Writer Andy Baio was able to uncover the identities of seven anonymous bloggers from a random sample of 50 in under
30 minutes; all thanks to a simple mistake they’d made in setting up their websites.
"One blog about Anonymous' hacking operations could easily be tracked to the founder's consulting firm, while another tracking Mexican cartels was tied to a second domain with the name and address of a San Diego man."
The mistake committed by the unlucky 7 was to inadvertently link the websites where they had chosen to be anonymous to other websites where they had not.
The link was a shared Google Analytics ID; a tiny and innocuous little signature unique to each blogger but shared across all of their websites.
Google Analytics is a hugely popular software package that allows website owners to gather detailed information about how their websites are used.
Users of the service are given a small piece of code and a unique ID like the one below which they must embed into every page on their website.
_gaq.push( ['gwo._setAccount', 'UA-737537-13'] );
People who own more than one website often share one ID across all of them for convenience.
If you can find two websites that share a Google Analytics ID then there’s a very good chance that the sites are being operated by the same person or the same group.
Of course even if the bloggers in Baio’s experiment had realised their error they might be forgiven for thinking that finding two matching IDs amongst billions of websites is an impossible task. What Baio knew and they didn’t was that it’s not impossible, it’s ridiculously easy.
The hard work of sifting through those billions of websites and harvesting the Analytics IDs is performed regularly by Search Engine Optimisation (SEO) tools. The fruits of all of that data crunching are then made available through free-to-use websites like eWhois.
So all Andy Baio had to do was type the address of an anonymous blogger’s website into one of these tools and see if the blogger was operating any other sites. He could then examine those sites for personal details or read their public whois records.
Baio’s motivation wasn’t to expose those seven bloggers but to warn everyone who wants to be anonymous about the pitfalls of sharing Analytics and AdSense IDs.
"Some of the most important and vital voices online are anonymous ... if you're an anonymous blogger writing about Chinese censorship or Mexican drug cartels, the consequences could be dire."
You can read Andy Baio’s full account of this experiment as well as his other recommendations on how to safeguard your anonymity online over at his website Waxy.org.
Source :- http://nakedsecurity.sophos.com
- Think You’re Anonymous? Google Analytics May Prove Different (readwriteweb.com)
- Basic error puts anonymous bloggers at risk (nakedsecurity.sophos.com)