In a recent experiment writer Andy Baio was able to uncover the identities of seven anonymous bloggers from a random sample of 50 in under 30 minutes; all thanks to a simple mistake they’d made in setting up their websites.
"One blog about Anonymous' hacking operations could easily be tracked to the founder's consulting firm, while another tracking Mexican cartels was tied to a second domain with the name and address of a San Diego man."
The mistake committed by the unlucky 7 was to inadvertently link the websites where they had chosen to be anonymous to other websites where they had not.
The link was a shared Google Analytics ID; a tiny and innocuous little signature unique to each blogger but shared across all of their websites.
Google Analytics is a hugely popular software package that allows website owners to gather detailed information about how their websites are used.
Users of the service are given a small piece of code and a unique ID like the one below which they must embed into every page on their website.
_gaq.push( ['gwo._setAccount', 'UA-737537-13'] );
People who own more than one website often share one ID across all of them for convenience.
If you can find two websites that share a Google Analytics ID then there’s a very good chance that the sites are being operated by the same person or the same group.
Of course even if the bloggers in Baio’s experiment had realised their error they might be forgiven for thinking that finding two matching IDs amongst billions of websites is an impossible task. What Baio knew and they didn’t was that it’s not impossible, it’s ridiculously easy.
The hard work of sifting through those billions of websites and harvesting the Analytics IDs is performed regularly by Search Engine Optimisation (SEO) tools. The fruits of all of that data crunching are then made available through free-to-use websites like eWhois.
So all Andy Baio had to do was type the address of an anonymous blogger’s website into one of these tools and see if the blogger was operating any other sites. He could then examine those sites for personal details or read their public whois records.
Baio’s motivation wasn’t to expose those seven bloggers but to warn everyone who wants to be anonymous about the pitfalls of sharing Analytics and AdSense IDs.
"Some of the most important and vital voices online are anonymous ... if you're an anonymous blogger writing about Chinese censorship or Mexican drug cartels, the consequences could be dire."
You can read Andy Baio’s full account of this experiment as well as his other recommendations on how to safeguard your anonymity online over at his website Waxy.org.
9 comments on “Basic error puts anonymous bloggers at risk”
Thanks Mark for pointing out a simple mistake. I am guilty of doing the same thing.
"If you can find two websites that share a Google Analytics ID then there's a very good chance that the sites are being operated by the same person or the same group."
It's only a chance, though. It's nowhere near enough evidence on its own. After all, it could merely be that someone is trying to make it _look_ as though you operate both sites.
(Whenever I hear of HR staff with no investigative training using social networking and web search tools "to vet prospective employees", I cringe to think of what wrongs might have been done to innocent jobseekers…mind you, perhaps it's better not to be employed by a company with sloppy "due diligence" procedures.)
'…while another tracking Mexican cartels was tied to a second domain with the name and address of a San Diego man."
Mexican Cartels don't need enough evidence. Simply your name is enough for them.
I blocked Google Analytics via hosts file
Sorry Google, you are nice but you need extreme customizations to make you tolerable.
No need for three separate lines.
Wow, I had not thought about this. I’m glad I never tried to set up any kind of anonymous site as I most certainly would have done this had I not known better.
To add, I corrected it by creating different Analytics “accounts” under account administration, which results in different Urchin ID’s that I could use per-blog. Easy fix, just takes some clicking and copy-pasting.