By creating a distinctive username—and reusing it on multiple websites—you may be giving online marketers and scammers a simple way to track you. Four researchers from the French National Institute of Computer Science (INRIA) studied over 10 million usernames—collected from public Google profiles, eBay accounts, and several other sources. They found that about half of the usernames used on one site could be linked to another online profile, potentially allowing marketers and scammers to build a more complex picture of the users.
“These results show that some users can be profiled just from their usernames,” says Claude Castelluccia, research director of the security and privacy research group at INRIA, and one of the authors of a paper on the work. “More specifically, a profiler could use usernames to identify all the site [profiles] that belong to the same user, and then use all the information contained in these sites to profile the victim.”
A scammer could use this information to build a profile of a person and then target them with convincing phishing messages—perhaps referring to specific purchases on another website. The INRIA researchers developed a way to determine how unique a username is, and a method of connecting usernames based on the information published to different sites.
Those who have more unique usernames are more vulnerable. “The other 50 percent of users are more difficult to link because their usernames have ‘low’ entropy and could in fact be linked to multiple users,” says Daniele Perito, a doctoral candidate at INRIA, who was involved with the work. The INRIA researchers have created a tool that can check how unique a username is, and thus how easily an attacker could use it to build a profile of a person.
Researchers are exploring ways that the traces of data that people leave on different websites and devices could be combined and used to track them. A 2010 paper showed that the online groups to which people belonged could be used to infer their real identity in 42 percent of cases. Another research team found that more than half of all smart-phone apps leak unique IDs that could be used to track a user’s interests and, potentially, their location.
Building profiles of consumers using online information has already become a major industry for marketers as well as cybercriminals. Last year, for example, PatientsLikeMe.com, an online community for patients with life-changing conditions, caught marketing firm Nielsen scraping information from its users’ posts.
Experts say users should avoid websites that openly publish their data. “It’s not surprising that people use the same username in different places,” says Avi Rubin, a professor of computer science at Johns Hopkins University who is currently on sabbatical as a Fullbright Scholar at Tel Aviv University. “What’s important is that people pick different passwords for different Internet sites, and that knowledge of their password for one site does not provide any useful clues toward deducing their passwords on other sites.”