Correlating a Persona to a Person

Abstract

Participation in online social networks (OSNs) such as Facebook, Linked In, and Twitter has dramatically increased over the years. For example, it is estimated that Facebook has more than eight hundred million registered users. The popularity of OSNs has increased the sheer amount of personal information on the Internet. In this paper, we introduce a profiling and tracking attack that correlates a visitor's online persona that is captured from a seemingly innocuous website with that of the same visitor's real Facebook profile. We compare this with the analytics captured from a custom Facebook Fan Page to show how we can identify the visitor given only their online persona. Furthermore, we create a Facebook application that is linked from the custom website and Fan Page. This application when, accessed and allowed by a visitor (assuming they have a Facebook account), will capture their profile. We tie the analytics captured by the custom website and the Fan Page with that of the profiling and tracking enabled application. Our stated hypothesis is: The majority of visitors can be profiled, tracked, and led to reveal their identity by an adversary who uses website analytic tools. This is because of the actions the visitor performs on the Internet and the information they freely display on their Facebook profiles. We analyze the online behavior of 25 participants and our results show we are able to correctly determine 16 of 25 or 64% of them. We focus on the ramifications of this research and provide defense mechanisms to help protect OSN users.