current marketing plan includes gathering aggregate information about customers' movement through the service, and then using the information to sell more targeted advertisements. The existence of such a database troubles privacy advocates, whether or not the information is attached to a user's identity. And since a recent industry report calculates that nearly 60 percent of the time Americans spend online is spent on AOL, the company is in a unique position to compile records on how that time is spent.

In the McVeigh incident, AOL originally stated it was confident that its policies had been followed. Later, Case's "Community Update" conceded that "this should not have happened, and we deeply regret it." He closed by telling members that "AOL's commitment to protecting the privacy of our members is stronger than ever." Ironically, Case's apology appeared above an icon reading "Click Here to Keep Your Resolutions." It often seems that AOL is more interested in appearing to honor privacy and security than in actually providing it.

In the last 10 months, at least 28 areas of AOL have been altered by hackers. Most fell to human error -- someone with "publishing rights" divulged their password. But AOL's performance in the face of these problems hasn't inspired confidence. Content partners say a memo distributed in October acknowledged that one of AOL's own employees had lost control of a privileged account. Seven areas were modified that night, including Reebok, AOL's Jewish Community Area and even Case's Community Update. (Its second page was retitled "Hey there, Sexy.")

The attacks are getting more sophisticated. After vandals left a manifesto criticizing AOL's NetNoir area, its producer dispensed a carefully crafted response to reporters. But the graffiti artists got a second chance -- weeks later they returned on another purloined account and posted a rebuttal.

AOL has a ways to go before it regains my trust. By the morning after I received that mysterious e-mail message, keyword "TA" had been restored to its original travel pitches. But for nine days afterward, most of the staff areas remained accessible to anyone who'd added them to their bookmark file.

Case needs to work a little harder on his resolutions.


David Cassel is an Oakland, Calif.-based freelance writer covering the Internet and popular culture.
