Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Privacy Your Rights Online

How Your Username May Betray You 308

An anonymous reader writes "By creating a distinctive username—and reusing it on multiple websites—you may be giving online marketers and scammers a simple way to track you. Four researchers from the French National Institute of Computer Science (INRIA) studied over 10 million usernames—collected from public Google profiles, eBay accounts, and several other sources. They found that about half of the usernames used on one site could be linked to another online profile, potentially allowing marketers and scammers to build a more complex picture the users."
This discussion has been archived. No new comments can be posted.

How Your Username May Betray You

Comments Filter:
  • Uh... (Score:5, Informative)

    by Anrego ( 830717 ) * on Monday February 14, 2011 @02:13PM (#35201192)

    Couldn't they already do this with cookies?

    In other news.. the gentleman wielding the running chainsaw could probably kick you really hard with those steel toe bootsand maybe even poke you in the eye!

    • yes, but for those who activley disable cookies, this is potentially another way of tracking that few people would have thought about.

      • by arth1 ( 260657 )

        Also, those who use one service from one machine, and a different service from a different machine, in which case cookies won't track you.

      • Re:Uh... (Score:4, Informative)

        by by (1706743) ( 1706744 ) on Monday February 14, 2011 @02:35PM (#35201458)
        There was an article [eff.org] on Slashdot [slashdot.org] a while back about a clever project [eff.org] to track your browser regardless of cookie settings / IP address. Neat stuff.
      • Re: (Score:3, Informative)

        by Desler ( 1608317 )

        this is potentially another way of tracking that few people would have thought about.

        Sure, if you're braindead. Did you really think that if you use a non-unique identifier across multiple sites that it couldn't be used to track you? That's about as 'duh' as it gets.

        • Yeah, I'm pretty disappointed at the histrionics here too. I'm not l33t enough to triple-route honeypot links shielded by a clandestine shadow router batched through a clandestine ISP installed behind the volcano damaged area of Monserrat and hooked through 7 false-positive generating mirrored proxies. (Your pointy headed bs may vary.) So I settled for a simple two level shield enough to stop the worst spam which has worked well enough for 7 years.

          But having a single net identity also lets fans follow my "n

          • by Gilmoure ( 18428 )

            Yeah, I've been using the same login name since I got into BBS'ing on my Ti-99/4A back in the early 80's. Oh noes, I can be tracked!

    • Couldn't they already do this with cookies?

      Wait, is that true? Can, for example, Slashdot see that I've been visiting eBay? I

      • slashdot could see if you were visiting ebay by exploiting the browser a bit -- they could make an invisible link to ebay, then pass back which color your browser made it. red link means you were there before. i dunno if they fixed this somehow, yet.

        • slashdot could see if you were visiting ebay by exploiting the browser a bit -- they could make an invisible link to ebay, then pass back which color your browser made it. red link means you were there before. i dunno if they fixed this somehow, yet.

          Okay... Leaving browser exploits out of it for the moment, though, isn't cookie access restricted to the domain that set it?

          I mean, the whole point of the story is that people use the same username all over the place. This makes them trackable without any sort of exploit, and not in a way that has anything to do with cookies.

          Now, if that's just pointless fearmongering, well I understand that. But I did, however, stop using my more identifiable nickname on Slashdot because I didn't want my professional co

          • by mcrbids ( 148650 )

            Okay... Leaving browser exploits out of it for the moment, though, isn't cookie access restricted to the domain that set it?

            Yes. But it's easy to circumvent by websites referencing a common 3rd party url for an image. (EG: a banner ad)

            Referencing a 3rd party URL in an image allows cookies to be set for that domain regardless of what URL you typed in and gives that 3rd party knowledge of the website the request originated from. (EG: what URL you typed in)

      • by drb226 ( 1938360 )

        Can, for example, Slashdot see that I've been visiting eBay?

        If it couldn't before, it can now >xD

      • Re:Uh... (Score:4, Funny)

        by Beardo the Bearded ( 321478 ) on Monday February 14, 2011 @02:55PM (#35201686)


        Now, I have different usernames for a lot of different websites and IRL I don't have a beard. (I shaved it off in 2004.)

        I was looking for a yoga mat; the "community" ones at the gym were a little more... used that I preferred for an item that I touch with my face. I am using IE7 since that's what corporate IT imposes. I was getting ads on /. for yoga classes and cheap yoga equipment. I volunteer at the YMCA and look up the schedule so I know what classes are on on a given day. I got ads for meeting "fitness singles".

        I also, due to my work, look up a lot of military things. I was getting ads for martial arts training and "how to handle a handgun" and other things like that.

        Apparently the ads computers think that yoga + military + YMCA = gay. I was getting ads for "meet local singles" with pictures of men. It was really weird until I realized that the ad servers think that I'm a fan of sausage. Or maybe they think I'm a woman; I look up vegan and vegetarian recipes and I'll look at knitting patterns to give my wife feedback. Oh, yeah, that makes more sense. They think I'm a woman.

        (An ugly one...)

        I've also got a quirk whereby the computers at work all go through the servers back east, so it also thinks that I live on the West Coast but work on the East coast; a 7000 mile trip can be covered in 30 minutes with ease.

  • Pretty sure (Score:5, Funny)

    by by (1706743) ( 1706744 ) on Monday February 14, 2011 @02:14PM (#35201202)
    that my username won't betray me...
  • by Toksyuryel ( 1641337 ) on Monday February 14, 2011 @02:16PM (#35201218)
    I thought this was the whole point of using a unique username. If I didn't want a unique identity, I wouldn't have created one for myself.
    • Film at eleven: Identifiers identify entities. I'm SHOCKED!

    • by Korin43 ( 881732 )

      That's what I was thinking. Maybe this is just setup for their next story: When you create a profile on a site, that site can tell when you're logged in or not :-o

    • I thought this was the whole point of using a unique username. If I didn't want a unique identity, I wouldn't have created one for myself.

      Yup. That's the whole reason why I picked a fairly unique name, and why I've re-used it all over the place. If you see that name, it's probably me.

  • That's why I have several aliases I use online, and will never use anything relating to my real name. The one you see here is for fairly anonymous forums. I have one that's used strictly for gaming and game related material. I have one that I use for throw-away accounts (spam e-mail, etc). Then I have a few super generic ones that I use for...shall we say... less honorable activities? ;)

  • No Shit (Score:5, Insightful)

    by lordandmaker ( 960504 ) on Monday February 14, 2011 @02:17PM (#35201238) Homepage

    Seriously, that's almost precisely why I've the same username all over place (amusingly, almost except /.) - so that people who know me on one might recognise me on another.

    I'd imagine that anyone with a desire to not let anyone know where else they go on the net already gets all their usernames out of pwgen or something.

  • I mean, we have to accept at some point that we are all in a public place. I for one don't want to have to live life online like a fugitive. Constantly changing my identity and browsing habits just to throw off marketers. And if you are smart you can easily avoid scammers by being more vigilant with your important information.
    • by sulfur ( 1008327 )
      I also don't bother hiding my real identity online; anyone with enough time on their hands and nothing better to do could correlate my accounts across different sites. It's much easier to assume that everything that you post online can be linked to you (similar to an assumption that everything you post on facebook is public). Just don't post anything that you don't want your boss to know, and you'll be fine. Maybe there will be fewer trolls on the Internet this way. Now, of course it is important to be able
      • by Gilmoure ( 18428 )

        Yup. And factor in gov't related employment since I went in the military after high school and they know what kind of underwear I'm going to put on before I do.

    • Re:Who cares? (Score:4, Interesting)

      by Jah-Wren Ryel ( 80510 ) on Monday February 14, 2011 @04:02PM (#35202406)

      Constantly changing my identity and browsing habits just to throw off marketers.

      Marketers are the least of our worries. The problems come from those who would use the marketers' databases for purposes other than marketing. Things like blackmail - such as a "straight" married politician who frequents a lot of gay websites. Or barratry (which is generally not illegal) such as Sony trying to subpoena youtube's records of everybody who has viewed a video on how to crack the PS3. Or the police state gone awry where they use the data from those gps services that record your position to back-fit cases to people who have done nothing more suspicious than be within a few blocks of a crime.

      The list of potential abuses of this sort of information is practically infinite - you may never be personally bothered by it, but then again relatively few people are ever assaulted or robbed or had their car stolen, but we still take precautions against all of those too.

  • by Ranger ( 1783 ) on Monday February 14, 2011 @02:19PM (#35201254) Homepage
    someone down named Analintruder?
  • by GameboyRMH ( 1153867 ) <gameboyrmh@NoSpam.gmail.com> on Monday February 14, 2011 @02:19PM (#35201256) Journal

    As long as they can't link my username to my real name, I don't care. They can collect information about "some dude who goes by GameboyRMH" all they like.

    • Are you sure about that Ronald?
    • Re:No problem (Score:4, Interesting)

      by georgesdev ( 1987622 ) on Monday February 14, 2011 @02:52PM (#35201648)
      How about: they start creating a fake account with your user name on facebook, become friend with some of your linkedin contacts, post on your new friends walls a scam using distorted extracts of what you posted on slashdot. Ok, you did a decent job of hiding your true name with that GameboyRMH ID, but still, if you use the same ID on lots of sites, you're still vulnerable to the kind of scenario I mention above. Personally, any online account that is indexed by search engines, I use a fake ID, and move to another one every 2 years, and it's not the same as my email address, etc ...
  • Build a username which uses Acrostics or Chunking of the place you are going.

    My Yahoo account is GPLDANJCYS, which stands for me + Jesus Christ Yahoo Sucks.

    Then, you know exactly who is leaking and linking your information, and how you feel about them to begin with.
  • Ummm (Score:5, Insightful)

    by Anonymous Coward on Monday February 14, 2011 @02:20PM (#35201266)

    Hey slashdot, why don't you be ahead of the curve on this and let posters change their username associated with their comments once every few years. Also, being able to delete an occasional comment would be thoughtful too. It's not 1995 anymore on both accounts.

    • Actually deleting comments is a bad idea, because it destroys the meaning of threads, ie the replies that follow a deleted comment don't make sense.

      However, a good way of allowing users to "delete" their past comments would be to convert them to being anonymous. Of course that's far from foolproof, but it can be surprisingly effective for preventing casual searching by others.

  • by Palestrina ( 715471 ) * on Monday February 14, 2011 @02:22PM (#35201290) Homepage

    And the installed fonts, and the screen resolution and color depth and the dozens of other factors that combined allow you to be tracked.

    Try this web site for an idea of how these factors can (in combination) uniquely identify you:

    https://panopticlick.eff.org/ [eff.org]

    I see that my browser is unique among the 1.4 million tested, with 20 bits of identifying information. Knowing my user name isn't going to compromise my privacy all that much more, especially compared to how Facebook screws your privacy every day.

  • by Ethereal.Visage ( 1990122 ) on Monday February 14, 2011 @02:23PM (#35201300)
    Umm . . . obvious, per chance? It seems to me that this is sort of . . . common sensical. Many people (myself included among that set) use a common username across multiple sites for that very reason mentioned in the article. To enable others to track us via our username. Of course, the intended audience is not the scammers -- oh, sorry, "marketers" -- but rather fellow hackers. But it's a double-edged sword. Perform an action, and the consequences will arrive, knocking on the door in the middle of the night. Welcome to the world, people.
  • by genghisjahn ( 1344927 ) on Monday February 14, 2011 @02:26PM (#35201336) Homepage
    Be at least 8 characters long. Have at least one upper and one lower case letter, a number, a symbol and an RGB code for your favorite color. Oh and change it every 6 months too.
  • Are we looking at a sever breach here if researchers have access to username on Google and Ebay? And what security do they have to keep those lists out of others hands. Probably the student in the University will keep all that information secure...

    Yah right.

    • And Slashdot is violating your privacy too! Your username is right there at the top of your comment! How dare they allow anyone who reads your comments to see the username that you created to identify yourself to those reading your comments!

      • That is true John. But we are looking at what appears to be a data dump of all usernames. To strip usernames is possible in any public site but I suspect they get a feed from those vendors. I could be wrong but the numbers they are looking for and things like google usernames would be harder to find than say Ebay names that could be screen scraped more easily, but then you still have a limited population.

        If they have user-names did they have other information to verify they had a match across systems? Op

  • Give it up. Privacy is gone.

  • So does this mean that Cowboy Neal is screwed?
  • by kwerle ( 39371 ) <kurt@CircleW.org> on Monday February 14, 2011 @02:32PM (#35201414) Homepage Journal

    Could we just move tautologies to idle? Or maybe we need a /. section called duh...

  • by kamelkev ( 114875 ) on Monday February 14, 2011 @02:34PM (#35201434)

    I work for a growing software company and I have basically used this technique for doing basic background checks on job applicants.

    Back in about 2006 we had someone apply who had a distinctive username that returned a handful of results via a careful google search. Almost all of them were to "alt.drugs.bongmaking" or something similar.

    I didn't care whether the guy/girl had used drugs, but about the complete lack of discretion in the posts. He had actually used his full name and detailed personal information that positively identified him as our applicant. Really sad, and not the only time something like that has happened.

    • Don't be an internet celebrity if you plan on applying for any job. Same thing vice versa. This economy punish creativity totally.

      Unless, of course you are living off from a trust fund, then you can afford to act in a civilized manner like Lindsey Lohan.

    • Sounds like the lesson should be that companies are overzealous in their "no drugs" stance. Because all they're ending up doing is only hiring the people that are better at hiding it and really... do you want to only hire the people that are good at hiding their discretions? Think that'll never end up biting you?

  • That's the point dumb asses. So you market to this useless account that you think you have nailed demographically. Can't sneak nothing past you guys.. And yes I would like a subscription to O magazine because as an older woman I love Oprah.. fucking morons.

  • by gstrickler ( 920733 ) on Monday February 14, 2011 @02:34PM (#35201442)
    ...don't get online. Don't post more info about yourself than you want to have distributed. Don't assume your username or password gives you any anonymity. If you're concerned about tracking, use a password manager and use a unique username/password for every site. If you're not that concerned, use 3-5 different user names with different passwords, they may be able to link some of your info, but not all of it.
  • by Minwee ( 522556 ) <dcr@neverwhen.org> on Monday February 14, 2011 @02:35PM (#35201450) Homepage

    You see, that's really THE WHOLE POINT of using the same username in multiple venues. In fact, it's the whole point of having a publicly visible username at all.

    It's there to promote continuity between your various posts. It builds a "brand identity", if that's a phrase that you can use without wanting to punch yourself. If that wasn't what you were trying to do then you shouldn't have registered a user name in the first place.

  • I wonder how many people use the same username as their email address.

    Honestly, who thinks it would be that hard to go through and scan the internet for usernames, and then append every popular domain name after them.

    Add to that the profiles that could be scanned, and combined, along the way, and you can probably find pretty good, targeted ads in a very automatable way.

  • Honestly, I don't care. I don't want government to have the power to track me, but if a marketer figures out in his database that the same person who posts on Slashdot also posts on a filmmaker site and a college football site, well, who cares? If I happen to want to do something where nobody can know who it is, yeah, I'll create another identity. But for the vast majority of what I do today, I've taken to using my real name as my user name. I can't figure out why people think a user name "betrays" you beca
  • DUH (Score:3, Insightful)

    by jdharm ( 1667825 ) on Monday February 14, 2011 @02:41PM (#35201524)
    Its called 'online presence' and it kind of the point isn't it?
  • I've used "Cro Magnon" several places, so one could assume it's the same person (especially if I make a referrence to one of the other sites). However, on at least one site, "Cro Magnon" is used by someone else, and my username is something entirely different.

    Also, I'm on plenty of sites with totally different usernames.

  • If someone sees that I buy a lot of stuff from bestbuy, and that I am a programmer because I have accounts on sqlserver.com and vb.net mag .com and also see i post a lot about tech stuff on /., etc...etc... guess what , they wont bother sending me spam about viagra, they will send me spam about the latest tech stuff for sale, which is just fine by me....allows less spam making it's way into my mailbox....

    • Don't look now but you just admitted to being a VB programmer on /.

      Prepare yourself for heaps of abuse.

  • Easily avoidable (Score:4, Insightful)

    by Virtex ( 2914 ) on Monday February 14, 2011 @02:48PM (#35201592)
    This kind of tracking is easy to avoid. Just do like me and never post on discussion forums like this one.
  • i googled my /. username and found more than one site duping /. articles:

    http://jetlib.com/news/tag/earth/page/20/ [jetlib.com]
    http://pubsub.com/Puck-Daddy-Mini-Doc-Talking-2010-NHL-Draft-and-dream-cars-with-Taylor-Hall-Tyler-Seguin-and-Cam-Fowler-Sunny-the-Sun-n-cpTsvVWHWnSS [pubsub.com]

    plus a lot of other stuff i knew would be found if anyone did that. so i don't feel betrayed at all.

  • Same problem also exists with people. I don't necessarily want people to track me down all over the web. Easy fix though:

    $ cat /etc/mail/aliases | grep -i $USER | sort | uniq | wc -l

    Randomly generated password for each.

  • My reputation is too important for me to want to change my nick just to avoid marketing. It's useful for recruiters or prospective employers to be able to do a quick search and find out more about me. It's like an implicit and well-earnt LinkedIn.

  • by rickb928 ( 945187 ) on Monday February 14, 2011 @03:10PM (#35201852) Homepage Journal

    Trying to hide from the marketers is almost a Hobson's choice. If I want to obscure my identity, I must:

    - Use multiple identities. Complexity and failure due to other means of tracking me make this fairly pointless.

    - Stop using cloud-based services. There goes Gmail and a bunch of other stuff. So I should be running my own webmail gizmo?

    - Opt-out of all marketing opportunities. Sure, and opting out is actually respected by how many? ESPN keeps turning video autoplay back on when I go there, as if they are going to respect my opting out of newsletters, sharing with other entities that have 'items of interest' to me.

    - Unsubscribe from services when I'm done with the business at hand. And re-enroll two weeks later. Nice, I get to play whack-a-userID as much as I do the thing I actually wanted to do.

    So I don't bother. I'm fairly immune to the sidebar ads I get, I never respond to spam ads, and I am now tending to avoid retailers that obviously use deceptive means to target me. Screw 'em.

    As an example of hilarity; I looked into getting a used shipping container a few months ago to use for storage. Turns out even old beatup ones are pretty expensive. For weeks after that, I would see sidebar ads for shipping containers 'everywhere'. Even today I coudl get one if I go to the 'wrong' site. I was never seriously in the market for containers, but it's a competitive market, and they are persistent.

    Another example; I made the rare mistake of going to a buy.com (or was it nextag.com?) link for an item. Aw, crap. Now I get those ads all the time. But I recognize them schlepping me ads for 'djebme strap' and ignore them.

    A final example; How often have I actually clicked a link to nextag.com to look for something specific, as a last resort, and find that they actually don't have ANY sources, but 'check back real soon'! Argh. And you can be sure I'll be peppered with ads for that item for a while. Grrr.

    It's a lot like old fashioned junk mail, except I don't even need to carry it to the dumpster. It could be worse.

    And it probably is. My only fear is that I will eventually get categorized, and red-lined so that I never see ads for what I actually want, but I see ads that are shoveling me something I don't want, but 'they' are trying to steer me to. This is entirely illegal in financing, but not quite yet in retailing. We'll see if it should be or not.

    • See, I'm the kind of person marketers hate. I never click on any ads... ever. If I see something I want, I manually go to the web site and look it up, bypassing the ad entirely.

  • The marketers/spammers must have traced my username around the web and revealed my interest in sex. Apparently they worked out my email address too, because my inbox has been full of porn and viagra ads for years. And all this time, I thought _everybody_ got those kinds of emails. I can't believe this!
  • ok, so obscurity isn't working... time for something different.
    Use a username that is a slight modification of a VERY common person. bradpitt, obama, billgates, sjobs, stevejobs, ibm, microsoft, etc etc.
    then, when some marketing puke googles that : the s/n ratio blows their little analytics apart.
    -- john smith
  • Why does everybody act surprised when there is a news story telling us that using a communication as ubiquitous and publicly accessible as the Internet allows people to find us? That's kind of the point, isn't it? My tin foil hat is every bit as shiny as anyone else's here on /., but seriously, this kind of seems like a "Meh..." story to me. If you don't already realize that using the same user name on multiple web sites will allow someone to correlate your on-line activity, then you probably s
  • For marketeers is is NOT a tool that will be used. Say you are on 2 technical sites and one social one, the marketeers won't say "We will send him technical ads." The will say "We will send him technical ads, social ads and some unrelated ones just to be sure."

    Just like saying "NO" to a marketeer means to him that he has not explained it well or often enough and if you say YES, it means it will work again.

  • Please Mr Marketer, read the history of everything I've posted, know my likes and dislikes, and cater the marketplace to me.

    How is this a bad thing?

  • by howardd21 ( 1001567 ) on Monday February 14, 2011 @04:07PM (#35202460) Homepage
    So my online user name may identify in multiple places just like my real name allows people to know who I am? Who would have imagined that?
  • by Yvan256 ( 722131 ) on Monday February 14, 2011 @04:21PM (#35202600) Homepage Journal

    I use Yvan256 for Slashdot, Yvan257 for Twitter, Yvan258 for Facebook, etc. No criminal mastermind could ever crack my username pattern!

  • by joeszilagyi ( 635484 ) on Monday February 14, 2011 @04:50PM (#35202912)

    A Real Man who wants to visit websites will load each site in a separate browser instance with a unique agent string and a different browser vendor and build each time with all cookies and scripts (1st, 2nd, 3rd, 87th party, etc.) hard-blocked, and only from within a series of totally unique VM environments of no less than Windows XP (Home and Pro), Vista (all 4,556 varieties), Win 7 (all varieties) and no less than 1,396 versions and flavors of Linux or Unix derived operating systems, and each randomly selected for each site visit, which are only done from a Tor onion connection running inside of the VM, which is in turn routed through a Tor onion connection running from the top-level main desktop that you're doing all this from, and each VM is promptly rolled back to pre-website status after your visit is done--and that's for EVERY SINGLE VISIT. ANYTHING LESS THAN THIS LETS THE INTERNET RAYS PENETRATE YOUR TINFOIL THINKING CAP.

God helps them that themselves. -- Benjamin Franklin, "Poor Richard's Almanac"