De-Anonymizing Social Network Users

An anonymous reader writes "The H has an article about some researchers who found a new way to de-anonymize people. Compared to the EFF's Panopticlick, the goal of this experiment is not to identify a user's browser uniquely, but to identify individual users. The test essentially exploits the fact that many social network users are identifiable by their membership of various groups. According to the researchers, it's very unlikelly that two people on any social network will belong to exactly the same groups. A 'group fingerprint' can thus allow websites to identify previously anonymous visitors. They describe the setup and all details and the results look very interesting. They also have a live demo for the social network Xing that was able to de-anonymize me."

First Post

[Ethanol-fueled]

Fuck social networks.

Re:

[NSN A392-99-964-5927]

Fuck social networks.

This is why slashdot needs to close their facebook account.

An anonymous reader?

[Tyir]

Probably not so anonymous anymore!

Nothing new

[stephanruby]

There is nothing new about this. This is what any human being (a PI, or a stalker) would intuitively try to do. This is just streamlining and automating that process.

Re:Nothing new

[AHuxley]

IP can change, country can change, name can change.
But if your the user with a Mac, version 2.0.1b of a browser posting to a small interest section, this would be great to find you again and your new set of friends.
Thats why you never go back to the same sites if people are interested in you.

Re:

[Mashdar]

Or update your f*ing browser.

Re:

[The Wild Norseman]

Thats why you never go back to the same sites if people are interested in you.

Then how do I get any dates from eHarmony?

Re:

[Hurricane78]

Thats why you never go back to the same sites if people are interested in you.

Only on Slashdot is this not modded as “Funny”...

Misleading description of what they're doing

[Anonymous Coward]

A more accurate one, if I am RTFA right, is "by trawling through the browser history of visitors to a site it is possible to distinguish one from another so long as the user uses and regularly visits the group pages of select social networking sites and never clears their history". At most it seems to allow them to compare the "groups" pages you have visited on, say, Facebook and possibly identify which FB user you are using that information.

I see nothing to suggest that this helps them to identify who you

Solution: Never join any groups

[Anonymous Coward]

Just try to de-anonymize the antisocial network!

Re:

[daveime]

Billy No-Mates, is that you ?

Can I get a big who cares?

[Eskarel]

So basically if

1. An attacker indexes the entire user list and group memberships of a social networking sites.
2. You regularly visit a large number of the groups you belong to on said social networking site so that their url paths are in your history.
3. You're the only person who uses your PC to log onto said social networking site.
4. You visit a malicious website using this technique.

then an attacker might be able to work out the name you use on that social networking site?

Why would anyone bother. Indexing facebook would take quite a bit of time and resources and at the end of it you'd have something which might or might not be someones real name. Even if it is their real name, what exactly are you going to do with it? So you've unmasked(maybe) the name(maybe) of someone who visited your site. It's not going to give you anything else useful unless you combine it with some other attack vector which could quite easily pick up their real name for free anyway.

I suppose you could use it to set up a honey pot site for people with certain beliefs or interests and use it to accumulate a list of people with those beliefs or interests, but to be honest, you'd probably do better social engineering their ISP to get their account details.

Re:

[AHuxley]

It could be about the connections. If you get an ip and raid a house you get 1 person and a clean computer. They alert their friends and its all over.
With this you get the friends of friends and their interests.
The ability to play an eco nut, poker fan, open source gamer or other 'lifestyle' undercover is very tempting.
Over time they build a relationship and might get invited in.

Re:

[Anonymous Coward]

I suppose you could use it to set up a honey pot site for people with certain beliefs or interests and use it to accumulate a list of people with those beliefs or interests

You mean, like, a social networking site?

Re:

[Eskarel]

This was sort of my point. What on earth can they do with this?

Uh, no thanks...

[__aaclcg7560]

I prefer not to de-anatomized all the Anonymous Cowards. Neutered them, sure. Let's leave it at that.

Re:

[Fred_A]

I prefer not to de-anatomized all the Anonymous Cowards.

I think it's time anonymous users were de-anathemized.

Summary is wrong; idea is worthless

[michaelmalak]

The summary is incorrectly worded. It should read "Contrasted with the EFF's..."

But worse than that, the paper itself is horribly written, especially the abstract. The threat presented is not de-anonymization within the social network (since usually most profiles are real people anyway) but rather de-anonymization of visitors to arbitrary websites if those visitors also have social networking URLs in their browser history.

Now, the big privacy hole here is browser history stealing [blogspot.com], which is four years old. All this paper does is refine this mountain of privacy-invading information using social networking URLs that might be found there.

Re:

[Anonymous Coward]

History stealing is even older than Jeremiah Grossman's blog posting, he also simply copied the idea: this design flaw was reported in bug tracking system of Mozilla (Netscape) back in 2000, the longest discussion in the system is from 2002 (http://bugzilla.mozilla.org/show_bug.cgi?id=147777 [mozilla.org]).

If you read the article, they clearly state that history stealing is a well-known technique, they just use it in a different setting to be able to find out the "group fingerprint".

Re:

[ArsenneLupin]

the longest discussion in the system is from 2002 (http://bugzilla.mozilla.org/show_bug.cgi?id=147777 [mozilla.org]).

Actually, an even earlier discussion can be found here: https://bugzilla.mozilla.org/show_bug.cgi?id=57351 [mozilla.org]. And that one is probably not the oldest one either...

Re:

[pipatron]

Which is why browsing with NoScript should be mandatory and why we should try to stop webmasters from using unnecessary javascript on their websites.

(Oh, and please stop mocking those of us that takes basic security precautions.)

Re:

[ciderVisor]

(Oh, and please stop mocking those of us that takes basic security precautions.)

[Nelson Muntz] Ha ha ! [/Nelson Muntz]

Re:

[maxume]

CSS can be used to execute the same sort of attack.

Re:

[zdzichu]

The whole site and paper looks like an attempt at marketing Xing. I never heard of this site before, now it's on the news.

Re:

[camperslo]

The whole site and paper looks like an attempt at marketing Xing.

It's a clever trick to profile the Slashdot crowd, known for penguin worship, frequently known to follow radical publications (Periodic Table, Bill of Rights, Wikipedia...), secretly behind tech controversies (Do triodes or tetrodes sound better??)...

Re:

[Doctor O]

Xing has over 8 million members and is the #1 B2B social network in Europe. It isn't irrelevant or exotic just because you haven't heard of it. Duh. Yes, I'm a member. Yes, I made quite a nice amount of business (=money) because of Xing.

http://corporate.xing.com/english/company/ [xing.com]

Before they rebranded it, it was called OpenBC (Open Business Club). Maybe you've heard of that. ;)

Re:

[paleshadows]

Not sure why you think it's worthless. Like you say, the paper shows that browser-history-stealing can be exploited in a new way, allowing any web site to uniquely identify those who actively participate in social networks. All people who fall under the latter category (presumably very many) are affected, and I imagine quite a few of them do not wish to be identified. So why is this worthless?

Re:

[michaelmalak]

How about all the other things that can be found in one's browser history, such as Google searches, or, say, one's own name on some websites, such as Facebook when viewing one's own profile?

Re:

[paleshadows]

How about all the other things that can be found in one's browser history, such as Google searches, or, say, one's own name on some websites, such as Facebook when viewing one's own profile?

I think you don't get it. The same-origin principle [wikipedia.org], enforced by all contemporary browsers, prevents sites from just querying the history. Thus, an arbitrary site is by no means able to just view the user's Google searches or Facebook profile from the browser's history, contrary to what you seem to suggest.

The problem is that it's very, very hard to truly enforce 100% of the same-origin principle. Some limited information might leak due to side channels. For example, an attacker can try to find out if th

Fonts, Plugins, History... why?

[advocate_one]

Having gone on that panopticlick site and discovered that my browser was unique amongst some half million visitors... I was shocked that my browser was blabbing about what fonts were on my system... Why on earth would a browser transmit the list of installed fonts at all? All it needs locally are a set of alternatives, ie. if page says this font, then use this local font... wasn't that the entire point of the webfonts package?

similarly, the plugins list... another thing that doesn't need to be sent out by the browser...

Firefox devs, you listening here? these do not need to be transmitted so block them...

anyone know of a plugin that blocks them?

and why on earth is it possible to sniff the history list???

Re:Fonts, Plugins, History... why?

[macraig]

You're barking up the wrong tree: you should be screaming at the JavaScript wizards, I think.

Re:Fonts, Plugins, History... why?

[zwei2stein]

Your font list is reported by flash and java. Your browser is innocent of this. Disabling flash & java goes long way to make your system information less accessible.

Sniffing history is basic feature of xhtml/css, price you pay for selectors. a:visited (background-image:"slashdotorg.png") && boo! [shasldot.org] - if you go to my site, you will request specific image and i can see it in logs, boom, i know you were to slashdot.

Re:

[grumbel]

That should be easy to fix, shouldn't it? Just fetch all images from the CSS instead of doing it on demand.

Re:

[netsharc]

Annoying design trade-off, fetching all images specified in CSS will waste a lot of bandwidth, sure for a lot of desktop people bandwidth is fast and cheap, but mobile and modem users might not like the idea that much. (In Australia they still have x GB monthly limits on broadband!).

Also, I can foresee another trick: ok, the browser fetches all images, rendering my log examination useless. So now I can write a Javascript function that checks whether a particular element has this particular background image,

In similar ways you can detect font w/o Flash/Java

[Animaether]

Your selectors example can be used similarly for font detection. Set up CSS with a particular font - fall back to a standard font with known metrics. Once the page is rendered, use javascript to get the metrics of e.g. the block element you stuck the text in, and you can determine with fair certainty that the user either has that font, or doesn't. Obviously user CSS overriding things, scripting getting blocked, etc. thwart this - but that's not going to be the vast majority of users.

Re:

[pjt33]

I saw the Java plugin fire up when I visited the Panopticlick site. It contains an applet.

Re:

[ArsenneLupin]

Sniffing history is basic feature of xhtml/css, price you pay for selectors. a:visited (background-image:"slashdotorg.png")

Why not load a:visited images unconditionally (even when they aren't displayed)? And why allow getComputedStyle on elements whose rendering depends on :visited?

Re:

[equivocal]

browser.display.use_document_colors defeats background-image in firefox. At least I think that's the correct one. Whatever it is, it's user accessible through the gui prefs interface. There may be some side-effects, like not being able to buy from amazon.com, but they're pretty insignificant.

Re:

[Anonymous Coward]

"anyone know of a plugin that blocks them?"

NoScript blocks Javascript which in turn blocks most of these queries.

Still says I'm 1 in 200.000. Probably due to running Ubuntu. I'd have to manipulate my HTTP headers to something very common to counter that. No idea if there's an add-on that does that ... or what value to use.

Add Flashblock if you want to control the execution of Flash independently (e.g. allow JavaScript but only run one of the flash applets, like the video but not all those add/tracker applet

Re:

[advocate_one]

I was running with noscript, flashblock and adblock... mind you, I think I had noscript set not quite so strictly... and clicked on the flash blocked box thinking it needed clicking on for the site to work...

Re:

[pipatron]

"anyone know of a plugin that blocks them?"

NoScript blocks Javascript which in turn blocks most of these queries.

Still says I'm 1 in 200.000. Probably due to running Ubuntu. I'd have to manipulate my HTTP headers to something very common to counter that. No idea if there's an add-on that does that ... or what value to use.

Add Flashblock if you want to control the execution of Flash independently (e.g. allow JavaScript but only run one of the flash applets, like the video but not all those add/tracker applets).

Not many people disable javascript, that's just one more thing to make you more unique.

And there is a big drawback from changing your headers: You're no longer advertising a free operating system. I was thinking of changing my signatures, but I figured that I would rather like webmasters to know that they have linux users as well.

.. And last, if I'm not mistaken, NoScript lets me enable individual flash applets on a page, at least I can do that and I don't have Flashblock.

Re:

[icebraining]

Not many people disable javascript, that's just one more thing to make you more unique.

Yes, but you replace many bits of data (plugin list, fonts, etc) with a single information, so it's probably better either way.

Re:Fonts, Plugins, History... why?

[StripedCow]

Even more horrifying: in my case, my local username was part of the information that panopticlick found... the reason was that one of the plugin binaries was in a subdirectory of my homedir, and its path contained my username, and apparently the path of that binary was sent out by firefox. However, I'm not sure if the fault lies with firefox or with the particular plugin (citrix receiver for linux). Probably the latter, because in the plugin-box, it identifies itself with its full path.

Re:

[osu-neko]

This is one of the reasons why, on my Windows box, my local username is "root". If it gets embedded somewhere, this doesn't tell people much. (Just to add to the confusion, it's a normal user account, not an "administrator".)

Re:

[Anonymous Coward]

Easy remedy:
about:config

plugin.expose_full_path Standard boolean false.

I bet yours is set to true.

Re:

[JackieBrown]

It tells you were the blame is on that site.

For example my IE at work reads
Marlett, ..., Kanafont, Eurofont (via Flash)

My opera on my USB device with flash and javiscript disabled give almost no information other than the useragent (and that user-agent is not as detailed rich as my IE one.)

What about loners?

[macraig]

Brilliant plan, guys... except you still left one variable unknown: the aloof guy who doesn't belong to any groups. How do you pick him out of the crowd when he's not in it to begin with? Those aloof loners are always the ones we should be worrying about, right? That's what the movies always say.

Re:

[AHuxley]

They slip up during car trips and are spotted by local cops.
Or buy 10X the normal amount of a substance and the local supplier pulls the FBI card as they are a upstanding citizen or are owned by the feds.
The smart ones make their own, but then it is always the essay to trip them up.

Re:

[countertrolling]

That already happens now. Been that way for years. People without a traceable history, for example a credit history, or a small stack of credit cards, a job, etc., receive all sorts of "special" treatment at the border, made even worse in today's hysterical times. Yes, not having a file makes you very suspicious indeed. Upon its discovery, one will be created automatically for you. Those without facebook accounts clearly have something to hide. It will be mandatory real soon now. - Papers please -

Xing?

[93 Escort Wagon]

They (the authors) keep mentioning it in the same breath as Facebook, Twitter, and LinkedIn - but I've never heard of it (I realize that may not necessarily mean anything). It also seems a bit odd to see the BSD demon in one of the article graphics. I can't help but wonder if this was posted to actually discuss an attack vector against social networking sites, or if it was really some weird attempt to promote some GNU/Free social networking club.

Anyway, it seems to me that demoing a practical de-anonymization of a Facebook user or a LinkedIn profile would be more interesting.

Re:Xing?

[thePowerOfGrayskull]

I was wondering the same. Having never heard of xing, I went to its web site and learned that it's a "global network of professionals" that boasts "over 8 million members".

Xing membership is a fraction of facebook, linkedin, et al. I would have to assume that it's going to be easier to "fingerprint" users of Xing when they have such a relatively small userbase. TFA doesn't say that their method works anywhere else either (though they imply that it could...); further they specify it only works for people in groups. This reduces the population of 8 million down to 1.7 million by itself. How many of those belong to just 1 or 2 groups, in which you might expect to find a high degree of overlap?

Re:

[that this is not und]

I have always been of the impression that Xing was a chat site for adolescent girls.

Re:

[LKM]

Xing is a German site similar to LinkedIn. It's quite popular in Europe. Nothing to do with BSD, GNU or anything else along those lines.

False belief work both ways.

[Anonymous Coward]

Just as people who don't take privacy seriously aren't really anonymous, people who think that these revelations actually make people not anonymous online helps cater to said false belief, and keeping true Anonymous Cowards (who has the smarts to either not register on networking sites, or register with different false data on separate sites) safer, for the moment.

Posted as Anonymous Coward for obvious reasons.

Re:

[osu-neko]

...register with different false data on separate sites

This attack allows for a bit of quasi-de-anonymizing in this case. It doesn't tell you that user "vikingsfan" is real life Eric J. Andersen of Frostbite Falls, MN, but it does tell you that "vikingsfan" on the site is none other than "hockeypuck" on site B, who is also the same person as "moosehead" on site C, etc.

This sounds trivial, but it's of interest to some of us who may not want people on site A to know who we are on site B, when site A is an important social locale for us, even if no one on site A

I'd be more interested if...

[Dupple]

... they could find a way to De-annoying people on social networks

uhh, why?

[TechnoVooDooDaddy]

All you have to do is post a stupid little survey to Facebook and millions of idiots will fill the silly thing out giving you their mother's maiden name, street they grew up on, and last 4 digits of their social security in return for generating a few sentences of nonsense.

Use multiple pseudo-identities

[davidwr]

Next Slashdot poll:

I have N Facebook accounts, where N is:
*1-4
*5-9
*10-19
*20-29
*30-39
*41 or more
*I just "borrow" one of CowboyNeal's
*My probation officer won't let me use Facebook, you insensitive clod!

Lame Theory

[duggaman57]

If I have a Social Networking account tied to the real me, and then I go and create an anonymous Social Networking page, do you really think I'm going to take the time to replicate all of my "groups" and things that would otherwise be on my primary profile? I obviously have something to hide, so this theory is bunk and not relevant.

Misleading summary

[argent]

I don't think this is what the tool is designed for. If you read the paper, you'll see that all they'd get would be a list of groups that either of your identities were members of.

What this is for is to match identities at different sites. To tell what Facebook account Candidate@LinkedIn is using... you get Candidate@LinkedIn to visit a site (hey, send your resume to http://example.com/5jh332 [example.com] and it'll go right past HR) and hit him with a Facebook tracer while he's filling out the resume. Now you know that

Took 'em long enough.

[Proteus Child]

It's amazing how long it took the private sector to rediscover good, old-fashioned intelligence analysis.

I feared this day will come.

[RyuuzakiTetsuya]

There's a reason why I joined a Young Communists group on Facebook and friended the GOP on MySpace...

opting out of social networking

[Fuji Kitakyusho]

A few weeks ago, I viewed a video interview with Facebook founder Mark Zuckerberg. In the interview, he stated that privacy simply doesn't exist anymore, or rather, that the world will need to get used to a "new standard" of privacy in context to online networking. That statement alone was sufficient impetus for me to purge my Facebook acount (I let it sit empty for a few weeks, then deleted it), as well as all other social networking profiles that I irresponsibly let sit on the web, as the statement is i

Privacy Law

[Benjamin_Wright]

Privacy law [typepad.com] often says (roughly) that personally identifiable information needs to be protected. But this research calls into question whether we can define personally identifiable information in a legally-meaningful way. All information related to a person can contribute to identifying the person.