Matthijs Koot, PhD researcher at the University of Amsterdam (UvA), has shown how easy it is to get hold of information from personal profiles via Google Profiles on a large scale. In February of this year, the researcher stumbled across a number of public files in Google Profiles, a service where users can share personal information. The files contain links to all 35 million Google Profiles. This is the first time that somebody has shown that it is possible to obtain personal details on such a large scale. Koot is particularly concerned about the potential abuse of this data by criminals. He made the discovery as part of his doctoral research on the traceability of anonymous data to individuals, which he is conducting with UvA professors Cees de Laat and Michel Mandjes from the Informatics Institute and the Korteweg-de Vries Institute respectively.
The public profiles that people create themselves on Google Profiles contain only information about themselves that they have made public, such as occupation, residence, education, work experience and links to their other profiles such as Facebook and LinkedIn. If a profile is linked to a Twitter account, Twitter conversations are also visible in Google Profiles. Koot was able to obtain information from Google Profiles without encountering any technical barriers or safeguards. Google was informed by Koot, but has not (yet) taken any action.
Abuse of private information
Koot is particularly concerned about the possible abuse of personal data. ‘It is easy to filter “interesting” groups among the millions of profiles. Who works with police, the judiciary or the military? Who travels a lot and takes pictures with expensive cameras? Criminals can connect different profiles to Twitter, Facebook and LinkedIn and use it to send “smart” e-mails to victims of interest; e-mails that seem to originate from an acquaintance and tempt you to click on a link leading to a malicious website; a website that seems to belong to the government, a bank or an insurance company, but quietly attempts to infect your computer with malicious software that copies passwords or manipulates banking transactions. Antivirus software is of little help. Awareness could be.’
Koot also talks about the risks: ‘Prospective employers or insurers may also use information that people unknowingly put on their personal pages. There may be companies that store this information about you for a long time and extract the information of interest to banks, insurers, employers and government; companies that operate outside the European privacy law. Have you ever said something on Twitter about your weak heart valves or use of antidepressants? Have you been critical of previous employers? Do people in your social circle form a risk?’
Control over information
‘People are not aware that they have lost control over their information once it's on the Web. When personal information from various social networks is coupled together, a clear profile of a person is often formed,’ says Koot. The researcher recommends further research into possible abuse scenarios, to ultimately help strengthen trust in the information society.