MicroID considered harmful (to privacy)

Technical report CS-08-09

Abstract

MicroID is a deployed Internet standard designed for use as a lightweight decentralized identity primitive for social web applications. This study presents the standard's specification and deployment, and analyzes the security and privacy of MicroID, describing attacks that can be used to compromise the privacy of its users. Although it has been described by its designers as privacy-preserving, in practice the deployment of MicroID has put the private information of many of its millions of unwitting users at risk of compromise. We provide recommendations for changes to the standard and its deployment which prevent these attacks.

Please read the paper for more details on MicroID, privacy, and the evaluation: PDF, HTML

Results

These results were compiled from randomly-chosen users of three online services that published MicroID tokens at the time of the study. Username and full name profile information were used to mount dictionary attacks on the email address inside each token. The evaluation was able to successfully guess a user's email address between one-fifth to one-third of the time, using only the name information shown on a user's public profile.

	Digg	ClaimID	Last.fm
Total users examined	56,775	917	784
Users supplying full names	17,339	637	708
Total addresses guessed	14,294	312	149
Percentage of total	25%	34%	19%
Successful guesses based on:
Solely username	12,413	171	105
Permuted username	383	24	3
Permuted full name	1,498	117	41
Top 5 email domains	12,627	300	139

Table 1, on guessing the email addresses of users of three
popular websites publishing MicroID tokens (§6, Evaluation)

FAQ

Q: What is MicroID?
A: A MicroID token is the result of three hash operations that are computed and published by a website on behalf of one of its users. (For more, see microid.org.) For example, a typical Digg user would have had the output of the following published on her user profile:
SHA-1( SHA-1("mailto:username@gmail.com") + SHA-1("http://digg.com/users/username") )
Q: Spammers can already get your email in a number of other ways—DHAs, etc—why care about MicroID?
A: It's true that spammers already collect lists of emails using searches and brute-force methods like directory harvest attacks. However, while DHAs require a spammer to send each guess to the server they're attacking (and wait for a reply), MicroID tokens, once published, can be downloaded and cracked offline, with much higher success rates than simply emailing random people (as shown in the evaluation). Further, cracking a MicroID token reveals something more valuable than a randomly-guessed or scraped email address: the attacker learns a "verified" user email, along with that user's associated content (e.g., favorite Last.fm songs for ringtone advertisements, favorite Digg articles).

Timeline

(March 25, 2006) Jeremie Miller introduces MicroID on his blog and on microid.org.
(Aug 14, 2006) Last.fm developers indicate that MicroID tokens will soon be published on all user pages. (via MicroID blog)
(January 29, 2008) Digg announces they are joining the DataPortability project: "Just this week, we added MicroID, which lets you prove to other services that you own your Digg user profile." Digg begins publishing MicroID tokens on all >2M profiles.
(June 3, 2008) Sent a draft of my report to developers of MicroID, Digg, Last.fm, and ClaimID.
(June 27, 2008) Digg lets me know they have stopped publishing MicroID tokens on user profiles.
(July 1, 2008) Last.fm notifies me they will remove MicroID from user profiles.

Advice for MicroID publishers:

Don't publish tokens for all your users by default. By design, these tokens establish a public association between a user's email address and her profile/content that can be checked by anyone with an address in mind. By just using profile name information, the evaluation successfully revealed randomly chosen users' email addresses between one-fifth to one-third of the time (as evaluated on Digg, Last.fm, ClaimID).
Add a warning blurb about privacy near your checkbox for MicroID token publication: the WikiTravel privacy policy offers the best (and only) example online.

Advice for users of sites publishing MicroID:

If you already publish your email address online, and it's already clear that your account on one of these sites belongs to your email address, don't worry. MicroID simply offers another way of publicly linking your email address with your content.
If not, be careful that your public activity on these sites is now less anonymous. Anybody can check if your email address matches that of millions of suspects (a list of employees, students, etc) in seconds. Also, spammers might guess your email address—how similar is it to your username?—and harvest your associated profile activity.
If your site won't let you disable MicroID token publication, you could also try changing your email address to something harder to guess: many email providers allow you to add extra randomness to your email address with a +, like username+random@gmail.com.