16 Feb 2011

Online profile linking using usernames

There have been recent reports about security vulnerabilities arising from the reuse of passwords on different web sites. What about the reuse of usernames? Can identities established on multiple web sites be linked together based on the usernames, and what are the implications for privacy?

A recent research paper from INRIA in France described an experiment that looked at over 10 million usernames from popular services such as Google and eBay. In some of the tests, Google profiles that listed multiple accounts on different web services were used to establish “ground truth” about linked usernames.

The first finding was that the usernames people choose on various websites tend to be highly unique, with the probability of duplication being approximately one in one billion. This was true for a variety of web services, including a corporate network, Finnish web forums, and MySpace.

Second, the researchers found that when people used different usernames for different services, many of the usernames were constructed by making very small changes to existing usernames (e.g., sarah, sarah2).

Third, the study demonstrated that more than 50% of the usernames created for different services could be linked to one another because the username was identical or very similar, and distinct from other usernames.

The results are important for privacy protection. Although you may limit the amount of personal information you reveal when using a particular service, if your profile can be linked to other services then a detailed personal profile can be constructed from the various bits of partial information. This could lead to embarrassment if a supposedly anonymous profile is linked to a real-world identity. Spammers and fraudsters could also gather information from multiple services to target their messages or launch phishing and social engineering attacks.

In a demonstration of the risks involved, a quick examination of people using anonymous file sharing services (private BitTorrent trackers) found that 13 out of the 20 usernames examined could be linked to other web services (e.g., YouTube, eBay) and 4 usernames could be linked to real-world identities.

The lesson is similar to the warning about passwords – make sure that you choose a truly unique username (and password) for each service that you do not want linked together.
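
As an added example (not code from the study or from this blog), here is a self-audit you can run before registering a new username: it scores a proposed handle against the handles you already use and reports the ones it closely resembles. The normalized edit-distance measure, the 0.7 threshold, and the sample handles are assumptions chosen for illustration.

```python
# Added example: check a proposed username against handles you already use.
# The similarity measure and threshold are assumptions, not the study's method.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions, substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical handles (case-insensitive), 0.0 for nothing shared."""
    a, b = a.lower(), b.lower()
    longest = max(len(a), len(b))
    if longest == 0:
        return 1.0
    return 1.0 - edit_distance(a, b) / longest


def audit(candidate: str, existing: list[str], threshold: float = 0.7):
    """Return (handle, score) for each existing handle the candidate resembles,
    most similar first. An empty list means no close match was found."""
    scored = [(h, round(similarity(candidate, h), 2)) for h in existing]
    return sorted((s for s in scored if s[1] >= threshold),
                  key=lambda s: -s[1])


# Constructed sample handles, standing in for accounts you already hold.
EXISTING = ["sarah", "s.connor84", "quietheron"]

if __name__ == "__main__":
    for cand in ["sarah2", "Sarah", "s_connor84", "mapletrellis"]:
        hits = audit(cand, EXISTING)
        verdict = f"resembles {hits}" if hits else "no close match"
        print(f"{cand:14s} {verdict}")
```

A candidate that returns an empty list is only dissimilar to your own handles; it says nothing about whether someone else already uses it.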

3 Responses

Andrew Patrick Says:

Google has just announced that they are doing username matching in their social search product: “if our algorithms find a public account that might be yours (for example, because the usernames are the same), we may invite you to connect your accounts right on the search results page and in your Google Account settings.”

It is kind of creepy that Google thinks it knows my various identities on different services. It is also not clear how effective this matching will be, and what the privacy implications are. Can I inadvertently reveal a username that I did not want to be public? Can I “claim” a username that is not really mine?
