"Pardon me, your metadata is showing."
July 26, 2011 6:38 PM Subscribe
Thinking out loud - after reading many articles on the G+ naming problem, it occurred to me all the myriad ways that someone using a pseudonym could accidentally expose their real name.
My traditional field is records management, so I am keenly aware of the ways privacy might be violated online and offline (and have seen several real life examples of such). I have also seen the pseudonyms of some people fall apart on forums and such.
Some examples I have come up with are:
BTW, while I am normally an optimistic person, I'm pessimistic about privacy. I tend to think that it is mostly an illusion or never existed to begin with. Not sure why I think this way, but maybe it's because my brother snooped through my diary as a kid ;-)
My traditional field is records management, so I am keenly aware of the ways privacy might be violated online and offline (and have seen several real life examples of such). I have also seen the pseudonyms of some people fall apart on forums and such.
Some examples I have come up with are:
- WHOIS search where privacy protection has not been purchased
- Metadata in Office documents that include someone's "real name"
- Geotagged photos
- Receipts with a "real name" on it, either paper or electronic
- Using the same username across various sites
- A computer named the same as the secret name
BTW, while I am normally an optimistic person, I'm pessimistic about privacy. I tend to think that it is mostly an illusion or never existed to begin with. Not sure why I think this way, but maybe it's because my brother snooped through my diary as a kid ;-)
Response by poster: Interesting! I didn't realize that. Thanks.
posted by Calzephyr at 7:00 PM on July 26, 2011
posted by Calzephyr at 7:00 PM on July 26, 2011
Email aliases, preferences, auto-reply, or automatic signatures.
Also, people knowing your 'handle' and telling others. That's decidedly low-tech, but really common and completely out of one's control.
posted by iamkimiam at 7:29 PM on July 26, 2011 [1 favorite]
Also, people knowing your 'handle' and telling others. That's decidedly low-tech, but really common and completely out of one's control.
posted by iamkimiam at 7:29 PM on July 26, 2011 [1 favorite]
Also, people knowing your 'handle' and telling others.
AKA, Sneakernet, a notoriously foetid p2p network.
posted by carsonb at 7:31 PM on July 26, 2011 [1 favorite]
AKA, Sneakernet, a notoriously foetid p2p network.
posted by carsonb at 7:31 PM on July 26, 2011 [1 favorite]
Response by poster: Ha! I have never heard of the term sneakernet, and I thought I was pretty nerdy :-)
posted by Calzephyr at 7:40 PM on July 26, 2011
posted by Calzephyr at 7:40 PM on July 26, 2011
Response by poster: Iamkimiam, you are definitely right. One thing I have been trying to mention is how out of control one's information really can be, whether it's Mom telling Aunt Gertie something to a company handling your data.
Even the most carefully crafted privacy policy is only as good as the people who abide by it or have been trained to abide by it. My parents had a problem with a building contractor last year, and I was really surprised at how easy it was to get their work order number just by calling up and saying "I'm calling on behalf of my parents, they're seniors..." with no other verification required :S
posted by Calzephyr at 7:43 PM on July 26, 2011
Even the most carefully crafted privacy policy is only as good as the people who abide by it or have been trained to abide by it. My parents had a problem with a building contractor last year, and I was really surprised at how easy it was to get their work order number just by calling up and saying "I'm calling on behalf of my parents, they're seniors..." with no other verification required :S
posted by Calzephyr at 7:43 PM on July 26, 2011
Best answer: Are you looking just for metadata issues, or are user "error" issues interesting too? "Using the same username across various sites" seems to be leaning that way, so...
One example would be incautious linking to web presence elsewhere. If I link to one of my Flickr photos in a question - "what's this bug?" or "look at my pet porcupine!" - I'll be decloaking. But precisely because this is the only place on the web where I go by a pseudonym, it would be easy to forgetfully do that. I'm not in the habit of remembering to guard my name.
Another would be mentioning personal details that can be associated elsewhere with your true identity. If you say on here that you have a cat called Claudius and, separately, that you moved to NYC from Tulsa, then your Flickr photos of Claudius the cat geotagged with Tulsa and the photos of the fantastic view from your new office in NYC might be enough to identify you.
Along similar lines, unique turns of phrase can identify you. If you talk about your favourite pastime, "the daredevil art of pastry-making", both here and on your blog... that's an uncommon enough turn of phrase to make it easy to link the two.
posted by ManyLeggedCreature at 7:48 PM on July 26, 2011 [3 favorites]
One example would be incautious linking to web presence elsewhere. If I link to one of my Flickr photos in a question - "what's this bug?" or "look at my pet porcupine!" - I'll be decloaking. But precisely because this is the only place on the web where I go by a pseudonym, it would be easy to forgetfully do that. I'm not in the habit of remembering to guard my name.
Another would be mentioning personal details that can be associated elsewhere with your true identity. If you say on here that you have a cat called Claudius and, separately, that you moved to NYC from Tulsa, then your Flickr photos of Claudius the cat geotagged with Tulsa and the photos of the fantastic view from your new office in NYC might be enough to identify you.
Along similar lines, unique turns of phrase can identify you. If you talk about your favourite pastime, "the daredevil art of pastry-making", both here and on your blog... that's an uncommon enough turn of phrase to make it easy to link the two.
posted by ManyLeggedCreature at 7:48 PM on July 26, 2011 [3 favorites]
Someone once asked me to stalk him and try to figure out his real name. I could see from his email headers that he sent mail from a certain small company, so I googled for people who worked at that company and seemed to be in the same field as him. I had to try about four or five names before I found his.
posted by novalis_dt at 7:50 PM on July 26, 2011 [1 favorite]
posted by novalis_dt at 7:50 PM on July 26, 2011 [1 favorite]
Response by poster: ManyLeggedCreature, I'm looking for just about anything which could be user error or a metadata problem. Both methods are usually do to a lack of technical understanding or just plain whoopsies.
The pet example is great actually for another reason. If your pet is uniquely named, it's possible someone could use that as a clue.
I'm not very good at picking up people's writing styles online, but yes, I know of some cases on forums where someone "left forever" and came back with a different username and were outed right away. Another good example!
posted by Calzephyr at 7:53 PM on July 26, 2011
The pet example is great actually for another reason. If your pet is uniquely named, it's possible someone could use that as a clue.
I'm not very good at picking up people's writing styles online, but yes, I know of some cases on forums where someone "left forever" and came back with a different username and were outed right away. Another good example!
posted by Calzephyr at 7:53 PM on July 26, 2011
I've seen people reveal themselves accidentally by posting a link to a photo or file where the file structure included part of their name.
posted by Vectorcon Systems at 7:56 PM on July 26, 2011 [1 favorite]
posted by Vectorcon Systems at 7:56 PM on July 26, 2011 [1 favorite]
Links to user profiles can often be found in the source code of blogs hosted by Blogger—even if the user has removed any visible links to the profile.
posted by Knappster at 7:58 PM on July 26, 2011 [2 favorites]
posted by Knappster at 7:58 PM on July 26, 2011 [2 favorites]
Best answer: My favorite social networking face-palm moment is when people sign up for services "anonymously" and are then flummoxed when the service seems to "know" who they are; in truth, they're not anonymous, they're pseudonymous, and they've signed up under their real main email address.
Another giveaway is birthdays - obviously, they can really only be used for a final confirmation of identity when other details match, but that's occasionally useful.
posted by lesli212 at 8:03 PM on July 26, 2011
Another giveaway is birthdays - obviously, they can really only be used for a final confirmation of identity when other details match, but that's occasionally useful.
posted by lesli212 at 8:03 PM on July 26, 2011
Best answer: Oh, if you know somebody's handle, you can put it into usernamecheck and see where else they are and dig there. Or, better yet, attach @gmail.com (or hotmail or yahoo or whatever) to their handle and send them money through Paypal!
posted by iamkimiam at 8:12 PM on July 26, 2011 [3 favorites]
posted by iamkimiam at 8:12 PM on July 26, 2011 [3 favorites]
Oh, another unconventional one I read about was tracking the timing of information as published across different web outlets. That's part of how the HBGary guy was supposedly going to "out" anonymous. He had this idea that he'd be able to match links and info discussed on IRC channels with the same info as published soon after via various Twitter accounts. To me, he seemed overconfident in his assumptions (and of course, there was the matter of him being completely pwned), but I think there's potential in his idea.
posted by lesli212 at 8:13 PM on July 26, 2011 [1 favorite]
posted by lesli212 at 8:13 PM on July 26, 2011 [1 favorite]
Best answer: And, I forgot the first thing that I was going to say, which is that having online friends who freely share their info and link to your pseudonym in meatspace (which was another HBGary strategy) is another way a real identity can be exposed.
(As in, "userxyz" is known to be the Sysadmin for "blah3234" aka Bob Smith who works at Cyberdyne... then work backwards.)
posted by lesli212 at 8:17 PM on July 26, 2011 [1 favorite]
(As in, "userxyz" is known to be the Sysadmin for "blah3234" aka Bob Smith who works at Cyberdyne... then work backwards.)
posted by lesli212 at 8:17 PM on July 26, 2011 [1 favorite]
Best answer: I tracked down a person's real name on OK Cupid because they used a headshot that had the photographer's name watermarked on it. I went to the photographer's website, found the same shot and the guy's name was attached to it and from there it was easy to find his website.
Sometimes police will come into the library with someone's wallet and ask for the user's phone number/address from their library card. Privacy policies strictly forbid giving out this sort of information, but sometimes people do anyhow because, hey they're cops.
After my dad died, I had to cancel or downgrade a lot of the stuff he paid for. A few places were like "bla bla bla fax us the death certificate" However I found that since I knew the answers to all his sekrit questions, I could usually IM with a rep online (who didn't know he had died) who would just do whatever I needed right then, assuming I was him.
You might also enjoy this from MeFi days of yore where small bits of data are no thing, but aggregated they become quite a bunch of identifiable stuff.
And, in the combinatorial realm, in the days of reading servers web logs, I found that you could often identify a person by a combination of their IP address [giving rough geographic location sometimes] and their machine configuration [combination of browser and flavor of linux] so if you wanted to see if some cute guy was reading your website, you could send him a link to a picture hosted on your server, check his "footprint" of the person that hit that image (which you'd only given to one person) and then you'd know whenever he was looking at any page on your website in the future, and which ones.
When I used to work for an ISP, you could have your reverse-DNS set up custom with your DSL so you could see your username in the logs, or it would say whatever you wanted. So where your ip would be 1.2.3.4 the reverse would be like 4.3.2.1-jessamyn or 4.3.2.1-quitspying something (I forget exactly how it worked, but we loved messing with it on our own DSL connections)
I talk about digital privacy a lot with librarians since we have privacy laws at a state level in the US that are fairly strict, for public libraries. At the same time, I think people don't totally understand the geotagged photo thing ["here is a picture of me with my dick out on guyswithiphones.com What do you mean it contains directions to my apartment??"] and the example that is easy to explain is PleaseRobMe not for usernames exactly, but for triangulating data in a way that is easy for computers, less easy for humans.
posted by jessamyn at 8:29 PM on July 26, 2011 [6 favorites]
Sometimes police will come into the library with someone's wallet and ask for the user's phone number/address from their library card. Privacy policies strictly forbid giving out this sort of information, but sometimes people do anyhow because, hey they're cops.
After my dad died, I had to cancel or downgrade a lot of the stuff he paid for. A few places were like "bla bla bla fax us the death certificate" However I found that since I knew the answers to all his sekrit questions, I could usually IM with a rep online (who didn't know he had died) who would just do whatever I needed right then, assuming I was him.
You might also enjoy this from MeFi days of yore where small bits of data are no thing, but aggregated they become quite a bunch of identifiable stuff.
And, in the combinatorial realm, in the days of reading servers web logs, I found that you could often identify a person by a combination of their IP address [giving rough geographic location sometimes] and their machine configuration [combination of browser and flavor of linux] so if you wanted to see if some cute guy was reading your website, you could send him a link to a picture hosted on your server, check his "footprint" of the person that hit that image (which you'd only given to one person) and then you'd know whenever he was looking at any page on your website in the future, and which ones.
When I used to work for an ISP, you could have your reverse-DNS set up custom with your DSL so you could see your username in the logs, or it would say whatever you wanted. So where your ip would be 1.2.3.4 the reverse would be like 4.3.2.1-jessamyn or 4.3.2.1-quitspying something (I forget exactly how it worked, but we loved messing with it on our own DSL connections)
I talk about digital privacy a lot with librarians since we have privacy laws at a state level in the US that are fairly strict, for public libraries. At the same time, I think people don't totally understand the geotagged photo thing ["here is a picture of me with my dick out on guyswithiphones.com What do you mean it contains directions to my apartment??"] and the example that is easy to explain is PleaseRobMe not for usernames exactly, but for triangulating data in a way that is easy for computers, less easy for humans.
posted by jessamyn at 8:29 PM on July 26, 2011 [6 favorites]
I am just curious - what is the "G+ naming problem"?
posted by Conrad Cornelius o'Donald o'Dell at 8:39 PM on July 26, 2011
posted by Conrad Cornelius o'Donald o'Dell at 8:39 PM on July 26, 2011
Response by poster: Oh, sorry Conrad...I should have linked to something. G+ prefers that you use your "real name" but people who go by mononyms, non-English names, initials, pseudonyms and online handles are finding that that their accounts are being suspended. Here's one survey of types of suspended names.
posted by Calzephyr at 8:46 PM on July 26, 2011
posted by Calzephyr at 8:46 PM on July 26, 2011
Response by poster: Jessamyn, I'm just about to go to bed, but yes, the geotagging is a big thing that people don't realize is going on. I didn't even realize it until I went to a presentation by a digital forensics expert. They were able to use geotagging to find out what a woman suspected of embezzling was spending the money on. It turned out to be a new mansion, thanks to photos and co-ordinates.
posted by Calzephyr at 8:48 PM on July 26, 2011
posted by Calzephyr at 8:48 PM on July 26, 2011
Best answer: Some specific things I've run into:
* I used an old instant messaging account (in a rather embarrassingly nerdy past on the internet) and connected it with my real name in one forum post, which I can now not edit because I can't regain access to the forum account anymore.
* Many people post their resumes online, and you can cross-check these with other facts (places lived, degrees, interests, guesstimate age, phone number, address, email address) to find a person's pseudonyms or vice versa.
* When World of Warcraft login info got collapsed into a greater Battle.net portal for all Blizzard games, people from my Facebook suddenly started friending me in game because both used the same email account. By knowing the real me, they had access to the names of my game characters, some of which are private pseudonyms reused elsewhere disassociated with my real name. This was really unexpected since I've always put my facebook at the highest levels of privacy - it was, if I recall correctly, a setting on the Battle.net portal.
* TinEye does reverse look-up via an image (Google seems to have added something similar that might give better results). If you uploaded an image to your public flickr, and also sent it to people from a pseudonym, TinEye be able to point people to your flickr if they search for that image - so long as you don't crop it or distort it (I think).
posted by subject_verb_remainder at 12:08 AM on July 27, 2011 [1 favorite]
* I used an old instant messaging account (in a rather embarrassingly nerdy past on the internet) and connected it with my real name in one forum post, which I can now not edit because I can't regain access to the forum account anymore.
* Many people post their resumes online, and you can cross-check these with other facts (places lived, degrees, interests, guesstimate age, phone number, address, email address) to find a person's pseudonyms or vice versa.
* When World of Warcraft login info got collapsed into a greater Battle.net portal for all Blizzard games, people from my Facebook suddenly started friending me in game because both used the same email account. By knowing the real me, they had access to the names of my game characters, some of which are private pseudonyms reused elsewhere disassociated with my real name. This was really unexpected since I've always put my facebook at the highest levels of privacy - it was, if I recall correctly, a setting on the Battle.net portal.
* TinEye does reverse look-up via an image (Google seems to have added something similar that might give better results). If you uploaded an image to your public flickr, and also sent it to people from a pseudonym, TinEye be able to point people to your flickr if they search for that image - so long as you don't crop it or distort it (I think).
posted by subject_verb_remainder at 12:08 AM on July 27, 2011 [1 favorite]
Response by poster: I haven't ever had much luck using TinEye to see where my images are ending up (I'm a photographer and artist) but I can see where that would be another way of searching. Sometimes I have noticed that people use the same profile pic across sites, so that has been a clue for me. It is amazing where you bump into people online you know in real life!
Your comment about the Battle.net setting makes me wonder why sites, instead of presenting a privacy policy that makes one's eyes glaze over, instead present a checklist of things to do to make sure you aren't showing your info. That would be a huge usability gain.
posted by Calzephyr at 5:34 AM on July 27, 2011
Your comment about the Battle.net setting makes me wonder why sites, instead of presenting a privacy policy that makes one's eyes glaze over, instead present a checklist of things to do to make sure you aren't showing your info. That would be a huge usability gain.
posted by Calzephyr at 5:34 AM on July 27, 2011
Response by poster: I'll have to look up HBGary, lesli212...I haven't heard of him. There really is no end to the creative thinking people come up with to find something out. I used to catalog photos and had to identify buildings, plants, animals, etc and sometimes it was just luck that I would hit on the correct thing, or a series of detective methods.
posted by Calzephyr at 5:39 AM on July 27, 2011
posted by Calzephyr at 5:39 AM on July 27, 2011
The definitive HBGary roundup is, of course, from Metafilter.
posted by lesli212 at 12:18 PM on July 27, 2011 [1 favorite]
posted by lesli212 at 12:18 PM on July 27, 2011 [1 favorite]
Best answer: I've seen people post screenshot images to forums not realizing that identifying information was visible in the image. Things like their email address or different usernames showing up on a tab in their browser or on a program on the task bar.
posted by des at 4:49 PM on July 27, 2011 [1 favorite]
posted by des at 4:49 PM on July 27, 2011 [1 favorite]
Response by poster: Jessamyn, loved that MeTa post you linked to! That's the sort of thing that people don't realize either...with enough breadcrumbs, you can make a loaf of bread :-)
I'm sorry that your dad passed away :/ My husband probably knows the ISP trick you mentioned...I'll ask him. Great answer btw! I'm a library technician and we had no such training back in the day!
posted by Calzephyr at 7:53 PM on July 27, 2011 [1 favorite]
I'm sorry that your dad passed away :/ My husband probably knows the ISP trick you mentioned...I'll ask him. Great answer btw! I'm a library technician and we had no such training back in the day!
posted by Calzephyr at 7:53 PM on July 27, 2011 [1 favorite]
Response by poster: Ah! Now I think I remember HBGary from back in February...February was a bit nuts for me because I was wrapping up a lot of things at work before my last day there.
I've seen people post screenshot images to forums not realizing that identifying information was visible in the image. Things like their email address or different usernames showing up on a tab in their browser or on a program on the task bar.
Ah yes, a particulary bad case of the whoopsies. I have seen this happen at workplaces where someone was logged into a site they probably should not have been when they took the screencap.
posted by Calzephyr at 8:04 PM on July 27, 2011
I've seen people post screenshot images to forums not realizing that identifying information was visible in the image. Things like their email address or different usernames showing up on a tab in their browser or on a program on the task bar.
Ah yes, a particulary bad case of the whoopsies. I have seen this happen at workplaces where someone was logged into a site they probably should not have been when they took the screencap.
posted by Calzephyr at 8:04 PM on July 27, 2011
This thread is closed to new comments.
posted by jessamyn at 6:54 PM on July 26, 2011 [2 favorites]