Researchers Can ID Anonymous Twitterers

← Back to Stories (view on slashdot.org)

Researchers Can ID Anonymous Twitterers

Posted by timothy on Thursday March 26, 2009 @10:48AM from the 140-shady-characters dept.

narramissic writes "In a paper set to be delivered at an upcoming security conference, University of Texas at Austin researchers showed how they were able to identify people who were on public social networks such as Twitter and Flickr by mapping out the connections surrounding their network of friends. From the ITworld article: 'Web site operators often share data about users with partners and advertisers after stripping it of any personally identifiable information such as names, addresses or birth dates. Arvind Narayanan and fellow researcher Vitaly Shmatikov found that by analyzing these 'anonymized' data sets, they could identify Flickr users who were also on Twitter about two-thirds of the time, depending on how much information they have to work with.'"

29 of 108 comments (clear)

Min score:

Reason:

Sort:

Who promised? by plover · 2009-03-26 10:52 · Score: 4, Insightful

Who ever promised this data would be anonymous? Do you really expect privacy when posting personal stuff on line, even if you don't sign your name in advance?

--
John
1. Re:Who promised? by vux984 · 2009-03-26 11:05 · Score: 5, Informative
  
  Who ever promised this data would be anonymous? Do you really expect privacy when posting personal stuff on line, even if you don't sign your name in advance?
  1) People still assume that if don't sign their name on the internet then its anonymous. People need to be educated otherwise. Articles like this help.
  2) While a lot of people are still grappling with #1 above, there are a lot of more sophisticated people who need to learn that even if they ARE behind 7 proxies, using tor, ssh, on a hacked wifi they are accessing via a pringles can-tenna from across state or even national lines... and then use that super anonymous connection to participate anonymously in 'social networking' sites like twitter, facebook, etc... even if they never reveal a single personal detail about themselves, their place within the social network itself can be reliably used to unmask them once they've had their anonymous account linked to real friends.
  People REALLY need to be educated about this.
2. Re:Who promised? by Niris · 2009-03-26 11:08 · Score: 2, Informative
  
  David.
3. Re:Who promised? by Anonymous Coward · 2009-03-26 11:09 · Score: 4, Funny
  
  Clearly, you're both me.
4. Re:Who promised? by Anonymous Coward · 2009-03-26 11:18 · Score: 2, Interesting
  
  2) While a lot of people are still grappling with #1 above, there are a lot of more sophisticated people who need to learn that even if they ARE behind 7 proxies, using tor, ssh, on a hacked wifi they are accessing via a pringles can-tenna from across state or even national lines... and then use that super anonymous connection to participate anonymously in 'social networking' sites like twitter, facebook, etc... even if they never reveal a single personal detail about themselves, their place within the social network itself can be reliably used to unmask them once they've had their anonymous account linked to real friends.
  People REALLY need to be educated about this.
  Or read some spy novels from the cold war. Lots of spies are discovered by figuring out who had access to information and who their associates are.
5. Re:Who promised? by Rorschach1 · 2009-03-26 11:22 · Score: 3, Insightful
  
  Then again, some of us are very well aware of it and just don't care so much. If I want to post thoughts to a blog that I don't want linked back to me (and I've done so in the past), I'll set up something entirely separate, with a name I've never used before, linked to a new gmail account.
  Anyone with half a brain can figure out exactly who I am, where I live, and what I do for a living, starting from this post, in about 20 seconds. Medical conditions and sexual preference might take a little more work, but I'm sure some of it is out there.
  Frankly, I don't care. I'm self-employed and don't worry about what an employer might think of me. My friends and family seem to like me well enough despite already knowing that stuff. So long as it's not information that's going to result in identity theft (account numbers and such), there's not much that's worth the effort to conceal.
6. Re:Who promised? by Webious · 2009-03-26 11:24 · Score: 2, Insightful
  
  So, to be anonymous, I need to get behind 7 proxies, use tor and ssh on a hacked wifi...
  RTFA - I think you missed the point:
  
  Our de-anonymization algorithm is based purely on the network topology
7. Re:Who promised? by petermgreen · 2009-03-26 11:28 · Score: 4, Interesting
  
  The important thing is that anyone or anything that links your "real persona" and your "anonymous persona" is a potential threat to your anonymity both through things they willingly or mistakenly do and through things they could be coerced or forced into doing.
  It's all too easy to put lots of thought into making it bloody hard to trace your connection but then link your "anonymous persona" to your "real persona" through common friends, accidently logging into a site using the wrong account for the connection you are using, forgetting to flush cookies (and any similar tracing objects) when moving between your "nonanoymous connection" and your "anonymous connection" and so on.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
8. Re:Who promised? by davester666 · 2009-03-26 11:31 · Score: 3, Insightful
  
  "all of the social network connections I have are to similarly protected people"
  No, for you to remain anonymous, you must disavow all knowledge of anybody in your social network, for all 'accounts' or whatever, for all postings that you want to not be readily linked back to you. And they must not have any links to these accounts either (so the easiest way is to not tell them about these 'anonymous' accounts).
  
  --
  Sleep your way to a whiter smile...date a dentist!
9. Re:Who promised? by Anonymous Coward · 2009-03-26 11:31 · Score: 2, Insightful
  
  I think you missed the point actually.
  or should I say... wooosh!
  maybe try reading past the first 19 words before replying to a post?
10. Re:Who promised? by arvindn · 2009-03-26 11:48 · Score: 5, Informative
  
  Hi. I'm one of the authors. Please read our FAQ. It answers that very question. In short, our de-anonymization algorithm applies to far more than public social networks like twitter, including some very sensitive ones.
11. Re:Who promised? by ssintercept · 2009-03-26 11:49 · Score: 5, Insightful
  
  how 'bout not using twitter, myspace, facebook, etc??
  
  don't you use those services to be noticed?
  
  --
  "You can kill the revolutionary, but you can't kill the revolution."-- Fred Hampton
12. Re:Who promised? by MadAhab · 2009-03-26 11:53 · Score: 4, Interesting
  
  I agree, but I think it's an age and culture issue. These issues are new.
  In 10 years, no one would expect that a Twitter account couldn't be connected to your FB account any more than they would think you could cheat on your partner by taking your partner-in-crime to a pub you and your date frequent. The principle is no different - if two social spheres overlap, you've given up your relative anonymity.
  That's why Larry Craig tapped his toe in an airport bathroom in a stop-over airport - low likelihood of running into someone who might know him.
  
  --
  Expanding a vast wasteland since 1996.
13. Re:Who promised? by ssintercept · 2009-03-26 12:21 · Score: 2, Insightful
  
  whoosh yourself- as per the above article "researchers showed how they were able to identify people who were on public social networks such as Twitter".
  
  so the first step on concealing your identity is to not use the public social networks.
  
  --
  "You can kill the revolutionary, but you can't kill the revolution."-- Fred Hampton
14. Re:Who promised? by Runaway1956 · 2009-03-26 12:50 · Score: 2, Insightful
  
  Heh. To right. When I got TOR up and running, I was tempted to sign into a couple places, to look at my - uhh - "internet profile" being presented by browser, etc. Was reaching for the "submit" button, when I realized, "Hey, this is STOOOO-PID!" I'm no longer anonymous once I sign in ANYWHERE!
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
15. Re:Who promised? by EdIII · 2009-03-26 14:22 · Score: 2, Funny
  
  That's why Larry Craig tapped his toe in an airport bathroom in a stop-over airport - low likelihood of running into someone who might know him.
  I thought it was just because he had a "wide stance".
16. Re:Who promised? by Runaway1956 · 2009-03-26 14:50 · Score: 2, Informative
  
  How sure are you, of that idea? You must realize that your IP is recorded again, and again on the web. Do you use Flash, Java, or any other plugins that potentially give away identifying data? Does your browser leave any data that you are unaware of? What about your operating system? Microsoft has this thing (I forget the name, but almost everyone here knows what it is) where you can sign into one account, then automagically be signed into dozens if not hundreds of other sites/accounts. Google has something similar, if on a smaller scale. I can sign into GMail, and be recognized on YouTube, and MySpace, if I should care to make use of that "feature". Your practices are commendable, but you also need to make sure that you are using the technical tools available to reinforce your practices. We mustn't forget the many forms of malware available to the modern browser. Picking up any common trojan designed to exploit Windows, IE, OE, or WMP can guarantee that you are tracked everywhere, despite any practices or tools that you may employ.
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
17. Re:Who promised? by Jason+Levine · 2009-03-26 16:23 · Score: 2, Interesting
  
  Years back, I used my real name for all of my online activities. After my kids were born, though, I reconsidered using my real name and address. So when I started a blog, I made up an "anonymous" name. I'm under no illusion that it is 100% anonymous, but I do my best to keep my "real name identity" and my "blog identity" separate. I'm go "blog identity" on all of the sites I frequent, but I'm unwilling to disappear as "Jason Levine" and either a) pretend to be a newbie at the site for awhile or b) reveal to everyone that "Jason Levine" and "BLOG_ID" are one and the same. While I might make some mistakes that wind up linking the two, I'm not going to come out and do it on purpose. (A really creative type could locate my blog ID though. I'll even give a hint: it's through my wife's blog name.)
  
  --
  My sci-fi novel, Ghost Thief, is now available from Amazon.com.
18. Re:Who promised? by EdIII · 2009-03-26 19:24 · Score: 2, Informative
  
  True, but that is not the same thing as what we are talking about in the article.
  If you search my comments and find any postings with my real name, references to my place of work, real people, events, etc. then I do agree you could possibly do research in the real world to identify who I am. Sort of a 20 questions kind of deal.
  Remember... that is identify , as in gain a positive identification of my real world identity to the point you could then actually find me. Learning about my likes, dislikes, religious or political affiliations, positions on various arguments is not the same as identifying me.
  What the article is mentioning is that even though I am anonymous, there are enough of my own interactions with other non-anonymous people that my identity could be inferred by analyzing the data. Meaning that I am Mr.X, but Bob, Alice, Sally, Mary, and Steve all have information publicly available about somebody named Joe. Through process of elimination it is determined that it is highly likely I am the person Joe. Mr.X was still anonymous, his connections were still anonymous, but through analysis we have found it is highly likely that Mr.X is in fact Joe.
  That does not apply to me as this identity has never communicated with anybody that knows my real identity. So I would agree, you could gain knowledge about my relationships with other /.'s, but they will not provide you with any knowledge of my identity, nor will my own posts.
  I do invite you to research my posts should you want to. Feel free to let me know the results in this thread :)
Tin foil! by mc1138 · 2009-03-26 11:11 · Score: 4, Funny

Must... cover... everything...

--
The musings of just another geek and his junk.
Twits by brkello · 2009-03-26 11:16 · Score: 4, Insightful

Slashdotters care about privacy. People on these social networking sites want their lives to be on show for everyone. I don't think people who twit every 5 minutes where they are and what they are doing are really to concerned about their privacy.

--
Support a great indie game: http://www.abaddon360.com
1. Re:Twits by LandDolphin · 2009-03-26 11:20 · Score: 5, Insightful
  
  This.
  
  However, I don't think a lot of people fully understand the negative side of placing your life online for all to see. They fail to realize that placing their discussion about smoking pot (or other dubious activity) on twitter might one day cause them a job.
  
  --
  Spelling and Grammar errors have been added to this post for your enjoyment
2. Re:Twits by Animaether · 2009-03-26 12:47 · Score: 4, Funny
  
  They fail to realize that placing their discussion about smoking pot (or other dubious activity) on twitter might one day cause them a job.
  That's right - The Netherlands are hiring again!
You mean like willyhill? by tepples · 2009-03-26 11:19 · Score: 4, Informative

Willyhill managed to ID fourteen Twitter accounts. Or is this something completely different?
Social network can-o-worms by xixax · 2009-03-26 11:38 · Score: 4, Insightful

Are there really any surprises here? Social networks behave a lot like the Internet, with many routes pointing to your front door.
For example, use whatever falese names you want. Your email address makes a dandy primary key squirreled away in all your friends mailboxes, just waiting for Facebook to Hoover it up and join the dots.
Your privacy and anonymity is defined by the aggregate social stupidity of your friends.
Xix.

--
"Everything is adjustable, provided you have the right tools"
This is new technology to me by moteyalpha · 2009-03-26 11:42 · Score: 3, Funny

I understand networks and how you can get somebody's IP and translate it to a location or identify them with algorithms that analyze sentence structure or even use some TCP packet tricks.
The thing that confuses me is the acronym "FRIEND", I have looked in all my technical references and I can't find that tool.
Please read our FAQ by arvindn · 2009-03-26 11:43 · Score: 5, Insightful

We have an FAQ about this paper. It answers many of the misconceptions expressed in the comments here. In particular, our algorithm applies to much more than public social networks like twitter and flickr. A variety of networks including the phone call network are being shared behind your back in anonymous form, and our de-anonymization techniques apply just as much. You'll probably agree that people expect more privacy there. See my blog for a variety of demonstrations and thought-experiments of de-anonymization.
I can ID anyone using Twitter by FlyingSquidStudios · 2009-03-26 12:05 · Score: 2, Funny

as someone whose every thought I have no interest in reading.

--
http://twitter.com/OLDTELEGRAM
Please do not go and work for google by tqft · 2009-03-26 12:36 · Score: 2, Insightful

http://www.guardian.co.uk/technology/2009/mar/26/seth-finkelstein-google-advertising
"Google recently took another step along the path of surveillance as a service, launching what it called "interest-based advertising", and which everyone else calls "behavioural targeting". These are systems that collect extensive personal data, for marketing purposes. To best understand the issues,"
http://sethf.com/infothought/blog/archives/001422.html
I once upon a time worked for a statistics agency and even without names and addresses it is surprisingly easy to identify people in anonymous data, even anonymised unit record data can be deconstructed to some degree. Depending on what you want to achieve don't even need to identify them.
Marrying up these datasets and ideas would be gruesome.

--
The Singularity is closer than you think
Quant