How Your Username May Betray You 308
Posted
by
CmdrTaco
from the you-are-a-number-not-a-name dept.
from the you-are-a-number-not-a-name dept.
An anonymous reader writes "By creating a distinctive username—and reusing it on multiple websites—you may be giving online marketers and scammers a simple way to track you. Four researchers from the French National Institute of Computer Science (INRIA) studied over 10 million usernames—collected from public Google profiles, eBay accounts, and several other sources. They found that about half of the usernames used on one site could be linked to another online profile, potentially allowing marketers and scammers to build a more complex picture the users."
Uh... (Score:5, Informative)
Couldn't they already do this with cookies?
In other news.. the gentleman wielding the running chainsaw could probably kick you really hard with those steel toe bootsand maybe even poke you in the eye!
Re: (Score:3)
yes, but for those who activley disable cookies, this is potentially another way of tracking that few people would have thought about.
Re: (Score:3)
Also, those who use one service from one machine, and a different service from a different machine, in which case cookies won't track you.
Re:Uh... (Score:4, Informative)
Re: (Score:3, Informative)
this is potentially another way of tracking that few people would have thought about.
Sure, if you're braindead. Did you really think that if you use a non-unique identifier across multiple sites that it couldn't be used to track you? That's about as 'duh' as it gets.
Re: (Score:3)
Yeah, I'm pretty disappointed at the histrionics here too. I'm not l33t enough to triple-route honeypot links shielded by a clandestine shadow router batched through a clandestine ISP installed behind the volcano damaged area of Monserrat and hooked through 7 false-positive generating mirrored proxies. (Your pointy headed bs may vary.) So I settled for a simple two level shield enough to stop the worst spam which has worked well enough for 7 years.
But having a single net identity also lets fans follow my "n
Re: (Score:2)
Yeah, I've been using the same login name since I got into BBS'ing on my Ti-99/4A back in the early 80's. Oh noes, I can be tracked!
Re: (Score:2)
Couldn't they already do this with cookies?
Wait, is that true? Can, for example, Slashdot see that I've been visiting eBay? I
Re: (Score:2)
slashdot could see if you were visiting ebay by exploiting the browser a bit -- they could make an invisible link to ebay, then pass back which color your browser made it. red link means you were there before. i dunno if they fixed this somehow, yet.
Re: (Score:3)
slashdot could see if you were visiting ebay by exploiting the browser a bit -- they could make an invisible link to ebay, then pass back which color your browser made it. red link means you were there before. i dunno if they fixed this somehow, yet.
Okay... Leaving browser exploits out of it for the moment, though, isn't cookie access restricted to the domain that set it?
I mean, the whole point of the story is that people use the same username all over the place. This makes them trackable without any sort of exploit, and not in a way that has anything to do with cookies.
Now, if that's just pointless fearmongering, well I understand that. But I did, however, stop using my more identifiable nickname on Slashdot because I didn't want my professional co
Re: (Score:2)
Okay... Leaving browser exploits out of it for the moment, though, isn't cookie access restricted to the domain that set it?
Yes. But it's easy to circumvent by websites referencing a common 3rd party url for an image. (EG: a banner ad)
Referencing a 3rd party URL in an image allows cookies to be set for that domain regardless of what URL you typed in and gives that 3rd party knowledge of the website the request originated from. (EG: what URL you typed in)
Re: (Score:2)
Can, for example, Slashdot see that I've been visiting eBay?
If it couldn't before, it can now >xD
Re:Uh... (Score:4, Funny)
Yes.
Now, I have different usernames for a lot of different websites and IRL I don't have a beard. (I shaved it off in 2004.)
I was looking for a yoga mat; the "community" ones at the gym were a little more... used that I preferred for an item that I touch with my face. I am using IE7 since that's what corporate IT imposes. I was getting ads on /. for yoga classes and cheap yoga equipment. I volunteer at the YMCA and look up the schedule so I know what classes are on on a given day. I got ads for meeting "fitness singles".
I also, due to my work, look up a lot of military things. I was getting ads for martial arts training and "how to handle a handgun" and other things like that.
Apparently the ads computers think that yoga + military + YMCA = gay. I was getting ads for "meet local singles" with pictures of men. It was really weird until I realized that the ad servers think that I'm a fan of sausage. Or maybe they think I'm a woman; I look up vegan and vegetarian recipes and I'll look at knitting patterns to give my wife feedback. Oh, yeah, that makes more sense. They think I'm a woman.
(An ugly one...)
I've also got a quirk whereby the computers at work all go through the servers back east, so it also thinks that I live on the West Coast but work on the East coast; a 7000 mile trip can be covered in 30 minutes with ease.
That's why I always use (Score:2)
a unique username on every site:
head /dev/urandom | md5sum
Re: (Score:3)
Exactly the same as it putting out 'MaskedS'. Or '1234567'. Or 'b5c2502'.
Re: (Score:3)
No, no. From "time-" to "-time". Not a big change, but maybe enough to throw off the trackers.
Pretty sure (Score:5, Funny)
Re:Pretty sure (Score:5, Funny)
Re: (Score:2)
My username on every other site is hunter2, so it just comes up as asterisks anyway.
I wonder how many caught the reference [bash.org]
Re: (Score:2)
Yes it will.
http://www.youtube.com/watch?v=Eo-KmOd3i7s [youtube.com]
Re: (Score:2)
http://slashdot.org/~myusername/ [slashdot.org]
Or will he?
Re: (Score:2)
Re:Pretty sure (Score:4, Funny)
Re: (Score:2)
Slow news day much? (Score:4, Insightful)
Re: (Score:2)
Film at eleven: Identifiers identify entities. I'm SHOCKED!
Re: (Score:2)
That's what I was thinking. Maybe this is just setup for their next story: When you create a profile on a site, that site can tell when you're logged in or not :-o
Re: (Score:2)
I thought this was the whole point of using a unique username. If I didn't want a unique identity, I wouldn't have created one for myself.
Yup. That's the whole reason why I picked a fairly unique name, and why I've re-used it all over the place. If you see that name, it's probably me.
Duh. (Score:2)
That's why I have several aliases I use online, and will never use anything relating to my real name. The one you see here is for fairly anonymous forums. I have one that's used strictly for gaming and game related material. I have one that I use for throw-away accounts (spam e-mail, etc). Then I have a few super generic ones that I use for...shall we say... less honorable activities? ;)
Re: (Score:2)
less honorable activities
Marketing?
Re: (Score:2)
"John Doe's Peener"
Not really that generic.
No Shit (Score:5, Insightful)
Seriously, that's almost precisely why I've the same username all over place (amusingly, almost except /.) - so that people who know me on one might recognise me on another.
I'd imagine that anyone with a desire to not let anyone know where else they go on the net already gets all their usernames out of pwgen or something.
Who cares? (Score:2)
Re: (Score:3)
Re: (Score:2)
Yup. And factor in gov't related employment since I went in the military after high school and they know what kind of underwear I'm going to put on before I do.
Re:Who cares? (Score:4, Interesting)
Constantly changing my identity and browsing habits just to throw off marketers.
Marketers are the least of our worries. The problems come from those who would use the marketers' databases for purposes other than marketing. Things like blackmail - such as a "straight" married politician who frequents a lot of gay websites. Or barratry (which is generally not illegal) such as Sony trying to subpoena youtube's records of everybody who has viewed a video on how to crack the PS3. Or the police state gone awry where they use the data from those gps services that record your position to back-fit cases to people who have done nothing more suspicious than be within a few blocks of a crime.
The list of potential abuses of this sort of information is practically infinite - you may never be personally bothered by it, but then again relatively few people are ever assaulted or robbed or had their car stolen, but we still take precautions against all of those too.
Do you really want to track (Score:5, Funny)
Depends what you're selling. (Score:2)
Re:Do you really want to track (Score:5, Funny)
Re: (Score:2)
No problem (Score:3)
As long as they can't link my username to my real name, I don't care. They can collect information about "some dude who goes by GameboyRMH" all they like.
Re: (Score:2)
Re: (Score:2)
Haha nice try.
Re:No problem (Score:4, Interesting)
Re:Reverse Identity Problem (Score:3)
Sure, if some jerk has it out for you and you get stuck in one of these nets you'll never escape.
Big Picture, we're thrashing through a ton of social change with this here Net thingie.
Johnny Mnemonic says... (Score:2)
My Yahoo account is GPLDANJCYS, which stands for me + Jesus Christ Yahoo Sucks.
Then, you know exactly who is leaking and linking your information, and how you feel about them to begin with.
Re: (Score:2)
Sham-Wow?
Really?
Ummm (Score:5, Insightful)
Hey slashdot, why don't you be ahead of the curve on this and let posters change their username associated with their comments once every few years. Also, being able to delete an occasional comment would be thoughtful too. It's not 1995 anymore on both accounts.
Re: (Score:3)
However, a good way of allowing users to "delete" their past comments would be to convert them to being anonymous. Of course that's far from foolproof, but it can be surprisingly effective for preventing casual searching by others.
Oh, and then there are the cookies (Score:5, Informative)
And the installed fonts, and the screen resolution and color depth and the dozens of other factors that combined allow you to be tracked.
Try this web site for an idea of how these factors can (in combination) uniquely identify you:
https://panopticlick.eff.org/ [eff.org]
I see that my browser is unique among the 1.4 million tested, with 20 bits of identifying information. Knowing my user name isn't going to compromise my privacy all that much more, especially compared to how Facebook screws your privacy every day.
Re: (Score:3)
Fortunately NoScript protects me from those scumbags at eff.org.
Re: (Score:2)
So you need a collection of fonts you don't like and a script to randomly add/remove them to your system.
interestingly... (Score:2)
IE9 crashes hard on that page.
-Rick
. . . common sensical, it seems to me. (Score:3, Informative)
Strong Usernames should - (Score:5, Funny)
How did they get the usernames? (Score:2)
Are we looking at a sever breach here if researchers have access to username on Google and Ebay? And what security do they have to keep those lists out of others hands. Probably the student in the University will keep all that information secure...
Yah right.
Re: (Score:2)
And Slashdot is violating your privacy too! Your username is right there at the top of your comment! How dare they allow anyone who reads your comments to see the username that you created to identify yourself to those reading your comments!
Re: (Score:2)
That is true John. But we are looking at what appears to be a data dump of all usernames. To strip usernames is possible in any public site but I suspect they get a feed from those vendors. I could be wrong but the numbers they are looking for and things like google usernames would be harder to find than say Ebay names that could be screen scraped more easily, but then you still have a limited population.
If they have user-names did they have other information to verify they had a match across systems? Op
Are we still beatin' that horse? (Score:2, Insightful)
Give it up. Privacy is gone.
Cowboy Neal (Score:2)
Re: (Score:2)
Identifiers may be used to identify you! (Score:5, Insightful)
Could we just move tautologies to idle? Or maybe we need a /. section called duh...
Re: (Score:2)
Re: (Score:3)
No, you have to be a member of Tautology Club [xkcd.com] to do that.
I use unique usernames for background checks... (Score:5, Insightful)
I work for a growing software company and I have basically used this technique for doing basic background checks on job applicants.
Back in about 2006 we had someone apply who had a distinctive username that returned a handful of results via a careful google search. Almost all of them were to "alt.drugs.bongmaking" or something similar.
I didn't care whether the guy/girl had used drugs, but about the complete lack of discretion in the posts. He had actually used his full name and detailed personal information that positively identified him as our applicant. Really sad, and not the only time something like that has happened.
Virtue of the story (Score:2)
Don't be an internet celebrity if you plan on applying for any job. Same thing vice versa. This economy punish creativity totally.
Unless, of course you are living off from a trust fund, then you can afford to act in a civilized manner like Lindsey Lohan.
Re: (Score:3)
Sounds like the lesson should be that companies are overzealous in their "no drugs" stance. Because all they're ending up doing is only hiring the people that are better at hiding it and really... do you want to only hire the people that are good at hiding their discretions? Think that'll never end up biting you?
Re: (Score:3)
That is why I rarely use my real name on the Internet
Unfortunately there are a half a dozen other people using your real name. Better hope none of them is into stuff your prospective employers or whatever don't like!
My last name is unexceptionable but not common and there are at least one or two people I can find on google with exact matches, including middle name. One of them is even in a vaguely-related technical field, albeit in a different country. A sufficiently lazy search--and really, what other kind is there likely to be, what with automated proce
Isn't that the point? (Score:2)
That's the point dumb asses. So you market to this useless account that you think you have nailed demographically. Can't sneak nothing past you guys.. And yes I would like a subscription to O magazine because as an older woman I love Oprah.. fucking morons.
If you don't want your actions tracked... (Score:3)
I'm not sure that's what 'Betray' means. (Score:4, Insightful)
You see, that's really THE WHOLE POINT of using the same username in multiple venues. In fact, it's the whole point of having a publicly visible username at all.
It's there to promote continuity between your various posts. It builds a "brand identity", if that's a phrase that you can use without wanting to punch yourself. If that wasn't what you were trying to do then you shouldn't have registered a user name in the first place.
More shocked they haven't done this for email (Score:2)
I wonder how many people use the same username as their email address.
Honestly, who thinks it would be that hard to go through and scan the internet for usernames, and then append every popular domain name after them.
Add to that the profiles that could be scanned, and combined, along the way, and you can probably find pretty good, targeted ads in a very automatable way.
What's the big deal? (Score:2)
DUH (Score:3, Insightful)
Sounds iffy (Score:2)
I've used "Cro Magnon" several places, so one could assume it's the same person (especially if I make a referrence to one of the other sites). However, on at least one site, "Cro Magnon" is used by someone else, and my username is something entirely different.
Also, I'm on plenty of sites with totally different usernames.
So let them....! (Score:2)
If someone sees that I buy a lot of stuff from bestbuy, and that I am a programmer because I have accounts on sqlserver.com and vb.net mag .com and also see i post a lot about tech stuff on /., etc...etc... guess what , they wont bother sending me spam about viagra, they will send me spam about the latest tech stuff for sale, which is just fine by me....allows less spam making it's way into my mailbox....
Re: (Score:3)
Don't look now but you just admitted to being a VB programmer on /.
Prepare yourself for heaps of abuse.
Easily avoidable (Score:4, Insightful)
Or it could show sites betraying /. (Score:2)
i googled my /. username and found more than one site duping /. articles:
http://jetlib.com/news/tag/earth/page/20/ [jetlib.com]
http://pubsub.com/Puck-Daddy-Mini-Doc-Talking-2010-NHL-Draft-and-dream-cars-with-Taylor-Hall-Tyler-Seguin-and-Cam-Fowler-Sunny-the-Sun-n-cpTsvVWHWnSS [pubsub.com]
plus a lot of other stuff i knew would be found if anyone did that. so i don't feel betrayed at all.
Not new (Score:2)
Same problem also exists with people. I don't necessarily want people to track me down all over the web. Easy fix though:
Randomly generated password for each.
what about advantages? (Score:2)
My reputation is too important for me to want to change my nick just to avoid marketing. It's useful for recruiters or prospective employers to be able to do a quick search and find out more about me. It's like an implicit and well-earnt LinkedIn.
I'm pretty much pwned already.. big woop (Score:5, Insightful)
Trying to hide from the marketers is almost a Hobson's choice. If I want to obscure my identity, I must:
- Use multiple identities. Complexity and failure due to other means of tracking me make this fairly pointless.
- Stop using cloud-based services. There goes Gmail and a bunch of other stuff. So I should be running my own webmail gizmo?
- Opt-out of all marketing opportunities. Sure, and opting out is actually respected by how many? ESPN keeps turning video autoplay back on when I go there, as if they are going to respect my opting out of newsletters, sharing with other entities that have 'items of interest' to me.
- Unsubscribe from services when I'm done with the business at hand. And re-enroll two weeks later. Nice, I get to play whack-a-userID as much as I do the thing I actually wanted to do.
So I don't bother. I'm fairly immune to the sidebar ads I get, I never respond to spam ads, and I am now tending to avoid retailers that obviously use deceptive means to target me. Screw 'em.
As an example of hilarity; I looked into getting a used shipping container a few months ago to use for storage. Turns out even old beatup ones are pretty expensive. For weeks after that, I would see sidebar ads for shipping containers 'everywhere'. Even today I coudl get one if I go to the 'wrong' site. I was never seriously in the market for containers, but it's a competitive market, and they are persistent.
Another example; I made the rare mistake of going to a buy.com (or was it nextag.com?) link for an item. Aw, crap. Now I get those ads all the time. But I recognize them schlepping me ads for 'djebme strap' and ignore them.
A final example; How often have I actually clicked a link to nextag.com to look for something specific, as a last resort, and find that they actually don't have ANY sources, but 'check back real soon'! Argh. And you can be sure I'll be peppered with ads for that item for a while. Grrr.
It's a lot like old fashioned junk mail, except I don't even need to carry it to the dumpster. It could be worse.
And it probably is. My only fear is that I will eventually get categorized, and red-lined so that I never see ads for what I actually want, but I see ads that are shoveling me something I don't want, but 'they' are trying to steer me to. This is entirely illegal in financing, but not quite yet in retailing. We'll see if it should be or not.
Re: (Score:3)
See, I'm the kind of person marketers hate. I never click on any ads... ever. If I see something I want, I manually go to the web site and look it up, bypassing the ad entirely.
Suddenly everything makes sense (Score:2)
security through commonality (Score:2)
Use a username that is a slight modification of a VERY common person. bradpitt, obama, billgates, sjobs, stevejobs, ibm, microsoft, etc etc.
then, when some marketing puke googles that : the s/n ratio blows their little analytics apart.
-- john smith
Communication? (Score:2)
OK, they can. I wish they would (Score:2)
For marketeers is is NOT a tool that will be used. Say you are on 2 technical sites and one social one, the marketeers won't say "We will send him technical ads." The will say "We will send him technical ads, social ads and some unrelated ones just to be sure."
Just like saying "NO" to a marketeer means to him that he has not explained it well or often enough and if you say YES, it means it will work again.
So? (Score:2)
Please Mr Marketer, read the history of everything I've posted, know my likes and dislikes, and cater the marketplace to me.
How is this a bad thing?
Wow, just like real life (Score:3)
Good luck with that! (Score:3)
I use Yvan256 for Slashdot, Yvan257 for Twitter, Yvan258 for Facebook, etc. No criminal mastermind could ever crack my username pattern!
Real Men Browse The Internets (Score:4, Insightful)
A Real Man who wants to visit websites will load each site in a separate browser instance with a unique agent string and a different browser vendor and build each time with all cookies and scripts (1st, 2nd, 3rd, 87th party, etc.) hard-blocked, and only from within a series of totally unique VM environments of no less than Windows XP (Home and Pro), Vista (all 4,556 varieties), Win 7 (all varieties) and no less than 1,396 versions and flavors of Linux or Unix derived operating systems, and each randomly selected for each site visit, which are only done from a Tor onion connection running inside of the VM, which is in turn routed through a Tor onion connection running from the top-level main desktop that you're doing all this from, and each VM is promptly rolled back to pre-website status after your visit is done--and that's for EVERY SINGLE VISIT. ANYTHING LESS THAN THIS LETS THE INTERNET RAYS PENETRATE YOUR TINFOIL THINKING CAP.
Re: (Score:2)
Re: (Score:3)
And when they find me, how will I resist their clever and informative advertising?
I'm sure there must be plenty of marketeers scratching their heads trying to understand what's this "Anonymous Coward" guy's preferences.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
It isn't just Europe.
The WSJ ran an entire series of articles about scary analytics and their evil quant masters. NPR "Fresh Air" then ran an hour long episode quoting the WSJ. The horror! I was shopping for shoes and then shoe adverts started popping up! Dammit, they know EVERYTHING!
Re:Why would you care about marketers tracking you (Score:4, Insightful)
why would anyone wish to hide what brand of jeans they like to wear?
Because it's none of their business?
I for one would very much prefer that marketers and ad networks had a good picture of my product preferences so that instead of ads for mortgage refinancing and painfully unfunny t-shirts, I would get advertisements for things that I might actually be interested in.
There are ads on the Internet?
Re: (Score:2)
I think this is related to the way in which brands don't just sell us products, they sell us identities. So the underlying worry is that, if our consumption habits are really just data that marketers can aggregate, then the brand of jeans we buy and the music we listen to and the films we watch don't actually make us the special snowflake we would like to imagine.
Re: (Score:2)
And I am neither an annoying Indian pop singer, nor a Japanese goddess.
Re: (Score:2)
Oops. :)