AOL Watch: Leaks and Leverage

David Cassel (
Thu, 16 Jul 1998 12:27:41 -0400

	  	     L e a k s   a n d   L e v e r a g e


C|Net broke the news:  "A database containing sensitive account
information about AOL community leaders was hacked and the data circulated
via e-mail.",4,23726,00.html

1363 Community Leaders -- more than 10% of AOL's remote staff -- found
that the real-life names behind their screen names were stolen by
malicious attackers.  More critical information leaked out, too.  Their
account numbers -- unique digits assigned to every AOL account -- were
also taken.  (One former Guide reports AOL's phone operators historically
used that information as a super-password.  "If you have your account
number handy, you can kind of bypass all the questioning," they
remembered.  "I guess they assume if you have that, you are who you say
you are.") 

A C|Net columnist dragged more information from the perpetrator last
Thursday.  His story?  An AOL employee DELIBERATELY granted access to an
account with the sensitive information.  ("I had an AOL in-house employee
re-set the password," the attacker explained.)

Even AOL managers suspect as much, the former Guide pointed out.  "Certain
'Team Leaders' within the Community Leader program have privately
confirmed that this stuff has to be happening due to an inside leak." 

A breach involving AOL employees?  It wouldn't be the first.  In 1996 a
password-fishing criminal who changed the address on an AOL subscriber's
checking account and ordered several credit cards in her name was
identified:  an employee at AOL's customer service building in
Jacksonville.  ( ) Florida Assistant 
State Attorney Andrew Kantor told AOL Watch the employee was prosecuted
after a multi-state investigation.  Subcontractors at AOL's previous
customer service facility in Texas have also come forward, acknowledging
that they re-opened cancelled accounts for "joy rides" -- and even
accessed accounts belonging to celebrities! 

The manager of the Community Leaders program sent a re-assuring message
about AOL's security, but some remained skeptical -- especially since that
same manager's account was compromised by hackers in November.  The
incident contradicts AOL's careful public statements.  In a special letter
on telemarketing last July, Steve Case told members "you can be assured
that your privacy is being protected."  (Just months later, a customer
service rep named 'Owen' divulged the real-life name of a Navy sailor... ) 

The latest breach comes just weeks after AOL's new "privacy policy" was
unveiled.  Boardwatch's Wallace Wang remains skeptical of the new-found
commitment.  "While this sounds nice," he wrote, "it's mostly a knee-jerk
reaction to AOL's incompetence when they freely provided personal
information about a gay sailor to Navy representatives."  AOL's latest
statements leave the columnist unimpressed.  "Until the next major public
relations crisis strikes AOL, don't expect the online service to improve
any until disaster threatens to topple them once again.  
( )

One cynical AOL user has already crafted their response.  "AOL's Terms of
Service forbids a member to: 'Harass, threaten, embarrass, or do anything
else to another member that is unwanted'," they wrote in their member
profile.  "Does this include outing their sexual preference to the Navy?" 

Incidents like these may ultimately affect AOL's phone support.  A former
customer service staffer reports a rumor that AOL plans to replace phone
representatives with "a computer phone system that you call to get
standard answers to your problems..."

But users are already furious about AOL's handling of their information. 
Several who had indicated their desire not to receive pop-up
advertisements from AOL received them anyways.  "If you were so damned
serious about 'protecting privacy,' why in the hell did you
*automatically* expire my marketing preferences and give my name, phone
number, address, and e-mail address to marketing organizations and
telephone solicitors??" one Community Leader asks in a letter to their
supervisors.  ( ) 

AOL had aggravated the situation by requiring all Community Leaders to
sign a privacy policy just weeks earlier.  ("We are going the extra mile
to ensure that this focus on protecting member privacy becomes an
important part of the ongoing mindset across the company," they had
claimed.") "I'll sign *YOUR* Privacy Policy when you agree to STOP
releasing *MY* private information," the Community Leader's letter
concluded.  "Otherwise, go tell your little 'privacy fairy tale' to
somebody who might believe it." 

Unwanted ads may foreshadow things to come -- since AOL's new Marketing
Preferences allow them to disregard customer requests not to receive ads
after a fixed period of time, unless subscribers re-affirm their
preference. But is the keyword just for show?  Twelve AOL Watch readers
reported they couldn't submit "marketing preferences" blocking AOL's ads.
"I get a screen that says Sorry, we can't process your request right
now..."  one complained.  "No matter what time of day or night I try to do

"Funny how things work at AOL," another added suspiciously.  A third noted
that "I've been trying for two days, and can not get past the wait cursor.
I've let it run for more than 10 minutes on two occasions..."  Sometimes
it's even worse.  Another user reported the process actually froze their
AOL software, and they had to restart their computer -- twice!

Their conclusion?  "AOL won't take no for an answer...!"

It's not the first time.  "AOL subscribers trying to request that their
telephone numbers not be used for marketing purposes encountered
overloaded computers at the online service,"  the Washington Post reported
-- one year ago.  Two users say the problems have lasted at least a month. 
"Your keyword MARKETING PREFERENCES has CONSISTENTLY been returning the
following message for at LEAST one SOLID MONTH NOW," a user wrote in a
letter to Steve Case Friday.  " 'We're sorry, but our host computer cannot
process your request - there are too many requests pending."

"Please continue, and try again in a few minutes," it advised.  Their
question to Steve Case?  "WHEN, exactly, is this thing going to be FIXED?" 

AOL may be selling ads, but financial analysts have some questions about
who's buying. "It's interesting to see the small fry that America Online
has sometimes partnered with,"  AOL's Motley Fool wrote, citing a recent
deal with Digital Courier.  "The company was short on working capital even
before committing to the new AOL agreement," they wrote.  Others are even
more concerned.  In November, Salon wrote on reports that AOL had
"strained relations with the ad community."

Recent statistics suggest AOL is delivering over 100 million ads EACH DAY
( ) -- and one of the
net's most notorious spammers -- Sanford Wallace -- shared his conclusion
with MSNBC.  "I don't have a problem publicly stating that I think America
Online is a huge hypocrite,"  he announces. "They deluge their members in
pop-up ads, they send their disks to every known address in America, yet
they are taking the public position that they are fighting unsolicited
advertising.  It just doesn't make sense."

Users who were able to indicate that they didn't want to receive the
advertisements were surprised when they reviewed their choices.  "I found
that all spam areas indicated that *Yes* I did want these offers via
phone, Mail, USPostal Mail and whatever else I went to great lengths to
tell AOL *no* I do not want your SPAM!!!" one member told Steve Case.
"What part of *NO* does AOL not understand?"

AOL claimed they had recorded the preferences, and simply didn't leave
them on-line for users to review.  But this created more ill-will.  "I am
forced to look at ads in profiles, I am forced to wait for ads to load
each and every time I download..." the user's e-mail continued. "How can
you force me to accept EMail, USMail and phone calls from these folks?" 

AOL is allowed to send subscribers junk mail, as well as to phone them at
home, or send them junk e-mail, unless users pro-actively request
otherwise -- a policy that troubles privacy experts.  "It can't be a case
that if a customer doesn't object, you can do anything," one privacy
advocate told Wired News.

There's growing concern -- and AOL's new policy drew skepticism from David
Sobel, an attorney for the Electronic Privacy Information Center. "This is
all about marketing," he told Interactive Week, "and privacy does well in
the polls right now."  Noting that AOL does collect information about how
their subscribers are using the service, Sobel commented that "AOL may be
trying to create a niche that they may not be entitled to based on the
real workings of this policy." Currently AOL combines information about
subscribers with other "publicly-available" information, which they then
sell at a premium -- and they have more tactics.  On the web site for ABC
News, Chris Stamper adds AOL "will, for example, keep track of how many
Beanie Babies you bought from AOL Shoppers Advantage and use that
information to try to sell you more."

"The industry's strategy has been plain," a privacy advocate told Wired
News.  "They forestall laws being passed that would give consumers
effective rights of redress."  Self-regulation may seem benevolent, but
"by self-regulating, they can keep the enforcement mechanisms
non-existent, or under their own control, so they don't have the
inconvenience of legal sanctions."

Sometimes the ads even follow you home.  AOL recently mailed a "Spring
Shopping Survey" to many members, offering them a free electronic
"databank" if they'd "simply complete the enclosed Spring Shopping Survey" 
and mail it back to AOL.  Buried seven paragraphs into the letter -- on
its back -- a surprising caveat lurked.  Filling out the survey would
enroll them in an on-line shopping service, and three months later,
subscribers who fail to cancel the service would be charged $59.95 -- one
year in advance -- "billed automatically to your credit card account on
file with America Online." 

Unfortunately, AOL's advertising could be steering users to worse deals. 
( ) A bottle of perfume available
for $25.88 from FragranceNet would be sold to AOL customers for $55,
according to Jason Apfel, Vice President of FragranceNet, because of AOL's
exclusive deal with the higher-priced vendor.

"If the AOL press release is accurate, then America Online members will
pay higher prices for fragrances in the AOL Marketplace," he announced in
a press release -- adding that "a serious epidemic is developing in the
world of e-commerce when competition is eliminated by exclusive deals
which are not in the customer's best interest." 

AOL's reputation precedes them.  Many ICQ users are abandoning the
instant-messaging software, fearing its new owner -- AOL -- will use it as
an advertising vehicle.  "I'm un-installing it this moment due to this
merger," one ICQ user told Wired News -- and another told Ziff-Davis News,
"I will erase it from my drive at the first AOL-backed ad I see, and will
encourage my friends to do the same.",3440,2110788,00.html

Their fears are well-founded.  Four months after AOL acquired CompuServe,
a multi-year marketing deal with Tel-Save was signed to bring
phone-service advertising to CompuServe's customers. 
(,4,18916,00.html ) Subscribers didn't
take the encroachment lying down.  According to published reports, 28% of
CompuServe's users left the service in that same fourth-month period.

AOL's downplaying their presence.  "We don't tell people AOL owns
CompuServe,"  an executive told Wired News, "and we don't want people to
know."  But Ziff-Davis News reports CompuServe's latest software is
"plainly 'more AOL-like'..." and one reporter notes CompuServe subscribers
now hear the phrase "You've got Mail!",3441,2116078,00.html

ICQ may face even larger defections.  Last month one web site conducted a
poll of nearly 25,000 ICQ users -- and its results were striking.  "If AOL
forces you to view their advertisements while using ICQ," they asked,
"will you continue to use it?" 

		          No: 19161
		          Yes: 4257
		          No opinion: 1454

But AOL may not even care about the number of users.  Describing the
acquisition, one analyst told C|Net, "It's basically acquiring their
largest competitor,"  (,4,22947,00.html ) 
Another source told The Standard that it would only be worth AOL's money
if "it helps [AOL] fence in the open range of the Internet." 
(,1151,605,00.html ) 

Ironically, privacy concerns that plagued AOL users may soon affect ICQ's
users.  Its user agreement currently states that "Information provided or
related to by you may serve for the purpose of target advertising by
Mirabilis or other parties," one web page reports.

But ICQ users face even more serious privacy concerns.  "With all the
security flaws in ICQ," another web page suggests, "it looks like it's
*everybody's* portal to your desktop."

AOL's subscribers are at a breaking point.  "The price was just raised," 
one complained to AOL Watch, "but the service has worsened and the ads
have increased."  Another saw a connection.  "It's BECAUSE of AOL's
unbelievably terrible service that they raise their rates," they told AOL
Watch.  "So many people quit, they'd go broke if they didn't!"  Steve Case
argued AOL needed additional money "so that we can continue to provide AOL
on an unlimited use basis" -- but others predict disaster.  A financial
analyst told C|Net "it is a dreadful mistake to raise the monthly price
point beyond the consensus price [$19.95]..."
(,4,23011,00.html ) 

Other changes have outraged AOL subscribers, too.  Wednesday AOL's new
Terms of Service went into effect -- which warns users that "we prohibit
the use of tools that defeat AOL's automatic log-off feature."  AOL's
spokeswoman defended the "idle-timers" to the Boston Globe, saying "You're
not supposed to disable them."

AOL Watch sent an e-mail to Steve Case's office, but only received a
response -- a form letter -- eleven days later.  Its dubious explanation? 
"Members who are on the hourly pricing plan certainly appreciate that if
they are called away from their computer, the system logs them off so they
are not charged for time they aren't using."  The e-mail also claimed this
was nothing new, stating "we have simply clarified our long-standing
position on this issue..."  But subscribers aren't buying it.  In the
past, customers who phoned to cancel their accounts were advised to
download the "timer-zappers" at 
one former customer service staffer remembers. 

But there was also a more sinister strategy.  The staffer described a
policy of red-lining accounts which belonged to heavy users, and even
people who phoned customer service too often.  "These accounts get killed
as soon as possible for ANY infraction in billing or TOS," the former rep
explained.  "It's the unknown method of weeding out high users of time and
technical support..." 

It's not clear whether that practice is still in effect.  (When contacted
in April, a representative for the New York Attorney General's office said
they would investigate...)  But the policy of logging off "idle" accounts
infuriates users.  "Rather than AOL purchasing the adequate number of
modems to accommodate the consumer, they are asking us to bear the
burden," an AOL user told the Boston Globe.  They also resent AOL's ban on
the software to thwart timers.  One web page notes that "many handicapped,
elderly, and severely arthritic, people MUST rely on these programs."

They're taking action.  "The AOL protesters are in the process of
compiling a list of advertisers on AOL," one subscriber told AOL Watch,
"so that we can recommend that citizen/consumers of AOL write to and
boycott these corporations, in an attempt to get AOL to hear and respond
to our grievance. 

"With something other than a form letter!" 


Days before information about 1363 AOL staffers had been compromised,
Steve Case announced that "To build a global interactive medium that is as
central to people's lives as the television or telephone, we will first
have to win the full trust and confidence of consumers that their private
information will stay private."

Consumers are becoming distrustful instead.  One subscriber visiting AOL's
booth at the MacWorld show in New York found them offering T-shirts for
opening AOL/Visa accounts.  "How's this for a slogan?" he suggested.  'We
don't want you to lose your shirt when someone steals your credit card
info from our database'." 

 David Cassel
 More Information:


    Please forward with subscription information.   To subscribe to this
    list, type your correct e-mail address in the form at the bottom
    of the page at -- or send e-mail to

    To unsubscribe from the list, send a message to MAJORDOMO@AOLWATCH.ORG
    containing the phrase UNSUBSCRIBE AOLWATCH.