Could your username be used against you?

Columnist Dan Misener reports that employing the same username across Google, Facebook, Twitter and other sites could make you vulnerable to marketers and web scammers.
Dan Misener
You don’t need a computer science degree to know that "password" is not a very good password. Nor is your birth date, your street address or the name of your dog (unless your dog’s name happens to be 3$m_iLtVF3M9w8s, but that’s a terrible name for a dog).

We’re told again and again about the importance of choosing strong, hard-to-guess passwords. What’s more, we’re told that our passwords should be unique — your email password should be different from your Facebook, eBay and online banking passwords. Reusing passwords is a no-no.

Even if you manage to choose strong, unique passwords for each and every service you use, you shouldn’t stop worrying. New research suggests there’s another factor that may put your online security and privacy at risk: your username.

On some websites, I go by "danmisener." On others, I’m "dmisener." At work, I’m "misenerd" (or, as some people are fond of pointing out, "miseNERD"). The thing is, I tend to reuse the same handful of usernames, based on what’s already been taken by Miseners that have come before me.

According to researchers from the French National Institute of Computer Science, that may not be such a good idea. They’ve found that by reusing usernames across multiple websites, you may be giving marketers and online scammers an easy way to profile and track you.

Daniele Perito, one of the researchers, says: "We looked into the uniqueness of the usernames that people use online. We found that people tend to reuse the usernames a lot, and tend to choose extremely identifying usernames for their online activity, which can pose privacy risks."

Just what are those privacy risks? If you use the same username across multiple computer networks, it’s not hard for an advertiser or marketer to pull together bits of your digital identity from across the internet into one place, creating a more complete profile than one network could provide alone.

For example, I might use Facebook to share personal information with my friends and family. And I might use LinkedIn to connect with business colleagues. Try as I might to keep the two separate, if I use the same username for both websites, they can be linked. Advertisers and marketers will love this. People concerned about online profiling won’t.

In a more nefarious example, multiple online profiles could be linked together by scammers for phishing or targeted spam campaigns. The more scammers know about you, the better they can tailor their attacks. Though it may be easy to ignore an email plea for money from "Mr. Richard Ramos" of the "Capital Diplomatic Courier Services Company" in West Africa, it’s harder to ignore one that claims to come from Aunt Peggy, especially if it mentions cousins Eric and Julia by name. Sure, it might actually be from Aunt Peggy, but it might also be from a scammer who’s been browsing my public Facebook profile.

In order to do their experiments, the French researchers needed usernames. So they collected more than 10 million of them (from Google, eBay, and other sources), and were able to calculate what they call "username probabilities." According to their system, statistically speaking, the usernames "dmisener" and "misenerd" probably belong to the same person (me). So even if you only use similar usernames across different sites, you can still be tracked or targeted.

This isn’t just an issue for people who re-use their usernames, but also for people with uncommon usernames. For instance, there aren’t too many Dan Miseners in the world, but there are a lot of John Smiths. Daniele Perito told me that people with more uncommon and unusual usernames are more susceptible to profiling techniques. So bad news for "EngelbertHumperdinck1936," but good news for anyone named John Smith.

Taking responsibility

What am I supposed to do with this information? Should I spend an afternoon changing all my existing usernames, whilst I fashion a cap out of tin foil? Perito says no, he doesn’t expect people to go and change their usernames. He and his colleagues are more interested in techniques that large web services like Google, eBay or Facebook could use to keep username information out of unscrupulous hands. Several websites display usernames publicly for the world to see. The French researchers were able to download 3.5 million usernames from Google, and 6.5 million from eBay. Daniele says that’s part of the problem.

For those of us who don’t run large web services, the researchers have created a tool that lets you analyze your own usernames. You type one in, and it’ll tell you how easily it can be used to identify you. Or, you can type in two usernames, and the software will tell you if it thinks they belong to the same person. You can find the tool by searching for "How unique are your usernames?"
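To make "username probabilities" and the two-username comparison concrete, here is an added sketch for checking your own handles; it is not the researchers' tool or code. The character-bigram model, the tiny constructed sample list, the similarity measure and all function names are assumptions chosen for illustration.

```python
import math
from collections import Counter
from difflib import SequenceMatcher

# Constructed sample of handles (an assumption); a real estimate needs millions.
SAMPLE = ["johnsmith", "john123", "jsmith", "smithj", "johnny", "mike1985",
          "sarah_j", "david22", "maria", "alex99", "chris", "anna_s"]
ALPHABET_SIZE = 40  # a-z, 0-9, "_", ".", "-" plus the end marker
START, END = "^", "$"

def train(handles):
    """Count character bigrams (with start/end markers) over the sample."""
    pairs, firsts = Counter(), Counter()
    for h in handles:
        s = START + h.lower() + END
        for a, b in zip(s, s[1:]):
            pairs[(a, b)] += 1
            firsts[a] += 1
    return pairs, firsts

def surprisal_bits(model, handle):
    """Estimate -log2 P(handle) under the bigram model, add-one smoothed.

    More bits means a rarer, more identifying handle.
    """
    pairs, firsts = model
    s = START + handle.lower() + END
    bits = 0.0
    for a, b in zip(s, s[1:]):
        p = (pairs[(a, b)] + 1) / (firsts[a] + ALPHABET_SIZE)
        bits -= math.log2(p)
    return bits

def similarity(a, b):
    """Share of matching characters between two handles, from 0.0 to 1.0."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

if __name__ == "__main__":
    model = train(SAMPLE)
    for handle in ("johnsmith", "dmisener", "EngelbertHumperdinck1936"):
        print(f"{handle}: {surprisal_bits(model, handle):.1f} bits")
    print("dmisener vs misenerd:", similarity("dmisener", "misenerd"))
```

A handle that scores many bits and closely resembles another of your handles is the combination the article describes as easiest to link.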

Personally, I’m not going to start changing all my existing usernames. But I am going to be much more aware of the ones I choose going forward.

The thing that strikes me most about this story is the tension of online identity. Often, we want our friends and family to be able to find us easily. I like that I’m misener on Twitter, misener on Facebook and misener on Instagram. In one sense, there’s a strong case for having a single, pervasive online identity. But at the same time, this research suggests there are risks.

That’s what happens when you sign up for a pervasive online identity. You get a pervasive online identity, for better or worse.

But just to be safe, you can call me John Smith from now on.

(Dan Misener is a national technology columnist for CBC Radio afternoon shows, and one of the minds behind Spark, with Nora Young.)