How Your Username May Betray You

The more unusual your username, the more easily marketers and scammers can build a profile of you.

By creating a distinctive username—and reusing it on multiple websites—you may be giving online marketers and scammers a simple way to track you. Four researchers from the French National Institute of Computer Science (INRIA) studied over 10 million usernames—collected from public Google profiles, eBay accounts, and several other sources. They found that about half of the usernames used on one site could be linked to another online profile, potentially allowing marketers and scammers to build a more complex picture of the users.

“These results show that some users can be profiled just from their usernames,” says Claude Castelluccia, research director of the security and privacy research group at INRIA, and one of the authors of a paper on the work. “More specifically, a profiler could use usernames to identify all the site [profiles] that belong to the same user, and then use all the information contained in these sites to profile the victim.”

A scammer could use this information to build a profile of a person and then target them with convincing phishing messages—perhaps referring to specific purchases on another website. The INRIA researchers developed a way to determine how unique a username is, and a method of connecting usernames based on the information published to different sites.

Those who have more unique usernames are more vulnerable. “The other 50 percent of users are more difficult to link because their usernames have ‘low’ entropy and could in fact be linked to multiple users,” says Daniele Perito, a doctoral candidate at INRIA, who was involved with the work. The INRIA researchers have created a tool that can check how unique a username is, and thus how easily an attacker could use it to build a profile of a person.
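To make the entropy idea concrete, here is an added example (not the INRIA researchers' tool or code) that scores a username's surprisal in bits with a character-bigram model trained on a small constructed corpus; the model choice, the corpus and every function name are assumptions for illustration. A username that carries more bits than log2 of the population size is expected to be unique within that population, which is why it is easy to link across sites.

```python
import math
from collections import Counter, defaultdict

# Constructed sample corpus (not real data); a real estimate needs millions of names.
SAMPLE_CORPUS = [
    "john", "johnsmith", "john123", "mike", "mike1985", "sarah", "sarah22",
    "anna", "annasmith", "david", "david99", "maria", "maria2010", "alex",
    "alexander", "smith", "jsmith", "msmith", "mark", "mark123",
]
START, END = "^", "$"  # markers for the beginning and end of a username


def train_bigram_model(usernames):
    """Count character-to-character transitions over the training usernames."""
    counts = defaultdict(Counter)
    alphabet = {END}
    for name in usernames:
        chars = [START] + list(name.lower()) + [END]
        alphabet.update(chars[1:])
        for prev, cur in zip(chars, chars[1:]):
            counts[prev][cur] += 1
    return dict(counts), alphabet


def surprisal_bits(username, model, smoothing=1.0):
    """Return -log2 P(username) under the bigram model with add-one smoothing."""
    counts, alphabet = model
    vocab = len(alphabet) + 1  # one extra slot keeps mass for unseen characters
    chars = [START] + list(username.lower()) + [END]
    bits = 0.0
    for prev, cur in zip(chars, chars[1:]):
        seen = counts.get(prev, Counter())
        p = (seen[cur] + smoothing) / (sum(seen.values()) + smoothing * vocab)
        bits -= math.log2(p)
    return bits


def likely_unique(bits, population):
    """True when the username carries enough bits to single out one user."""
    return bits > math.log2(population)


if __name__ == "__main__":
    model = train_bigram_model(SAMPLE_CORPUS)
    for name in ("john", "xq7_zvk"):  # constructed test usernames
        b = surprisal_bits(name, model)
        print(f"{name}: {b:.1f} bits, unique among 10M: {likely_unique(b, 10_000_000)}")
```

With a corpus this small the absolute numbers are only illustrative; the ordering between common-looking and unusual usernames is the point.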

Researchers are exploring ways that the traces of data that people leave on different websites and devices could be combined and used to track them. A 2010 paper showed that the online groups to which people belonged could be used to infer their real identity in 42 percent of cases. Another research team found that more than half of all smart-phone apps leak unique IDs that could be used to track a user’s interests and, potentially, their location.

Building profiles of consumers using online information has already become a major industry for marketers as well as cybercriminals. Last year, for example, PatientsLikeMe.com, an online community for patients with life-changing conditions, caught marketing firm Nielsen scraping information from its users’ posts.  

Experts say users should avoid websites that openly publish their data. “It’s not surprising that people use the same username in different places,” says Avi Rubin, a professor of computer science at Johns Hopkins University who is currently on sabbatical as a Fulbright Scholar at Tel Aviv University. “What’s important is that people pick different passwords for different Internet sites, and that knowledge of their password for one site does not provide any useful clues toward deducing their passwords on other sites.”
