There are quite a lot white papers about security on software level. You know, all those situations when an attacker sends some information not in the format expected by the software, and the latter fails; or passing some pieces of code in the registration form in places not intended for that and ending up with executing this code, or similar issues.
There are much less works describing security of some existing and popular Web 2.0 services (Facebook, Flickr, Google+, Picasa, Xing, LinkedIn, etc). But at least there are some.
What seems to be absolutely absent are white papers describing security (and more specifically, privacy issues) of the Web 2.0 ecosystem as a whole. Meanwhile, the situation there is quite remarkable. Fans of conspiracy theories would immediately assume that intelligence services of many countries are currently holding their breath observing rapid and voluntary de-privatization of many netizens; gathering all the information and preventing hackers from publishing their findings. Well, if it should be true, you are currently NOT reading this text, because it wasn’t successfully published. A more rational explanation would be, that just lazy me didn’t do any research before writing this blog post and has instead just bluntly asserted that there are no white papers on this topic to made his blog post more appealing.
To depict the current status quo, I’m going to show a couple of legal techniques to gather private information about a person from public sources.
1. Profile Scouting. This is obtaining links to public profiles of a target person, in a given Web 2.0 service:
a) By known real name. Many Web 2.0 services allow (and even motivate) their visitors to search profiles by known real name. This step can be either performed manually for each Web 2.0 service using the corresponding search field, or automatically using pipl.com.
b) By known username. Some Web 2.0 services display the username publicly, either in the web page itself, or at least as part of the public profile url. So, either public profile url can be constructed manually and checked if a given Web 2.0 service would return a profile or a 404 page, or some automated service can be used for this task, for example namechk.
c) By known place of living, company, school or interests. Many Web 2.0 services allow to search using these kind of metadata; from the resulting list of persons the target person has to be found using some additional information, for example their known appearance (looking at the profile photo). A variation of this method is using groups or forums; for example, if a target person is interested in some dance type, and some Web 2.0 service offers a group, it is possible to find them by looking up the members of the group.
d) By tagging. For example, a group photo on Facebook might be tagged with corresponding profiles; knowing appearance of the person of interest, it is possible to obtain their public profile. Another variation of this method is tagging of Flickr photos, where tags containing person names, cities and event names are used.
2. Profile Mapping. Having a profile in one Web 2.0 service, it is often easily possible to find out profiles of the same person in another Web 2.0 services; for example, by searching the same known real name. Many folks out there use the same username (or same couple of usernames) across several Web 2.0 services, so that their profiles can be mapped that way. The easiest way to map a profile is just a link, for example, it is possible to enter a link to Flickr account in the Facebook profile, and make it visible for everyone.
3. Social Graph Leveraging. This means, analyzing the “friends” of a target profile. This technique has the following shapes:
a) Leveraging Faulty Security Concept. For example, the target person has closed their photos on Facebook for public viewing, but opened them for their friends. A friend of the target person has a publicly available timeline and comments on a photo of the target person. Faulty Facebook allows anybody to follow to this comment and to see the original photo, even though it ought to be visible only “for friends”. I believe, this bug Facebook has at least since I’ve joined it in 2009.
b) Leveraging Different Privacy Settings. Let’s say the target person has closed their photos for public, but their friends haven’t. Some friend would publish their own photo, showing themselves, but also the target person (perhaps in the background or showing their back, but not necessarily so). Another variation of this technique is consuming the publicly available timeline of a friend of the target person, if it is known they interact closely in the real life (for example, study in the same university). By observing events, life style and mood of the target person’s friend, it is possible to conclude that the target person themselves should also have comparable mood, life style and perhaps participate in the same events.
c) Second Level Scouting. Let’s say, the target person A doesn’t want to publicly befriend another person B (due to any reason whatsoever). But, A’s friends C, D and E don’t have this constraint and all have B in their friends. By analysing common friends of the friends, it is possible to find a missing link. This technique has quite limited usefulness, as your typical Facebook profile has 100 to 200 of friends, the total number of friends of friends can be around 10000 in the worst case, which is way too much to be analyzed manually, and I don’t know any ready-to-use software that would automate such a “friends scouting”.
Combining these three techniques sequentially, it is possible to achieve impressive results. For example, it should be possible to start looking up the target person A by searching their real name and current city on Flickr. By a lucky chance, one could find only a couple of photos, and most of them would depict the target person. One then could go to the Flickr profile of these photos’ author, person R, and map their profile to Facebook. On Facebook, by a lucky chance, one would be able not only read the public timeline and obtain more photos, but also discover a couple of friends of R who would live in the same city, for example persons H and D. By mapping of H’s profile to spaces.live.com it could be possible to obtain additional photos, and by mapping D’s profile on a Web 2.0 service for travel reports, one could obtain additional information about some events happened.
I do believe these techniques are quite legal, because they leverage only the data made publicly available by respective owners / copyright holders. If this should be “problematic”, then Google and other spiders should be even more questioned and investigated.
On the other hand, depending on exact situation and on what exactly the researcher will do with the information found, this might be anything from being perfectly moral to being absolutely cruel. In any case, often it is the case that information flow is not as intended by the target person, and that’s why I think this issue is a security issue, and has to be publicly discussed and addressed.
I don’t know any handy solution for that, besides of trying and opening my own social profiles to the most possible extent. If I cannot prevent this kind of information gathering, at least I want to lead and control it by providing the most of information myself “from the first hands” and thus minimizing any possible misunderstanding or misinterpretations. But I do see that this approach is not suitable for every kind of situation.
So what do you think about it? I’m kindly requesting for your comments.