Web sites that strip personally identifiable information about their users and then share that data may be compromising their users’ privacy, according to researchers at the University of Texas at Austin.
They took a close look at the way anonymous data can be analyzed and have come to some troubling conclusions. In a paper set to be delivered at an upcoming security conference, they showed how they were able to map out the connections on public social networks such as Twitter and Flickr. They were then able to identify people who were on both networks by looking at the many connections surrounding their network of friends. The technique isn’t 100 percent effective, but it may make some users uncomfortable about whether they should allow their data to be shared in an anonymous format.
Web site operators often share data about users with partners and advertisers after stripping it of any personally identifiable information such as names, addresses or birth dates. Arvind Narayanan and fellow researcher Vitaly Shmatikov found that by analyzing these “anonymized” data sets, they could identify Flickr users who were also on Twitter about two-thirds of the time, depending on how much information they have to work with.
“A lot of the time people will share information online and they’ll expect that they are anonymous,” Narayanan said in an interview. But if their identity can be ascertained on one social network, its possible to find out who they are on some other network, or at least make a “strong guess,” he said.
They do this not just by looking at one person’s immediate circle of friends, but by analyzing the patterns in the connections between all friends on the social network. “The more of a person’s network you can map out, the easier it gets to de-anonymize someone in the future, wherever they might go,” he said.
In 2006, hoping to give search researchers a useful tool, AOL released a database of more than 650,000 user search records. Although this data was scrubbed, it didn’t take long for the New York Times to identify one user based on her search queries, showing how supposedly anonymous data could be used to identify people.
The technique described by the University of Texas researchers could be used by government agencies looking to do surveillance or by online marketers or even scammers who want to target people with their messages. And it doesn’t only apply to social networks. This method could be used to identify users in databases of phone calls too, the researchers say.
Narayanan and Shmatikov used similar techniques two years ago to show how they could identify Netflix users by comparing the anonymous movie rating data released by Netflix with publicly available reviews posted to the Internet Movie Database.
The research also has implications for privacy policies on social networks, which share information on users, but with personally identifiable information such as names removed. According to Narayanan and Shmatikov, current techniques simply do not make people anonymous.
“Social-network operators should stop relying on anonymization as the ‘get out of jail’ card insofar as user privacy is concerned,” they write on their Web site. “They should inform users when their information is disclosed to third parties, even if this information has been anonymized, and give them the opportunity to opt out.”