Friday, 27 March 2009

Social sites dent privacy efforts

Greater use of social network sites is making it harder to maintain true anonymity, suggests research.

By analysing links between users of social sites, researchers were able to identify many people in supposedly anonymous data sets.

The anonymised data is produced by social sites who sell it to marketing firms to generate cash.

The results suggest web firms should do more to protect users' privacy, said the researchers.

Circle of friends

Computer scientists Arvind Narayanan and Dr Vitaly Shmatikov, from the University of Texas at Austin, developed the algorithm which turned the anonymous data back into names and addresses.

The data sets are usually stripped of personally identifiable information, such as names, before it is sold to marketing companies or researchers keen to plumb it for useful information.

Before now, it was thought sufficient to remove this data to make sure that the true identities of subjects could not be reconstructed.

The algorithm developed by the pair looks at relationships between all the members of a social network - not just the immediate friends that members of these sites connect to.

Social graphs from Twitter, Flickr and Live Journal were used in the research.

The pair found that one third of those who are on both Flickr and Twitter can be identified from the completely anonymous Twitter graph. This is despite the fact that the overlap of members between the two services is thought to be about 15%.

The researchers suggest that as social network sites become more heavily used, then people will find it increasingly difficult to maintain a veil of anonymity.

The results also had implications for the social sites themselves, wrote the researchers.

"Social-network operators should stop relying on anonymisation as the 'get out of jail' card, insofar as user privacy is concerned," they said.

"They should inform users when their information is disclosed to third parties, even if this information has been anonymised, and give them the opportunity to opt out," they added.

Writing about their work, the two researchers said many different organisations might be interested in reconstructing the true identities.

They suggest that the information might be useful to governments interested in large scale monitoring or unscrupulous marketing firms keen to reach certain individuals. Even phishing gangs might be interested, they speculate, to make their messages look more convincing.

The pair will present a paper about their work to the IEEE Symposium on Security and Privacy taking place in California from 17-20 May.