MIT Technology Review

 


By creating a distinctive username—and reusing it on multiple websites—you may be giving online marketers and scammers a simple way to track you. Four researchers from the French National Institute of Computer Science (INRIA) studied over 10 million usernames—collected from public Google profiles, eBay accounts, and several other sources. They found that about half of the usernames used on one site could be linked to another online profile, potentially allowing marketers and scammers to build a more complex picture of the users.

“These results show that some users can be profiled just from their usernames,” says Claude Castelluccia, research director of the security and privacy research group at INRIA, and one of the authors of a paper on the work. “More specifically, a profiler could use usernames to identify all the site [profiles] that belong to the same user, and then use all the information contained in these sites to profile the victim.”

A scammer could use this information to build a profile of a person and then target them with convincing phishing messages—perhaps referring to specific purchases on another website. The INRIA researchers developed a way to determine how unique a username is, and a method of connecting usernames based on the information published to different sites.

Those who have more unique usernames are more vulnerable. “The other 50 percent of users are more difficult to link because their usernames have ‘low’ entropy and could in fact be linked to multiple users,” says Daniele Perito, a doctoral candidate at INRIA, who was involved with the work. The INRIA researchers have created a tool that can check how unique a username is, and thus how easily an attacker could use it to build a profile of a person.
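To make the notion of a "low entropy" username concrete, here is an added example (not the INRIA tool, and not code from the article) that scores how surprising a username is, in bits, under a character-bigram model. The bigram model, the add-one smoothing, and the small constructed corpus are assumptions chosen for illustration; a real self-check would train on a large list of public usernames.

```python
import math
from collections import Counter, defaultdict

# Constructed sample corpus standing in for a large list of public usernames.
CORPUS = ["john", "johnny", "john123", "mike", "mike1", "anna", "anna22",
          "maria", "mario", "alex", "alexa", "sam", "sammy", "dan", "dani",
          "jane", "james", "jamie", "max", "maxi"]

START, END = "^", "$"  # markers for the beginning and end of a username


def train(usernames):
    """Count character-to-character transitions across the corpus."""
    counts = defaultdict(Counter)
    alphabet = {END}
    for name in usernames:
        chars = [START] + list(name.lower()) + [END]
        alphabet.update(chars[1:])
        for prev, cur in zip(chars, chars[1:]):
            counts[prev][cur] += 1
    return counts, alphabet


def surprisal_bits(name, model, extra_symbols=36):
    """Return -log2 P(name): higher means more distinctive, so easier to link.

    extra_symbols reserves probability mass for characters never seen in
    training, so an unusual character raises the score instead of failing.
    """
    counts, alphabet = model
    vocab = len(alphabet) + extra_symbols
    chars = [START] + list(name.lower()) + [END]
    bits = 0.0
    for prev, cur in zip(chars, chars[1:]):
        row = counts.get(prev, Counter())
        p = (row[cur] + 1) / (sum(row.values()) + vocab)  # add-one smoothing
        bits -= math.log2(p)
    return bits


MODEL = train(CORPUS)

if __name__ == "__main__":
    # Constructed usernames to score, printed from least to most distinctive.
    for candidate in sorted(["john", "mike", "zq7k", "xq7_zvk"],
                            key=lambda n: surprisal_bits(n, MODEL)):
        print(f"{candidate:10s} {surprisal_bits(candidate, MODEL):6.1f} bits")
```

A username that scores only a few bits above common names is likely shared by many people; one that scores far higher is the kind the article describes as easier to link across sites.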

Researchers are exploring ways that the traces of data that people leave on different websites and devices could be combined and used to track them. A 2010 paper showed that the online groups to which people belonged could be used to infer their real identity in 42 percent of cases. Another research team found that more than half of all smart-phone apps leak unique IDs that could be used to track a user’s interests and, potentially, their location.

Building profiles of consumers using online information has already become a major industry for marketers as well as cybercriminals. Last year, for example, PatientsLikeMe.com, an online community for patients with life-changing conditions, caught marketing firm Nielsen scraping information from its users’ posts.  

Experts say users should avoid websites that openly publish their data. “It’s not surprising that people use the same username in different places,” says Avi Rubin, a professor of computer science at Johns Hopkins University who is currently on sabbatical as a Fulbright Scholar at Tel Aviv University. “What’s important is that people pick different passwords for different Internet sites, and that knowledge of their password for one site does not provide any useful clues toward deducing their passwords on other sites.”


Credit: Technology Review

Tagged: Web, security, privacy, hackers, phishing, identity theft
