There have been recent reports about security vulnerabilities arising from the reuse of passwords on different web sites. What about the reuse of usernames? Can identities established on multiple web sites be linked together based on the usernames, and what are the implications for privacy?
A recent research paper from INRIA in France described an experiment that looked at over 10 million usernames from popular services such as Google and eBay. In some of the tests, Google profiles that listed multiple accounts on different web services were used to establish “ground truth” about linked usernames.
The first finding was that the usernames people choose on the various websites tend to be highly unique: the probability of a duplicate was approximately one in one billion. This held across a variety of web services, including a corporate network, Finnish web forums, and MySpace.
Second, the researchers found that when people used different usernames for different services, many of the usernames were constructed by making very small changes to existing usernames (e.g., sarah, sarah2).
Third, the study demonstrated that more than 50% of the usernames created for different services could be linked to one another because the username was identical or very similar, and distinct from other usernames.
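As an added illustration of the second and third findings, the following example shows how "small change" usernames can be linked by string similarity, and why similarity alone is not enough: a username that is common (many people could have chosen it) should not be treated as a link. This is example code written for this article, not code from the INRIA study; the sample profiles, the common-name list and the `is_distinctive` heuristic are constructed here as a crude stand-in for the paper's population-based uniqueness estimate.

```python
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed list of common name tokens; a real check would use population
# statistics over many services, which this example does not have.
COMMON_TOKENS = {"sarah", "john", "bob", "alex", "mike", "admin", "user"}

# Constructed sample: one username per service, as a privacy self-check.
SAMPLE_PROFILES = {
    "forum":   "sarah2",
    "video":   "sarah",
    "auction": "wanderingfox77",
    "photos":  "wandering_fox77",
    "tracker": "quietharbor",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """Normalised similarity in [0, 1]; 1.0 means identical (case-insensitive)."""
    a, b = a.lower(), b.lower()
    longest = max(len(a), len(b))
    if longest == 0:
        return 1.0
    return 1.0 - levenshtein(a, b) / longest


def is_distinctive(name: str, min_len: int = 8) -> bool:
    """Crude uniqueness heuristic (assumption, not the paper's method):
    strip digits/punctuation and reject short names or common name tokens,
    so 'sarah2' is not distinctive but 'wanderingfox77' is."""
    core = "".join(ch for ch in name.lower() if ch.isalpha())
    return len(name) >= min_len and core not in COMMON_TOKENS


def find_linkable(profiles: Dict[str, str],
                  threshold: float = 0.8) -> List[Tuple[str, str, float]]:
    """Return (service_a, service_b, similarity) for pairs of usernames that are
    near-identical AND distinctive enough that the match is unlikely to be chance."""
    links = []
    for (svc_a, name_a), (svc_b, name_b) in combinations(sorted(profiles.items()), 2):
        sim = similarity(name_a, name_b)
        if sim >= threshold and is_distinctive(name_a) and is_distinctive(name_b):
            links.append((svc_a, svc_b, sim))
    return links


if __name__ == "__main__":
    for svc_a, svc_b, sim in find_linkable(SAMPLE_PROFILES):
        print(f"{svc_a} <-> {svc_b}: similarity {sim:.2f} (likely the same person)")
```

Running it flags only the `auction`/`photos` pair: `sarah` and `sarah2` are one edit apart, but the heuristic treats the shared core as too common to count as evidence, which is the page's point that linking needs similarity together with uniqueness. The thresholds are arbitrary starting values for a personal audit of your own accounts, not tuned parameters.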
The results are important for privacy protection. Although you may limit the amount of personal information you reveal when using a particular service, if your profile can be linked to other services, then a detailed personal profile can be constructed from the various bits of partial information. This could lead to embarrassment if a supposedly anonymous profile is linked to a real-world identity. Spammers and fraudsters could also gather information from multiple services to target their messages or launch phishing and social engineering attacks.
In a demonstration of the risks involved, a quick examination of people using anonymous file sharing services (private BitTorrent trackers) found that 13 out of the 20 usernames examined could be linked to other web services (e.g., YouTube, eBay) and 4 usernames could be linked to real-world identities.
The lesson is similar to the warning about passwords – make sure that you choose a truly unique username (and password) for each service that you do not want linked together.