Account Linking

Many many years ago now I spent a while working on the Internet Identity management problem.  In fact I have a whole category with postings I did during that period.  Boy, talk about a tough problem!

Back in day one of the problems we worried about a lot went under the name “account linking.”  This problem comes up in lots of guises.  One most people are familiar with is the problem of removing duplicates from a mailing list.  Another is using social security numbers to link together account information.  Account linking is one of the corner stones of the privacy problem.  Account records are journals of somebodies’ behavior, but if you can’t link that record to them then the privacy question is muted.

As a result of that period I tend to be fastidious, some would say obsessive, about keeping some accounts hard to link.  I have a primary user name I use when I don’t care; but otherwise I have distinct user names, passwords, email addresses.  I justify this as a hobby, ongoing research in privacy and identity.  It’s a pain, but I seem to enjoy that exercise – whatever.

So it was with some amusement that I received an email from some valley startup that has offers a service for your inner stalker.    Of course they advertise it as a way to follow your friends, yeah right.  What they appear to have built is a scheme for doing account linking that is based on both the usual heuristic’s approaches (such as those seen in mailing list de-duping) and a modicum of social engineering.  The later part is clever, if vile, they get your “friends” to link your accounts.

The email I got told me that they and my “friends” had figured out four different accounts I have; flicker, digg, pandora, and stumbleupon.  Only one of these was interesting.  The account they had uncovered for me at digg was one of the ones where I thought I had made it resistant to casual linking.

Their email went on to say; and I love this in a eye-rolling way: “you would like to make these accounts private, please change the privacy settings on the original network and Spokeo will update its search results to reflect your changes.”

So I head off to Digg to see if I can see what I missed.  Digg has a complex page of privacy settings, it’s one of dozens of pages in their account management UI.  At the bottom of that page is a toggle for advanced settings.  Inside that is a toggle to disable finding me using my email address.  I hadn’t set that.  So I’d guess is that the stalker service is polling every email address they harvest to discover digg accounts.  Digg and I slipped up, but at least we were trying.

Did I mention that this problem is hard?  I’ve grown increasingly doubtful we can solve this one.  But yeah, what choice do we have but to try?

Leave a Reply

Your email address will not be published. Required fields are marked *