De-Anonymizing Social Network Users

An anonymous reader writes "The H has an article about some researchers who found a new way to de-anonymize people. Compared to the EFF's Panopticlick, the goal of this experiment is not to identify a user's browser uniquely, but to identify individual users. The test essentially exploits the fact that many social network users are identifiable by their membership of various groups. According to the researchers, it's very unlikelly that two people on any social network will belong to exactly the same groups. A 'group fingerprint' can thus allow websites to identify previously anonymous visitors. They describe the setup and all details and the results look very interesting. They also have a live demo for the social network Xing that was able to de-anonymize me."

First Post

[Ethanol-fueled]

Fuck social networks.

Nothing new

[stephanruby]

There is nothing new about this. This is what any human being (a PI, or a stalker) would intuitively try to do. This is just streamlining and automating that process.

Solution: Never join any groups

[Anonymous Coward]

Just try to de-anonymize the antisocial network!

Summary is wrong; idea is worthless

[michaelmalak]

The summary is incorrectly worded. It should read "Contrasted with the EFF's..."

But worse than that, the paper itself is horribly written, especially the abstract. The threat presented is not de-anonymization within the social network (since usually most profiles are real people anyway) but rather de-anonymization of visitors to arbitrary websites if those visitors also have social networking URLs in their browser history.

Now, the big privacy hole here is browser history stealing [blogspot.com], which is four years old. All this paper does is refine this mountain of privacy-invading information using social networking URLs that might be found there.

Re:Nothing new

[AHuxley]

IP can change, country can change, name can change.
But if your the user with a Mac, version 2.0.1b of a browser posting to a small interest section, this would be great to find you again and your new set of friends.
Thats why you never go back to the same sites if people are interested in you.

Re:Xing?

[thePowerOfGrayskull]

I was wondering the same. Having never heard of xing, I went to its web site and learned that it's a "global network of professionals" that boasts "over 8 million members".

Xing membership is a fraction of facebook, linkedin, et al. I would have to assume that it's going to be easier to "fingerprint" users of Xing when they have such a relatively small userbase. TFA doesn't say that their method works anywhere else either (though they imply that it could...); further they specify it only works for people in groups. This reduces the population of 8 million down to 1.7 million by itself. How many of those belong to just 1 or 2 groups, in which you might expect to find a high degree of overlap?

Re:Can I get a big who cares?

[Anonymous Coward]

I suppose you could use it to set up a honey pot site for people with certain beliefs or interests and use it to accumulate a list of people with those beliefs or interests

You mean, like, a social networking site?

Re:Summary is wrong; idea is worthless

[pipatron]

Which is why browsing with NoScript should be mandatory and why we should try to stop webmasters from using unnecessary javascript on their websites.

(Oh, and please stop mocking those of us that takes basic security precautions.)

why is that modded offtopic?

[Adolf Hitroll]

It obviously hit the nail quick and straight on the head. ...I d' add: "social networks fuck" as they do have a very negative impact upon one's social life IRL.

Maybe some mod is being to sensitive about short first posts. I hope he knows not to act that stupidly IRL (though I higly doubt it).

Re:Fonts, Plugins, History... why?

[StripedCow]

Even more horrifying: in my case, my local username was part of the information that panopticlick found... the reason was that one of the plugin binaries was in a subdirectory of my homedir, and its path contained my username, and apparently the path of that binary was sent out by firefox. However, I'm not sure if the fault lies with firefox or with the particular plugin (citrix receiver for linux). Probably the latter, because in the plugin-box, it identifies itself with its full path.

Re:Summary is wrong; idea is worthless

[zdzichu]

The whole site and paper looks like an attempt at marketing Xing. I never heard of this site before, now it's on the news.

Re:False belief work both ways.

[osu-neko]

...register with different false data on separate sites

This attack allows for a bit of quasi-de-anonymizing in this case. It doesn't tell you that user "vikingsfan" is real life Eric J. Andersen of Frostbite Falls, MN, but it does tell you that "vikingsfan" on the site is none other than "hockeypuck" on site B, who is also the same person as "moosehead" on site C, etc.

This sounds trivial, but it's of interest to some of us who may not want people on site A to know who we are on site B, when site A is an important social locale for us, even if no one on site A knows our real name (which is probably unimportant to them in any case, it might as well be just another nick...)

Put succinctly, it can expose your alts even if it doesn't expose your RL identity.

uhh, why?

[TechnoVooDooDaddy]

All you have to do is post a stupid little survey to Facebook and millions of idiots will fill the silly thing out giving you their mother's maiden name, street they grew up on, and last 4 digits of their social security in return for generating a few sentences of nonsense.