Researchers Release Profile Data on 70,000 OkCupid Users Without Permission (vox.com) 190
An anonymous users shares a Vox report: A group of researchers has released a data set on nearly 70,000 users of the online dating site OkCupid. The data dump breaks the cardinal rule of social science research ethics: It took identifiable personal data without permission. The information -- while publicly available to OkCupid users -- was collected by Danish researchers who never contacted OkCupid or its clientele about using it. The data, collected from November 2014 to March 2015, includes user names, ages, gender, religion, and personality traits, as well as answers to the personal questions the site asks to help match potential mates. The users hail from a few dozen countries around the world. The researchers, Emil Kirkegaard, Oliver Nordbjerg, and Julius Daugbjerg ran software to "scrape" the information off OkCupid's website and then uploaded the data onto the Open Science Framework, an online forum where researchers are encouraged to share raw data to increase transparency and collaboration across social science.
Read Before Posting (Score:5, Insightful)
I'm not going to name any names, but *several* Slashdot users appear not to be able to read summaries with any degree of accuracy - the data is not public, but only AVAILABLE TO OkCupid USERS (yes, that is what the summary actually says).
*Very* important distinction.
Re: (Score:2)
I'm not going to name any names [...]
Well, I am. This is a story about exposing internet users after all. The comment you're referring to (or one of them) is here [slashdot.org], posted by this long time Slashdot user [slashdot.org], who should hang his head in shame.
Re:Read Before Posting (Score:5, Insightful)
When you create an account, you accept their Terms of Service. Hence, this may well have been a criminal act.
Re: Read Before Posting (Score:2, Informative)
Breaking a TOS != Illegal
Re: (Score:2)
When you create an account, you accept their Terms of Service. Hence, this may well have been a criminal act.
The question then becomes whether the ToS are valid and thus binding. And breach of contract is not a criminal act, but a civil wrong. They could sue for breach of contract, but it is still not a crime.
Re: (Score:2)
The data was copied in Europe. Some of the users will be European. Nobody accused OkCupid of anything and hence where the company is based is immaterial. Are you stupid?
Re: (Score:2)
Re: (Score:2)
So what if the data was copied in Europe. It was LEGALLY obtained from a server in Oklahoma. Are YOU stupid?
The data may be legally obtained, but under EU law its what the data is then used for that counts; the users gave consent for a specific use for that data. If the, legally obtained data is then used for other purposes without explicit permission of the users then its illegal and EU law kicks in. Its nothing to do with OK cupid, they are not the infringer, hence the location of the data doesn't matter on this just the location of the infringer and user.
Re: (Score:2)
Indeed, and rather obvious so.
Re: (Score:2)
No it wasn't. I gave OKCupid permission to show my profile to interested people so that they could decide whether or not to contact me with a view to dating me. I didn't give these researchers permission to publish it on another website.
Re: (Score:2)
Re: (Score:2)
The user, according the the OkCupid TOS, explicitly understands that the data is not going to be private, and that OKCupid has no obligations in that respect. The purpose of posting info to OKCupid is to disseminate that information, so the user, even if they haven't read the TOS, has no reasonable expectation of privacy. They are even encouraged, in the TOS,, to not use a real name if they want to try to preserve some semblance of privacy.
There is no privacy claim from anyone in the EU because they agreed
Re: (Score:2)
It was actually not legally published (regardless from where it came) if it is the data of European citizens (and there will be some in there). I am not sure what European law would say if somebody outside of Europe had done this, but the crime was perpetrated by somebody in Europe, so that question does not apply. Seriously. So what if European law does not apply in the US? It most certainly applies to what people do while being in Europe. You seem to have some rather serious problem with the fundamentals
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Are you stupid? The data was copied in Europe and some users will be European. Where the company is based is completely immaterial.
Re: (Score:2)
Re: (Score:2)
Where the company is based is entirely relevant. The server is in the US, so US law applies. If it was hosted in the EU, EU law would apply. Ask any law enforcement agency or the RIAA/MPAA how data access laws vary by country.
Do ask. US courts have repeatedly claimed jurisdiction as long as you do business with US customers or the victims are located in the US, so does the EU with their citizens. Not the ToS, that's under US terms and if OK Cupid wants to sue these guys it'll be in a US court but European citizens have rights under EU law they can't sign away. That said, usually a conviction is useless unless the court has jurisdiction over the assets or people involved which is why it doesn't happen more often. But if you can s
Re: (Score:2)
Re: (Score:2)
Well, the US can claim that US law applies, but the legal bodies of the EU will be pretty unimpressed by that if the actual crime was committed in Europe against European citizens. And it was. It may be different if the servers had actually been hacked. They were not.
Also, what makes you think that US law trumps others? Are you an imperialist?
Re: (Score:2)
Also note this clause: "The exclusive means of resolving any dispute or claim arising out of or relating to these Terms of Use (including any alleged breach thereof), the
Re: (Score:2)
Information you provide about yourself while using our service
We provide areas on our websites where you can post information about yourself and others and communicate with others or upload content such as photographs. Such postings are governed by our Terms & Conditions. In addition, such postings may appear on other websitesor when searches are executed on the subject of your posting. Also, whenever you voluntarily disclose personal information on publicly-viewable web pages, that information will be publicly available and can be collected and used by others
There's no way that you can argue that you expected the information to be private, since YOU agreed to the terms, and then YOU posted the data knowing full well that it wasn't private..
There is no law that says you cannot voluntarily make your private information public, and that's exactly what this is.
Re: (Score:2)
Re: (Score:2)
Why is it that all the good people have left Slashdot, but the backwash is still here?
But you are still here. Oh wait. I get it...
The project's been suspended/hidden (Score:2)
This record has been suspended"
https://osf.io/p9ixw/files/ [osf.io]
Kirkegaard's other work (still available) on Open Science Framework: https://osf.io/a2yfn/ [osf.io]
Interestingly enough, it works out to be great advertising for a really neat science site/service...
Fancy Laugh Instigator (Score:2)
Real names not revealed (Score:4, Interesting)
from TFA: "The data dump did not reveal anyone's real name."
Usernames, etc, were revealed. A clever person might be able to find the true owner of an account if it was really important to him/her. Time will tell if any puppies were injured by this action.
Re: (Score:2)
simple. okcupid doesn't ask for your realname at all. Usernames are pretty bad.
This is why I have trust issues (Score:2)
Gosh I hope I cancelled my account before then.
Kirkegaard's blog - data removed/DMCA request (Score:3)
http://emilkirkegaard.dk/en/ [emilkirkegaard.dk]
OSF has now suspended the entire repository, not just deleted the user datafile. Not sure why this is the case. So for now, the paper PDF will be available here: OKCupid_public_dataset_paper Edited to add: The repository is closed due to a DMCA request sent by OKCupid which is currently being investigated.
A good use of the DMCA in this case IMO. (Though surprised it worked overseas.)
Re:Did you know? (Score:5, Funny)
Why did you post that drivel? The post was about OkCupid, not OkStupid.
Re: (Score:2)
Re: (Score:2)
Re: From the not-a-story dept. (Score:3)
Re: (Score:2)
Also, as those logging in were presumably in the EU at the time of logging in, they would be held to the EU ToS, which *do* trump Fair Use.
Re: (Score:2)
Re: (Score:2)
The Dane in Denmark broke Danish law in Denmark, and you argu
Re: (Score:2)
Not true. Otherwise, why would Microsoft want to move servers with customer data to the EU? Ad the server wasn't hacked, any more than if someone had used a screen reader in place of a screen scraper to access the data. Also,NONE OF THE DATA WAS PROPRIETARY. Not one single piece. Just a collection of facts which were voluntarily made available to the general public. There was no expectation of privacy whatsoever.
Call me back when the EU bans yearbooks or other collections of personal data that have been i
Re: (Score:2)
Just a collection of facts which were voluntarily made available to the general public.
So creative works are "facts" and requiring a login is "public".
You are simply insane. Your reality doesn't match anyone else's reality. It's a form of insanity. You should seek help before you hurt yourself or others. You are insane and dangerous.
Re: (Score:2)
So just read the TOS and the Privacy Policy. And no, the privacy policy makes it clear that the stuff you post may appear on other websites, so much for requiring a login to OKCupid,
TOS
Privacy
You should appreciate that all information submitted on the Website might potentially be publicly accessible.
Privacy Policy
Information you provide about yourself while using our service
We provide areas on our websites where you can post information about yourself and others and communicate with others or upload content such as photographs. Such postings are governed by our Terms & Conditions. In addition,such postings may appear on other websites or when searches are executed on the subject of your posting. Also, whenever you voluntarily disclose personal information on publicly-viewable web pages, that information will be publicly available and can be collected and used by others.
See - they are publicly available, and may appear on other websites.
Where's your expectation of privacy? Where's your login requirement?
Re: (Score:2)
They did not have any test subjects. The data was not proprietary. the server was not hacked. The users wanted the data to be accessible to the general public. And how many people can claim it's their personal information when they haven't even used their real names? None. So in effect, the data is anonymized, and even the few who used their real names, there's no way to know that was the case, unless someone did research to find out, and anyone can do that as well.
In certain parts of the country, your best shot at finding somebody good is to go online. I'm not sure I know anybody locally that found anybody actually in person.
Please, let everyone know where those par
Re: (Score:3)
Making it public IS permission.
No it is not. Perhaps you should read about copyright laws and privacy laws.
Bottom line, the data was not public available anyway: they used a scraping bot, obviously with one or more fake accounts. Which is most certainly against terms of usage.
Re: (Score:2)
Privacy laws? Come off it, on data the person made public? The facts that the individual made public are their information, not OKCupid's. They make it public, tough sh*t. Giving public information to a company doesn't suddenly make it not public when it's willingly posted on a public server with the express purpose of the public seeing it.
And you can't copyright facts [copyright.gov]. F*cking morons ...
Copyright does not protect facts,
Feist Publications, Inc., v. Rural Telephone Service Co. [wikipedia.org]
Sweat-of-the-brow work doesn't give rise to a grant of copyri
Re: (Score:2)
And you can't copyright facts. F*cking morons ...
Perhaps you should make an account and OKCupid and check how the site works?
There are no "facts" about me stored. And again: they are not published, they are only stored there, that is all. Only to be retrieved by logged in users. Not by robots. And yes, figuring my age, gender and sexual preferences by violating TOS of the website: is a attack on my privacy and in Europe likely a crime. Regardless if those informations are "facts". There are not many male wh
Re: (Score:2)
Read the TOS and the separate privacy agreement. From the separate privacy agreement that is integrated into the TOS and that you agreed to:
Also, whenever you voluntarily disclose personal information on publicly-viewable web pages, that information will be publicly available and can be collected and used by others.
Also, you were warned in advance in the main TOS that there is no guarantee whatsoever of keeping anything private, and you as a user accepted that. It might be your information, but you already agreed to make it publicly available. How are you going to bring a privacy claim when you agreed to make it publicly available?
Re: (Score:2)
Public available means: logged on users.
Not general public. Can't be so hard to understand.
Furthermore: collecting private data and/or making it public as in 'public available for everyone' is illegal under european laws. Regardless how you interpret the TOS.
In other words: the danish idiots (Denmark belongs to the EU!) are with one leg in jail now and have a hailstorm of criminal prosecutions incoming.
You should start to comprehend that 'the rest of the world' has not bullshit laws like you in the US. And
Re: (Score:2)
Re:From the not-a-story dept. (Score:5, Insightful)
Making it public IS permission.
1. It was not made public, it was only accessible after you created an account and hence agreed to their TOS.
2. European privacy law says even if made public, it can only be used for the purpose it was made public for (e.g. Phone-Book). Anything else requires explicit agreement by the data owner, and that is the respective person. No such agreement was obtained.
Seriously, understand the facts first. This was a criminal act.
Re: (Score:2)
EU privacy laws don't cover US companies with data stored in the US - that's covered by US laws. And it was most certainly made public, with not even minimal security. Otherwise fake accounts couldn't have scraped the data. You can't argue for privacy when you leave your bedroom windows wide open with a big "look in here" sign.
And nobody using OKCupid enters into an agreement with each individual person.
This is no more a criminal act than if I were to scrape slashdot. Or facebook. Or twitter. Or an online
Re: (Score:2)
As has already been said, under EU law the data belongs to the user not to the company with the servers. The jurisdiction of the user would apply.
Re: (Score:2)
That's under EU law for a server located in the EU. EU law doesn't apply in Oklahoma. Also, the TOS encourages people to not use their real name (you DID read the TOS before commenting, didn't you?) There is no guarantee whatsoever of any information being private, and anyone who agreed to that TOS, well, touch beenies, they agreed to it.
Also, how would user myowntrueself' have standing to claim any violation, since that's not even a legal person, just a phony screen name? So all the info under that name i
Re: (Score:2)
EU privacy laws don't cover US companies with data stored in the US
But EU laws do cover collecting the data. That's what all the hoohaa about safe harbour laws is about.
Under EU law OK cupid could collect the data that they did provided they used it for the purposes it was collected for and required the same terms on anyone else using the data - which I think they did via their TOS.
Re: (Score:2)
which I think they did via their TOS.
No, they didn't. They made it very clear that there was no expectation that their data would be private right in their TOS.
Privacy
You should appreciate that all information submitted on the Website might potentially be publicly accessible.
Pretty straight forward, but it gets even better in the separate Privacy Policy:
Also, whenever you voluntarily disclose personal information on publicly-viewable web pages, that information will be publicly available and can be collected and used by others.
You are told all this in advance if you read the TOS, so you can't whine when someone accesses your publicly-viewable personal information that you disclosed. And if you didn't read the TOS? 2 bad, so sad, sux to b u.
Re: (Score:2)
A criminal act, because European privacy laws are criminal law. They can send you to prison for violating them. Rarely ever happens, but still...
I see one idiot here and that is you.
Re: (Score:2)
Re: (Score:2)
EU privacy laws don't cover servers in the US. That's why some companies are investigating moving their servers to the EU. If it's not hosted in Europe, the laws of the hosting country apply, and ONLY those laws.
Where do you get your info that the Danish court wouldn't touch this case because the servers are in the USA?
The EU is strict enough that I'm pretty sure that if one of the complainants were in, say, Denmark and the 'researchers' were also in Denmark then the fact that the data was on servers in the USA wouldn't matter to a Danish court; the person infringed upon and the alleged infringer were in Denmark therefore Danish law applies.
Re: (Score:2)
Actually it would matter that the servers were in the US. They exported personal data outside of the EU/EEA without the data subjects' permission, which is an additional offence.
Re: (Score:2)
Re: (Score:2)
The first hurdle is that the individual willfully exported their data to another jurisdiction, for the purpose of it (hopefully) being viewed by as many people as possible. There was no expectation of privacy. It would be the same as if they posted it on a billboard and then claimed that anyone reading it was violating their privacy.
The TOS make it very clear that OKCupid has no responsibility to keep any supplied information private. Also, while it refers to a bona fide profile, their definition is a prof
Re: (Score:2)
That is completely immaterial, as this would not be a case against OkCupid and the data does not belong to them anyways according to European law. What matters is where the crime happened and that was in Europe. Seriously, the facts of the matter are not difficult and neither is the geography. An European doing illegal things in Europe with data of other Europeans is clearly subject to European law.
Re: (Score:2)
You obviously haven't read the OKCupid TOS. There is no expectation of privacy, users are informed not to use their real names, and the purpose of the site is to disseminate the data in the user's profile.
Kind of hard to argue that your data has any reasonable expectation of privacy when the contract between the user and OKCupid says otherwise. Or does the EU no longer recognize contracts?
Re: (Score:2)
Why not just read the OKCupid TOS and Privacy Policy, which most people appear not to have done.
From the TOS
Privacy
You should appreciate that all information submitted on the Website might potentially be publicly accessible.
From the privacy policy:
We provide areas on our websites where you can post information about yourself and others and communicate with others or upload content such as photographs. Such postings are governed by our Terms & Conditions. In addition, such postings may appear on other websites or when searches are executed on the subject of your posting. Also, whenever you voluntarily disclose personal information on publicly-viewable web pages, that information will be publicly available and can be collected and used by others.
As a user, you understood all this. There is zero expectation of privacy. This is the governing contract between the parties. Have fun proving you didn't know that your information wasn't going to be kept private..
Re: (Score:2)
Re:Bullshit (Score:5, Insightful)
The data was already public!
Also, only a moron would use their real name to create a profile on OkCupid. I met my wife on Match.com, and she didn't tell me her real name until our 2nd date. Many of these sites specifically recommend that you don't use your real name, and that you don't reuse a photo that is already online, since someone could then use Google Image search to find your Facebook profile.
Re: (Score:2, Interesting)
Actually I met a greek woman living in Germany (via ok cupid). She used her real name and was surprised that I did not. She was absolutely not aware that basically no one is using his real name on a web site, except perhaps Facebook or Linked in.
She was not dumb, the idea to use a nick simply never occurred to her.
On the other hand she was a bit strange ... she is a teacher for greek and ancient greek. While talking about the subjects she emphasized that greek is so complicated for foreigners because it has
Re: (Score:3)
Just to give everyone an example how fucked up genders are in German, and why it's nontrivial to learn for a foreigner: The simple sentence "The girl puts the milk on the table" would be in German, using pronouns, "It puts her on him".
Re: (Score:3, Funny)
Great, now North Carolina will outlaw speaking German.
Re: (Score:3)
Re: (Score:2)
on it's skin...
"on it is skin", "on it has skin", or "on it was skin" ?
Re: (Score:2)
Grammatical genders of most indo-european languages are difficult. But it is true that German is especially difficult in that matter because there are almost no general rules about grammatical genders and they have to be memorised for every single word. In many other languages the grammatical gender is already encoded in the word by the means of the gender specific ending.
Re: (Score:2)
DAS Madchen: IT.
Re: (Score:2)
Biologically, it's a she. Grammatically, it's an it.
Re: Bullshit (Score:2)
Actually, your correction is incorrect. The German word for a young girl is neuter, not feminine. Thus, the previous commenter is correct â" "It put her on him." No need for the hypercorrection.
Yes, I actually took 4 years of German in high school. You really have to wonder about a culture that refers to little girls as "it."
Re: (Score:2)
Yes, I actually took 4 years of German in high school. You really have to wonder about a culture that refers to little girls as "it."
You don't refer to little girls as "it". Only the word "Maedchen" has the gender of neutrum. The person which is a girl is female. So to refer to the person you usually are using the articles fitting to the person.
Hence I corrected his "flaw".
Side note: I'm german. You only say "it" or "das" in german if you actually use the word "Maedchen". If you refer to her otherwise it is
Re: (Score:2)
Side note: I'm german.
We figured. It seems natural if you're used to it.
Same problem with animals: the dog is male "der Hund", the cat is female "die Katze", nevertheless both animals obviously have a female and a male version and when you refer to a particular one you use "er" or "sie" as in "he" or "she" ... and not "it" as in english.
If you know the gender it's the same in English, you say the "The dog [or he/she] must stay in his/her cage". But if you don't, the sex-neutral form is always it - for all intents and purposes you can think of it as unspecified rather than sexless. In German it's not, the dog must stay in his cage, the cat in her cage and the girl - if you go all Fritzl - in its cage according to the gender of the word. And you're obliged to use the word's gender when you're
Re: (Score:2)
It's a double use of gender that drives everyone trying to learn German nuts, it really makes no sense.
A language teacher I once had stated simply, "It doesn't have to make sense. It just IS."
Re: (Score:2)
A language teacher I once had stated simply, "It doesn't have to make sense. It just IS."
And that attitude is how language gets boned in the first place. It's anti-intellectualism. Someone comes up with a crap word, someone smarter says "actually it should be x" and then people throw rocks at them and call them a fag
Re: (Score:2)
It's not anti-intellectualism. It's recognizing that languages are idiosyncratic and have many constructs and usages that don't seem logical. The teacher was essentially saying, "Look, this is how the language is spoken, it may not be logical but you've got to deal with it."
Re: (Score:2)
Apparently, your teacher hasn't explained to you that all german nouns in the diminutive form - marked with the "chen" or "lein" suffix - are neuter. It is that simple.
Re: (Score:2)
"You really have to wonder about a culture that refers to little girls as "it."
Gender (grammatical) has nothing to do with gender (sex), as any fule kno.
Re: (Score:2)
Das Baby, neutrum.
Mission accomplished. But it's still not sitting well with parents when you tell them to "could you please quiet IT down?"
Re: (Score:2)
And to turn this from funny to hilarious, "its" is the same word in German as "his", "sein". Actually, "seine", since skin is feminine, and possessive pronouns change endings according to the gender of the noun possessed.
So, with pronouns again, that looks like "It rubs her on its/his skin".
Head spinning already?
Re: (Score:2)
Oh, forgot to mention: "Lotion" is of course also feminine. What did you expect, something that makes sense?
Re: (Score:2)
Re:Bullshit (Score:5, Insightful)
a) It was not public. Access required an account (with associated agreement to their TOS).
b) European privacy laws says the data belongs to the users, and each one has to explicitly agree to its uses
This was a criminal act. At the very least these people should lose their academic titles or hope of getting one.
Re: Bullshit (Score:2, Informative)
You can't be stripped of an academic title. It isn't like having a license to practice law, or medicine.
Re: Bullshit (Score:3)
You can be fired and unofficially blacklisted. Academia can be more political than D.C.
Re: (Score:2)
Re: (Score:2)
Re: Bullshit (Score:4, Informative)
You are wrong. The university that gave you that title can remove it under certain circumstances, such as when you have damaged the reputation of the field it is in. I know, for example, of a PhD Lawyer that lost his PhD after being caught robbing a bank. It is not a legal procedure, it is an academic procedure. You may seek legal redress, but that usually fails. The same can happen when it turns out you falsified results.
Re: (Score:2)
Perhaps you misunderstood the part where gwehir said "I know, for example, of a PhD Lawyer that lost his PhD". The reason he lost it is not the claim he was refuting. It was whether colleges or universities can and do revoke degrees.
Re: (Score:2)
It is reality. And to somebody not ethically challenged, it will be obvious that an academic does also have the responsibility to represent their chosen field in a positive and honorable way. If they grossly fail to do so, they may be rightfully ejected from that field as unfit to represent it. You may not agree, but most institutions awarding academic grades do, although many only start doing this in practice to people that already have that degree on PhD level. Incidentally, professional organizations lik
Re: (Score:2)
Excellent point.
Re: (Score:2)
No, it is not. A university degree is an achievement. Each university has its own policy, but it's basically unheard of for a university to rescind a degree for a reason other than the requirements of the programme not being met (e.g. academic misconduct, or misrepresentation on the application). If you have unmet financial obligations, universities generally doesn't rescind degrees, but instead prevent you from being able to prove it (e.g. withholding academic transcripts or certificates).
The above does no
Re: (Score:2)
Re: Bullshit (Score:2)
Except you most definately can get stripped of an academic title.
Re: (Score:2)
Re: (Score:2)
Re: Bullshit (Score:2)
But the data in question is NOT publically available. It requires an OKCupid account and agreeing to their TOS.
Re: (Score:2)
You can stop Google from indexing parts of your site by putting it in a password protected area, or by using robots.txt. OKCupid has done this, so their profiles don't appear in Google.