De-Anonymizing Social Network Users
An anonymous reader writes "The H has an article about some researchers who found a new way to de-anonymize people. Compared to the EFF's Panopticlick, the goal of this experiment is not to identify a user's browser uniquely, but to identify individual users. The test essentially exploits the fact that many social network users are identifiable by their membership of various groups. According to the researchers, it's very unlikely that two people on any social network will belong to exactly the same groups. A 'group fingerprint' can thus allow websites to identify previously anonymous visitors. They describe the setup and all details and the results look very interesting. They also have a live demo for the social network Xing that was able to de-anonymize me."
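The "group fingerprint" idea in the summary can be measured as an anonymity-set size. The following is an added example, not code from the article or the researchers; the users, groups and function names are constructed, and it assumes an observer learns only some of the groups a visitor belongs to, never which groups they are absent from.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data: user -> set of groups they belong to.
MEMBERSHIPS = {
    "alice": {"linux", "chess", "berlin"},
    "bob":   {"linux", "chess"},
    "carol": {"linux", "photo"},
    "dave":  {"linux", "chess"},
    "erin":  set(),            # belongs to no groups
    "frank": {"photo"},
    "gina":  set(),
}

def anonymity_sets(memberships):
    """Bucket users by their exact group fingerprint."""
    buckets = defaultdict(list)
    for user, groups in memberships.items():
        buckets[frozenset(groups)].append(user)
    return buckets

def unique_fingerprints(memberships):
    """Users whose exact set of groups is shared with nobody else."""
    return sorted(users[0] for users in anonymity_sets(memberships).values()
                  if len(users) == 1)

def candidates(memberships, observed):
    """Users consistent with a partial observation (observed is a subset)."""
    return sorted(u for u, g in memberships.items() if set(observed) <= g)

def min_identifying_groups(memberships, user):
    """Fewest of the user's own groups that single them out, else None."""
    groups = sorted(memberships[user])
    for k in range(len(groups) + 1):
        for combo in combinations(groups, k):
            if candidates(memberships, combo) == [user]:
                return k
    return None

if __name__ == "__main__":
    print("unique exact fingerprints:", unique_fingerprints(MEMBERSHIPS))
    for name in sorted(MEMBERSHIPS):
        print(name, "->", min_identifying_groups(MEMBERSHIPS, name))
```

A user can have a unique exact fingerprint and still not be singled out by partial observation: in this data "frank" is the only member of exactly {photo}, but every observation that fits him also fits "carol".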
Fuck social networks.
Probably not so anonymous anymore!
There is nothing new about this. This is what any human being (a PI, or a stalker) would intuitively try to do. This is just streamlining and automating that process.
A more accurate one, if I am RTFA right, is "by trawling through the browser history of visitors to a site it is possible to distinguish one from another so long as the user uses and regularly visits the group pages of select social networking sites and never clears their history". At most it seems to allow them to compare the "groups" pages you have visited on, say, Facebook and possibly identify which FB user you are using that information.
I see nothing to suggest that this helps them to identify who you actually are in meatspace unless you supply those details on your public Facebook page.
Just try to de-anonymize the antisocial network!
people like myself who belong to no groups would like to say go fuck yourself.
So basically if
then an attacker might be able to work out the name you use on that social networking site?
Why would anyone bother? Indexing Facebook would take quite a bit of time and resources and at the end of it you'd have something which might or might not be someone's real name. Even if it is their real name, what exactly are you going to do with it? So you've unmasked (maybe) the name (maybe) of someone who visited your site. It's not going to give you anything else useful unless you combine it with some other attack vector which could quite easily pick up their real name for free anyway.
I suppose you could use it to set up a honey pot site for people with certain beliefs or interests and use it to accumulate a list of people with those beliefs or interests, but to be honest, you'd probably do better social engineering their ISP to get their account details.
I prefer not to de-anatomize all the Anonymous Cowards. Neuter them, sure. Let's leave it at that.
But worse than that, the paper itself is horribly written, especially the abstract. The threat presented is not de-anonymization within the social network (since usually most profiles are real people anyway) but rather de-anonymization of visitors to arbitrary websites if those visitors also have social networking URLs in their browser history.
Now, the big privacy hole here is browser history stealing, which is four years old. All this paper does is refine this mountain of privacy-invading information using social networking URLs that might be found there.
similarly, the plugins list... another thing that doesn't need to be sent out by the browser...
Firefox devs, you listening here? these do not need to be transmitted so block them...
anyone know of a plugin that blocks them?
and why on earth is it possible to sniff the history list???
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
Brilliant plan, guys... except you still left one variable unknown: the aloof guy who doesn't belong to any groups. How do you pick him out of the crowd when he's not in it to begin with? Those aloof loners are always the ones we should be worrying about, right? That's what the movies always say.
They (the authors) keep mentioning it in the same breath as Facebook, Twitter, and LinkedIn - but I've never heard of it (I realize that may not necessarily mean anything). It also seems a bit odd to see the BSD demon in one of the article graphics. I can't help but wonder if this was posted to actually discuss an attack vector against social networking sites, or if it was really some weird attempt to promote some GNU/Free social networking club.
Anyway, it seems to me that demoing a practical de-anonymization of a Facebook user or a LinkedIn profile would be more interesting.
#DeleteChrome
Just as people who don't take privacy seriously aren't really anonymous, people who think that these revelations actually make people not anonymous online help cater to said false belief, and keep true Anonymous Cowards (who have the smarts to either not register on networking sites, or register with different false data on separate sites) safer, for the moment.
Posted as Anonymous Coward for obvious reasons.
It obviously hit the nail quick and straight on the head. ...I'd add: "social networks fuck" as they do have a very negative impact upon one's social life IRL.
Maybe some mod is being too sensitive about short first posts. I hope he knows not to act that stupidly IRL (though I highly doubt it).
Smile, don't click...
Your selectors example can be used similarly for font detection. Set up CSS with a particular font - fall back to a standard font with known metrics. Once the page is rendered, use javascript to get the metrics of e.g. the block element you stuck the text in, and you can determine with fair certainty that the user either has that font, or doesn't. Obviously user CSS overriding things, scripting getting blocked, etc. thwart this - but that's not going to be the vast majority of users.
... they could find a way to De-annoying people on social networks
Watch those corners
If anyone is even vaguely aware that they should be hiding their identity online, there's now an easy way to do it on every browser and it defeats history stealing.
This may still be useful to advertisers and other people chasing the unwary but don't bother setting up a porn site, hoping to catch a politician because they'd have to be a complete idiot to get caught by this... actually, never mind.
All you have to do is post a stupid little survey to Facebook and millions of idiots will fill the silly thing out giving you their mother's maiden name, street they grew up on, and last 4 digits of their social security in return for generating a few sentences of nonsense.
Next Slashdot poll:
I have N Facebook accounts, where N is:
*1-4
*5-9
*10-19
*20-29
*30-39
*41 or more
*I just "borrow" one of CowboyNeal's
*My probation officer won't let me use Facebook, you insensitive clod!
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
So it's been tested 30 times at about a minute per test. Do 30 minutes of testing make a tool worthy of all this press? Are these former Microsoft employees?
If I have a Social Networking account tied to the real me, and then I go and create an anonymous Social Networking page, do you really think I'm going to take the time to replicate all of my "groups" and things that would otherwise be on my primary profile? I obviously have something to hide, so this theory is bunk and not relevant.
I don't think this is what the tool is designed for. If you read the paper, you'll see that all they'd get would be a list of groups that either of your identities were members of.
What this is for is to match identities at different sites. To tell what Facebook account Candidate@LinkedIn is using... you get Candidate@LinkedIn to visit a site (hey, send your resume to http://example.com/5jh332 and it'll go right past HR) and hit him with a Facebook tracer while he's filling out the resume. Now you know that he's PartyGuy@Facebook and you send him a nice rejection letter.
It's amazing how long it took the private sector to rediscover good, old-fashioned intelligence analysis.
Proteus' Child
Doko ni datte; hito wa, tsunagette iru.
There's a reason why I joined a Young Communists group on Facebook and friended the GOP on MySpace...
Non impediti ratione cogitationus.
Who am I?
I have done nothing to especially hide myself except clicking "Post Anonymously" - I bet Cmdr Taco could make an educated guess by perusing logs though. I've often wondered if that is the case.
A few weeks ago, I viewed a video interview with Facebook founder Mark Zuckerberg. In the interview, he stated that privacy simply doesn't exist anymore, or rather, that the world will need to get used to a "new standard" of privacy in context to online networking. That statement alone was sufficient impetus for me to purge my Facebook account (I let it sit empty for a few weeks, then deleted it), as well as all other social networking profiles that I irresponsibly let sit on the web, as the statement is indicative of a mindset that will abuse my information in the future, if not now. Many persons may think I am being overly paranoid, but this article is evidence to the contrary, and I feel vindicated in my efforts when I read this sort of thing. On a related note, I have also taken to preferring cash to credit card transactions lately, and have a long standing habit of never disseminating personal information to retailers. I seem to be in the minority, but I refuse to leave myself open to abuse.
Privacy law often says (roughly) that personally identifiable information needs to be protected. But this research calls into question whether we can define personally identifiable information in a legally-meaningful way. All information related to a person can contribute to identifying the person.
Benjamin Wright, Dallas, Texas, benjaminwright.us