The Dark Side of Netflix

Netflix Underground is not affiliated with Netflix, Inc.

3/26/2005

Netflix Exposes User Data

4/4/05 - The issue detailed in the following story has apparently been resolved, and this story should be considered inactive. The original story, update, and comments are here for reference and discussion purposes only.

=================================


The following news tip came from a Netflix Undergrounder. Thanks for the tip, Dan.

If you are concerned about online privacy, you might want to read "Netflix SEO Efforts Expose User Data in Google and Yahoo" at http://www.onlinemarketer.com/netflix.

Do you have anything embarrassing in your queue? If so, remove it now before Netflix makes it available to every Web user on the planet.

This Netflix problem is not just a privacy issue. It’s a security issue. Some of the supposedly “private” Netflix user information I have seen exposed on the Web reveals the Netflix user’s full name along with DVD title listings that suggest the user has small children at home. In one case, using nothing but the DVD titles, I was able to deduce the gender and approximate age of the Netflix user’s small child.

Think about this. How would you like it if Netflix carelessly exposed your personal information and some pedophile was able to figure out a young girl or boy lives in your house? That’s scary. Parents have enough to worry about these days without Netflix giving the perverts of the world another way to intrude into their homes.

If you think Netflix may have violated your privacy, please contact Netflix, demand they thoroughly investigate how your data may have been compromised, and ask them to submit their report to you in writing (Netflix Contact Information). If Netflix does not give you a satisfactory response, please contact the California Attorney General (http://caag.state.ca.us/) and your state's Attorney General.

_____________________
UPDATE 4/1/05

Google has removed the cached pages containing private user data. Whatever privacy threat existed before appears to be corrected now. Hopefully, this problem was resolved before anyone was affected. Please direct any further questions about this issue to Netflix.

9 comments:

Anonymous said...

Interesting that this news isn't covered at hackingnetflix.com -- ironically because it shows a case of "hacking netflix" in truest sense of the phrase.

But then again when your site shills for Netflix, I guess you don't want to go poking a stick at the hornet's nest.

You know the cartoon, "On the internet, no one knows you're a dog" (e.g. http://www.unc.edu/depts/jomc/academics/dri/idog.html)

Well, it's NOT true that "On the internet, no one knows you're a shill"!!!

manuel said...

"Interesting that this news isn't covered at hackingnetflix.com"

Netflix keeps a tight leash on its dogs.

Anonymous said...

I saw the original post and researched it. It's not a story. If you did your homework before posting a sensationalist headline you'd be taken seriously and people would link to you.

Check the facts before you post. Credibility counts. Think about how Apple is suing bloggers. You have a good lawyer? Think about what you write before you get into trouble.

Now, about the shill stuff. I've posted "bad" stuff about Netflix, including movie availability problems, customer support issues, throttling and even linked to Manuel. What do you want? Banners that say Netflix sucks? I have let Manuel have free rein on my site and yet it would only take one click to delete his posts. C'mon.

Posting only the negative and blowing it out of proportion will get you the attention you crave, but I'm not going to link to sites that suggest you harass and engage a company in a destructive manner. What's next? Illegal activity?

Take Manuel for example. He goes off on Netflix constantly, but Blockbuster is sending him the same # of broken discs. Where's that headline?

Fair and balanced or harassment? Your choice.

At least you allow comments on your site.

- Mike
Mikek@HackingNetflix.com

Editor said...

Mike K,

Who are you addressing? Two people posted before you: Anonymous and Manuel.

I have not written anything about you or your site. Please clarify who and what you are responding to. Your comment is very confusing.

Anonymous said...

I'm referring to the "Netflix Exposes User Data" story, but I'm also responding to Mr. Anonymous and Manuel who think I'm a shill because I don't run a "I hate Netflix" site.

- Mike

ghlu said...

Well, I did a search when this story first came out (3/27) and I can definitely see some users' data, for sure. When I tried to do a search just now I couldn't find anything, so I guess netflix did act on this issue and request google to remove the cached pages.

Editor said...

Mike K,

The story “Netflix SEO Efforts Expose User Data In Google and Yahoo” (www.onlinemarketer.com/netflix) was true at the time it was written. I know it was true, because I found the data myself. Full names of some Netflix customers and DVD titles from their queue could be viewed by any low-level hacker. This was personal information and should not have been available to the general public.

Some time since the release of the story, Google took down the cached pages that displayed user data. I imagine when Netflix realized the severity of the issue, they immediately contacted Google and asked them to remove the cached pages. To Netflix’s credit, this was the responsible thing to do.

As for your message, I welcome your input, and you are free to post what you want on this site; however, in the future, please try to keep the confusion to a minimum. If you want to leave angry, threatening messages for people, please at least be clear about your intended targets.

If you have a problem with Anonymous, address your issue with him and make it clear. If, after that, you have a problem with Manuel, clearly address your issue with him. If, after that, you still have a problem with me, address your issue with me and move on.

Your message just lumps everyone together, and it’s not clear who you’re so mad at and why you hate them so much. When I first read the message, I thought some crazy person was impersonating you, or one of your enemies was trying to make you look irrational and unstable.

For the life of me, I still don’t know what possible problem you could have with me. I have never mentioned you or your site. The rare mentions of you and your site have all been left by visitors to this site. I exercise very little control over what visitors post here, and I intend to keep this an open forum for as long as I can.

If I had attacked you, I might understand your rage, but I’ve never done a single thing to you. I’ve never written a negative thing about you. I really don’t understand all of the hostility you’ve directed toward me.

Best Wishes,
Warren

Anonymous said...

Warren,

I've been getting hammered by Manuel and a bunch of anonymous folks about being a Netflix shill. I'm sick of it, and I probably over-reacted here a bit. Thought you were part of that crew. My mistake.

Just a tip: be careful about posting stuff without confirming it with a solid source. Stuff like that can hurt a stock, and that brings out lawyers (like Apple suing bloggers). I know quite a bit about the user data story and I declined to post it due to how the data was exposed and the limitations of the exposure. Re-read your post and look at it from the Netflix viewpoint.

Send me an e-mail (mikek at hackingnetflix dot com). I'd like to chat with you.

- Mike

Editor said...

Dear Mike K,

Thank you for your message. It seemed apologetic. If that was an apology, I accept.

I am glad you realize I have not been attacking you or your site. I also hope you have looked at this site enough to realize that you and your site have never been mentioned except by occasional visitors.

Netflix Underground is about Netflix the company and not the fans and opponents. The purpose of this site is to serve as an education resource for past, present, and prospective Netflix customers. I have chosen to make this an open forum so that people can share their thoughts for and against the company. Obviously, I do not agree with everything that people post on this site, but I think it’s important for people to get a chance to voice their opinions and consider the opinions of others.

I do not wish to bankrupt Netflix, but I do want things to change. Netflix Underground is a way to pressure Netflix into dealing with its customers in a fair and honest manner.

As for the story about Netflix exposing user data in cached pages, I immediately realized the significance of that story, so I was very careful to verify the story personally. When I was doing my research, I saw the full names of Netflix users and children’s DVDs in their queues. In some cases, I was able to estimate the gender and approximate age of the user’s child. I imagine that most parents do not want the general population of Internet users to know that they have young boys or girls at home. Even people without children might not want everyone to know what they are renting. I concede this particular security breach was limited in scope, but Netflix users have the right to know about problems like this. When people trust corporations with their private information, they have a right to know if that corporation is being careless with their data.

I realize that story was not helpful to Netflix’s stock price, but some things are more important than money to me. I guess I am a bit of an idealist. Netflix’s customers had a right to know about Netflix’s data security problems. The effect on the stock price should be the concern of the shareholders. If the shareholders do not like what is happening to their investments, they should urge the management of Netflix, Inc. to be more responsible and not put the company’s reputation in jeopardy.

I thank you for returning and further clarifying your position. I also thank you for your email address. I will be sure to keep it handy in case I need to reach you at some point. For now, I welcome you to come back and post whatever you like in these open forums. If you address me directly, I will do my best to leave a response for you as quickly as possible.

Thank you for your interest in Netflix Underground. I wish you many happy returns.

All the Best,
Warren