De-Anonymizing Social Network Users 88
An anonymous reader writes "The H has an article about some researchers who found a new way to de-anonymize people. Compared to the EFF's Panopticlick, the goal of this experiment is not to identify a user's browser uniquely, but to identify individual users. The test essentially exploits the fact that many social network users are identifiable by their membership of various groups. According to the researchers, it's very unlikelly that two people on any social network will belong to exactly the same groups. A 'group fingerprint' can thus allow websites to identify previously anonymous visitors. They describe the setup and all details and the results look very interesting. They also have a live demo for the social network Xing that was able to de-anonymize me."
Misleading description of what they're doing (Score:1, Informative)
A more accurate one, if I am RTFA right, is "by trawling through the browser history of visitors to a site it is possible to distinguish one from another so long as the user uses and regularly visits the group pages of select social networking sites and never clears their history". At most it seems to allow them to compare the "groups" pages you have visited on, say, Facebook and possibly identify which FB user you are using that information.
I see nothing to suggest that this helps them to identify who you actually are in meatspace unless you supply those details on your public Facebook page.
Re:Fonts, Plugins, History... why? (Score:5, Informative)
Your font list is reported by flash and java. Your browser is innocent of this. Disabling flash & java goes long way to make your system information less accessible.
Sniffing history is basic feature of xhtml/css, price you pay for selectors. a:visited (background-image:"slashdotorg.png") && boo! [shasldot.org] - if you go to my site, you will request specific image and i can see it in logs, boom, i know you were to slashdot.
Re:Fonts, Plugins, History... why? (Score:2, Informative)
"anyone know of a plugin that blocks them?"
NoScript blocks Javascript which in turn blocks most of these queries.
Still says I'm 1 in 200.000. Probably due to running Ubuntu. I'd have to manipulate my HTTP headers to something very common to counter that. No idea if there's an add-on that does that ... or what value to use.
Add Flashblock if you want to control the execution of Flash independently (e.g. allow JavaScript but only run one of the flash applets, like the video but not all those add/tracker applets).
Re:Fonts, Plugins, History... why? (Score:3, Informative)
Re:Can I get a big who cares? (Score:3, Informative)
With this you get the friends of friends and their interests.
The ability to play an eco nut, poker fan, open source gamer or other 'lifestyle' undercover is very tempting.
Over time they build a relationship and might get invited in.
Re:Summary is wrong; idea is worthless (Score:1, Informative)
History stealing is even older than Jeremiah Grossman's blog posting, he also simply copied the idea: this design flaw was reported in bug tracking system of Mozilla (Netscape) back in 2000, the longest discussion in the system is from 2002 (http://bugzilla.mozilla.org/show_bug.cgi?id=147777 [mozilla.org]).
If you read the article, they clearly state that history stealing is a well-known technique, they just use it in a different setting to be able to find out the "group fingerprint".
Re:Xing? (Score:3, Informative)
Re:Fonts, Plugins, History... why? (Score:1, Informative)
Easy remedy:
about:config
plugin.expose_full_path Standard boolean false.
I bet yours is set to true.