Basic error puts anonymous bloggers at risk


In a recent experiment, writer Andy Baio was able to uncover the identities of seven anonymous bloggers from a random sample of 50 in under 30 minutes, all thanks to a simple mistake they'd made in setting up their websites.

"One blog about Anonymous' hacking operations could easily be tracked to the founder's consulting firm, while another tracking Mexican cartels was tied to a second domain with the name and address of a San Diego man."

The mistake committed by the unlucky 7 was to inadvertently link the websites where they had chosen to be anonymous to other websites where they had not.

The link was a shared Google Analytics ID: a tiny and innocuous little signature unique to each blogger but shared across all of their websites.

Google Analytics is a hugely popular software package that allows website owners to gather detailed information about how their websites are used.

Users of the service are given a small piece of code and a unique ID like the one below which they must embed into every page on their website.

_gaq.push( ['gwo._setAccount', 'UA-737537-13'] );

People who own more than one website often share one ID across all of them for convenience.

If you can find two websites that share a Google Analytics ID then there's a very good chance that the sites are being operated by the same person or the same group.

Of course, even if the bloggers in Baio's experiment had realised their error, they might be forgiven for thinking that finding two matching IDs amongst billions of websites is an impossible task. What Baio knew and they didn't was that it's not impossible; it's ridiculously easy.

The hard work of sifting through those billions of websites and harvesting the Analytics IDs is performed regularly by Search Engine Optimisation (SEO) tools. The fruits of all of that data crunching are then made available through free-to-use websites like eWhois.

So all Andy Baio had to do was type the address of an anonymous blogger's website into one of these tools and see if the blogger was operating any other sites. He could then examine those sites for personal details or read their public whois records.

Baio's motivation wasn't to expose those seven bloggers but to warn everyone who wants to be anonymous about the pitfalls of sharing Analytics and AdSense IDs.

"Some of the most important and vital voices online are anonymous ... if you're an anonymous blogger writing about Chinese censorship or Mexican drug cartels, the consequences could be dire."
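A self-audit for the mistake described above, as an added example that is not from the original article or from Andy Baio: it scans the HTML of your own sites for Analytics and AdSense identifiers and reports any that appear on sites you intend to keep under separate identities. The site names, identity labels and ID values are constructed for illustration; the comparison is made on the account part of the Analytics ID (UA-account-property), because every property created under one account carries the same account number.

```python
import re
from collections import defaultdict

# Classic Analytics IDs look like UA-<account>-<property>; the account part
# stays the same for every property created under one Analytics account.
GA_ID = re.compile(r"\bUA-(\d{4,10})-\d{1,4}\b")
# AdSense publisher IDs: "pub-" followed by 16 digits (often "ca-pub-...").
ADSENSE_ID = re.compile(r"\bpub-(\d{16})\b")

def tracking_accounts(html):
    """Return the account-level identifiers embedded in one page."""
    found = {"analytics:UA-" + m for m in GA_ID.findall(html)}
    found |= {"adsense:pub-" + m for m in ADSENSE_ID.findall(html)}
    return found

def cross_identity_links(pages):
    """pages maps site -> (identity label, html). Report every account
    identifier that appears on sites belonging to different identities."""
    seen = defaultdict(dict)  # identifier -> {site: identity}
    for site, (identity, html) in pages.items():
        for ident in tracking_accounts(html):
            seen[ident][site] = identity
    return {ident: sorted(sites)
            for ident, sites in seen.items()
            if len(set(sites.values())) > 1}

# Constructed sample pages (hypothetical sites and IDs, not real ones).
SAMPLE_PAGES = {
    "anon-blog.example": ("anonymous", """<script>
        _gaq.push(['_setAccount', 'UA-1234567-4']);</script>"""),
    "my-consultancy.example": ("named", """<script>
        _gaq.push(['_setAccount', 'UA-1234567-1']);</script>
        <ins data-ad-client="ca-pub-0000111122223333"></ins>"""),
    "family-photos.example": ("named", """<script>
        _gaq.push(['_setAccount', 'UA-7654321-1']);</script>
        <script>google_ad_client = "ca-pub-0000111122223333";</script>"""),
}

if __name__ == "__main__":
    for ident, sites in cross_identity_links(SAMPLE_PAGES).items():
        print(f"{ident} links: {', '.join(sites)}")
```

In the sample, the anonymous blog and the consultancy use different property numbers but the same Analytics account, so they are still reported as linked; the AdSense ID shared by the two "named" sites is not reported because both already belong to the same identity.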

You can read Andy Baio's full account of this experiment as well as his other recommendations on how to safeguard your anonymity online over at his website Waxy.org.


9 Responses to Basic error puts anonymous bloggers at risk

  1. Kevin · 1009 days ago

    Thanks Mark for pointing out a simple mistake. I am guilty of doing the same thing.

  2. pinkimagination · 1008 days ago

    Uh-oh.... :(((

  3. Paul Ducklin · 1008 days ago

    "If you can find two websites that share a Google Analytics ID then there's a very good chance that the sites are being operated by the same person or the same group."

    It's only a chance, though. It's nowhere near enough evidence on its own. After all, it could merely be that someone is trying to make it _look_ as though you operate both sites.

    (Whenever I hear of HR staff with no investigative training using social networking and web search tools "to vet prospective employees", I cringe to think of what wrongs might have been done to innocent jobseekers...mind you, perhaps it's better not to be employed by a company with sloppy "due diligence" procedures.)

    • Todd · 1008 days ago

      "...while another tracking Mexican cartels was tied to a second domain with the name and address of a San Diego man."
      Mexican Cartels don't need enough evidence. Simply your name is enough for them.

  4. Sunk · 1008 days ago

    I blocked Google Analytics via hosts file

    127.0.0.1 www.google-analytics.com
    127.0.0.1 google-analytics.com
    127.0.0.1 ssl.google-analytics.com

    Sorry Google, you are nice but you need extreme customizations to make you tolerable.

  5. Oliver V · 1008 days ago

    Wow, I had not thought about this. I'm glad I never tried to set up any kind of anonymous site as I most certainly would have done this had I not known better.

  6. Alex W · 1008 days ago

    To add, I corrected it by creating different Analytics "accounts" under account administration, which results in different Urchin IDs that I could use per-blog. Easy fix, just takes some clicking and copy-pasting.

  7. Alex W · 1008 days ago

    Oh, and another thing to add. Adsense publisher ID has the same problem and there is *no* way to fix that right now (there are some complaints about that on Google discussion groups).

About the author

Mark Stockley is the founder of independent web consultancy Compound Eye and he's interested in literally anything that makes websites better. Follow him on Twitter at @MarkStockley