Dave is here!

Dave

I'm Dave, one of the founders of the Recurse Center.

On The Internet, _Everybody_ Knows You're a Dog

August 30, 2009

Updated: September 25th, 2009.

I care about my privacy, and I try to take reasonable steps to safeguard it. Every once and a while however, I am reminded of what little difference that makes.

A year ago I saw private investigator Steve Rambam give a talk entitled “Privacy is Dead, Get Over It” at The Last Hope. The talk is available on YouTube, and although it’s long, I’d highly recommend watching it. Steve gave a great lecture on what type of info is available to him as a PI, and how much of that is contributed by us. After that, I stopped twittering.

That didn’t last long. No more than a week later, I was back to broadcasting the various happenings of my life, having gained only a bit of perspective on what type of information I wanted to contribute. A year later, while thinking about this talk, I decided to do a little audit of my own privacy online. Here’s what I found:

What I Have Going for Me

Let’s start with the good. Where’s the first place you used to go to find info on someone? The phonebook. I don’t have a landline, so I’m not listed. That’s a good start. I’m also not particularly settled down yet. I move often, so info becomes stale quickly. I don’t own a house, run a company, or do many other things that would create public records.

I’m also lucky. A quick Google search will reveal that I’m not the only David Albert on the internet. Not only that, but there happens to be a rather famous and more accomplished one generating a bunch of noise that might help drown out what I generate.

These, as we’ll soon find out, are small comforts in the face of a very grim reality.

The Search Begins

Let’s say you got an e-mail from me, and wanted to know more about me. Maybe you even want to find me in person. The place to start would be my signature, which is pretty much standard at my office:

David Albert AdaptiveBlue - Software Engineer http://getglue.com http://twitter.com/davidbalbert

From here you already know where I work, and you have my Twitter account. From my twitter page, you’ll find a link to my website. While I might not be in the phonebook, I’m in the internet equivalent. WHOIS is a system where you can look up the owner of internet resources, including domain names. When you register a domain, you’re required to enter your name, address, and e-mail address. These become public and are available via WHOIS search. You can pay extra to have someone enter their info as a proxy, but you have to pay extra, so very few people do it. This service is also not available in every case (like mine). I’m not going to hand it to you on a silver platter, but if you know how to use WHOIS, you have my address. At this point I’m already screwed.

Look back at my Twitter account for a second. My latest tweet is about my Greyhound ticket. Seems pretty benign, right? Think again. With this info, you can infer that I was away for the weekend. If you had the means and desire, this would have been a good time to break into my apartment and snoop around.

Facebook

I use Facebook. I don’t use it as much as the vast majority of users, but there is still an obscene amount of info that has been put up there by me and others. I don’t link to my profile from anywhere and I have all my privacy settings as stringent as they can be, so this might seem like a bad angle of attack, however not all is lost. If you know a little bit about me, like where I live (available on my Twitter profile), or where I went to school, you’ll probably be able to find my profile pretty quick. If you’re so inclined, I’m sure you could find a friend of mine with access to my profile or be able to access my info via other means.

Even if you can’t find a way in, there is a nice little tidbit that you’ll probably be able to use. Facebook recently introduced usernames, and if you can find mine, you might notice something juicy. I use the same username on Facebook as I do on Twitter. A quick Google search for my Twitter and Facebook username reveals that I use the same one everywhere I go on the net. A lot more fruitful than searching for my name. From here, you can find forums I’ve used, companies I’ve worked for, accounts I’ve created, services I’ve used, code I’ve written, e-mails I’ve sent, the school I went to, photos I’ve taken, my interests, and people I’ve interacted with who might provide some sort of info about me or way to find me, just to name a few.

Twitpic

For the sake of brevity, let’s just take a look at one of the results. Twitpic is one of many services that allows you to post photos from Twitter. You can find my account from our most recent Google search, but you don’t even have to look because it uses my Twitter username and info. Browsing through my recent photos, we find a picture that looks interesting. While there’s no description attached, the page says that the picture was posted August 15th. While the date is apparently wrong, you can find the relevant tweet from the 14th. It says I’m on my balcony watching the sunset. Take a look at the picture again. The quality is not great, but given that you know my address, it’s probably good enough for you to pinpoint my window from the street.

You can do this stuff all day. Keep clicking on those links from Google, and you’ll be able to find all sorts of stuff on me. In an hour, you’ll probably have a pretty complete picture.

The Takeaway

So what is there to take from this besides every bit of personal information that anyone has ever posted about me? Steve Rambam was right, privacy is dead, and it’s our own damn fault. No matter how little info you put online about yourself, people who want to find out about you will be able to (remember, we only looked at public info that I put online myself. We haven’t even considered other private databases available to PIs, various public records, and government databases available to the Police and the Feds). Furthermore, if you’re thinking about taking it down now, don’t bother, it’s too late. Everything on the web is archived in some form or another. If you publish it, it’s there for good. No ifs ands or buts about it.

You can, however, begin to consider these things going forward. What types of info do you really want to share? Twitter just announced a geolocation API. Do you want people to know where you are all the time? How about who you’re hanging out with? Think about this the next time you share something on Facebook or checkin on Four Squre. If you make conscientious decisions about these things, you might not be able to stop interested parties from finding out all about you, but you might just make their jobs a little bit harder.

Update: There’s a great [article][16] by Jacqui Cheng on the subject that is totally worth your time.

[16]: http://arstechnica.com/security/news/2009/09/which-user-clicked-on- viagra-ads-ask-myspace-and-facebook.ars

*[PI]: Private Investigator