A team of researchers from the French National Institute of Computer Science (INRIA) has just published their study of over 10 million usernames collected from Google profiles, eBay accounts and other sources. They discovered that around half of the usernames could be linked to another matching online profile, which could enable scammers to build up a more detailed profile of individuals they wish to target.
“A scammer could use this information to build a profile of a person and then target them with convincing phishing messages—perhaps referring to specific purchases on another website,” writes TechnologyReview in response to the study.
But while this research is certainly relevant to Internet users in general, it is also of great interest to those who may be sharing files online without the copyright holder’s permission.
TorrentFreak learned last year, perhaps unsurprisingly, that anti-piracy companies are increasingly using profiling techniques to identify and track the habits of the more prolific file-sharers, in particular initial uploaders.
However, while it’s unclear to what use this gathered data is being put, we can confirm 100% that users targeted in so-called Speculative Invoicing (we caught you sharing files, pay us money to go away) campaigns are being tracked through their general Internet use and comments they have made used as leverage against them.
In several cases last year, Internet users caught up in ACS:Law’s pay-up-or-else sweep asked for advice on how to respond to the law firm using online forums. The usernames they used were not unique. In fact they corresponded perfectly with ones they used on other forums where they had been less careful about disguising who they were.
In at least one case a user even discussed downloading the material he was accused of, albeit some months earlier. In another there was general talk about file-sharing, hardly proof of infringement, but it doesn’t help a case longer term.
Another person, who contacted TorrentFreak with his plight, had previously emailed ACS:Law using the same email address. We Googled that and found a site where the person mentioned his website, which led to a WHOIS which, coupled with his forename posted freely on the forum, conveniently supplied his surname and address.
From that information we were able to discover not that he had infringed, but had just come into some money – valuable information to a law firm looking to screw someone for hard cash.
In another recent case which ended particularly badly for one confirmed file-sharer, armed with nothing but an email address and a forum post we were able to follow a trail which led into highly personal aspects of the individual’s life. Our deep suspicions, without compromising this person’s privacy further, is that this same trail was cynically exploited by copyright holders to extract a very sizeable settlement.
Today, while writing this post, we spent just an hour on a private torrent tracker researching the site’s top 20 uploaders. In 13 cases we were able to find the users on other sites, including YouTube, Last.fm, eBay and any number of non-filesharing related forums. In 4 cases we were able to quickly identify real names. Given more time the exposure would almost certainly prove greater.
As the INRIA researchers note, people using unique and easily identifiable usernames are more vulnerable to cross-site profiling. Others with common usernames are far more difficult to track down and in our quick tests we have to agree.
Try Googling your regular usernames and email addresses….
Food for thought.