Researchers Can ID Anonymous Twitterers

narramissic writes "In a paper set to be delivered at an upcoming security conference, University of Texas at Austin researchers showed how they were able to identify people who were on public social networks such as Twitter and Flickr by mapping out the connections surrounding their network of friends. From the ITworld article: 'Web site operators often share data about users with partners and advertisers after stripping it of any personally identifiable information such as names, addresses or birth dates. Arvind Narayanan and fellow researcher Vitaly Shmatikov found that by analyzing these 'anonymized' data sets, they could identify Flickr users who were also on Twitter about two-thirds of the time, depending on how much information they have to work with.'"

Re:Who promised?

[vux984]

Who ever promised this data would be anonymous? Do you really expect privacy when posting personal stuff on line, even if you don't sign your name in advance?

1) People still assume that if don't sign their name on the internet then its anonymous. People need to be educated otherwise. Articles like this help.

2) While a lot of people are still grappling with #1 above, there are a lot of more sophisticated people who need to learn that even if they ARE behind 7 proxies, using tor, ssh, on a hacked wifi they are accessing via a pringles can-tenna from across state or even national lines... and then use that super anonymous connection to participate anonymously in 'social networking' sites like twitter, facebook, etc... even if they never reveal a single personal detail about themselves, their place within the social network itself can be reliably used to unmask them once they've had their anonymous account linked to real friends.

People REALLY need to be educated about this.

Re:Who promised?

[Niris]

David.

You mean like willyhill?

[tepples]

Willyhill managed to ID fourteen Twitter accounts [slashdot.org]. Or is this something completely different?

Re:Who promised?

[arvindn]

Hi. I'm one of the authors. Please read our FAQ [utexas.edu]. It answers that very question. In short, our de-anonymization algorithm applies to far more than public social networks like twitter, including some very sensitive ones.

Re:Who promised?

[Runaway1956]

How sure are you, of that idea? You must realize that your IP is recorded again, and again on the web. Do you use Flash, Java, or any other plugins that potentially give away identifying data? Does your browser leave any data that you are unaware of? What about your operating system? Microsoft has this thing (I forget the name, but almost everyone here knows what it is) where you can sign into one account, then automagically be signed into dozens if not hundreds of other sites/accounts. Google has something similar, if on a smaller scale. I can sign into GMail, and be recognized on YouTube, and MySpace, if I should care to make use of that "feature". Your practices are commendable, but you also need to make sure that you are using the technical tools available to reinforce your practices. We mustn't forget the many forms of malware available to the modern browser. Picking up any common trojan designed to exploit Windows, IE, OE, or WMP can guarantee that you are tracked everywhere, despite any practices or tools that you may employ.

Re:Who promised?

[EdIII]

True, but that is not the same thing as what we are talking about in the article.

If you search my comments and find any postings with my real name, references to my place of work, real people, events, etc. then I do agree you could possibly do research in the real world to identify who I am. Sort of a 20 questions kind of deal.

Remember... that is identify , as in gain a positive identification of my real world identity to the point you could then actually find me. Learning about my likes, dislikes, religious or political affiliations, positions on various arguments is not the same as identifying me.

What the article is mentioning is that even though I am anonymous, there are enough of my own interactions with other non-anonymous people that my identity could be inferred by analyzing the data. Meaning that I am Mr.X, but Bob, Alice, Sally, Mary, and Steve all have information publicly available about somebody named Joe. Through process of elimination it is determined that it is highly likely I am the person Joe. Mr.X was still anonymous, his connections were still anonymous, but through analysis we have found it is highly likely that Mr.X is in fact Joe.

That does not apply to me as this identity has never communicated with anybody that knows my real identity. So I would agree, you could gain knowledge about my relationships with other /.'s, but they will not provide you with any knowledge of my identity, nor will my own posts.

I do invite you to research my posts should you want to. Feel free to let me know the results in this thread :)