MicroID considered harmful (to privacy)
Technical report CS-08-09
Abstract
MicroID is a deployed Internet standard designed for use as a lightweight decentralized identity primitive for social web applications. This study presents the standard's specification and deployment, and analyzes the security and privacy of MicroID, describing attacks that can be used to compromise the privacy of its users. Although it has been described by its designers as privacy-preserving, in practice the deployment of MicroID has put the private information of many of its millions of unwitting users at risk of compromise. We provide recommendations for changes to the standard and its deployment which prevent these attacks.
Please read the paper for more details on MicroID, privacy, and the evaluation: PDF, HTML
Results
These results were compiled from randomly chosen users of three online services that published MicroID tokens at the time of the study. Username and full-name profile information were used to mount dictionary attacks on the email address inside each token. The evaluation successfully guessed a user's email address between one-fifth and one-third of the time, using only the name information shown on a user's public profile.
| | Digg | ClaimID | Last.fm |
|---|---|---|---|
| Total users examined | 56,775 | 917 | 784 |
| Users supplying full names | 17,339 | 637 | 708 |
| Total addresses guessed | 14,294 | 312 | 149 |
| Percentage of total | 25% | 34% | 19% |
| Successful guesses based on: | | | |
| Solely username | 12,413 | 171 | 105 |
| Permuted username | 383 | 24 | 3 |
| Permuted full name | 1,498 | 117 | 41 |
| Top 5 email domains | 12,627 | 300 | 139 |

Table 1, on guessing the email addresses of users of three popular websites publishing MicroID tokens (§6, Evaluation)
FAQ
Timeline
- (March 25, 2006) Jeremie Miller introduces MicroID on his blog and on microid.org.
- (Aug 14, 2006) Last.fm developers indicate that MicroID tokens will soon be published on all user pages. (via MicroID blog)
- (January 29, 2008) Digg announces they are joining the DataPortability project: "Just this week, we added MicroID, which lets you prove to other services that you own your Digg user profile." Digg begins publishing MicroID tokens on all >2M profiles.
- (June 3, 2008) Sent a draft of my report to developers of MicroID, Digg, Last.fm, and ClaimID.
- (June 27, 2008) Digg lets me know they have stopped publishing MicroID tokens on user profiles.
- (July 1, 2008) Last.fm notifies me they will remove MicroID from user profiles.
Advice for MicroID publishers:
- Don't publish tokens for all your users by default. By design, these tokens establish a public association between a user's email address and her profile/content that can be checked by anyone with an address in mind. Using only profile name information, the evaluation successfully revealed randomly chosen users' email addresses between one-fifth and one-third of the time (as evaluated on Digg, Last.fm, ClaimID).
- Add a warning blurb about privacy near your checkbox for MicroID token publication: the WikiTravel privacy policy offers the best (and only) example online.
- If you already publish your email address online, and it's already clear that your account on one of these sites belongs to your email address, don't worry. MicroID simply offers another way of publicly linking your email address with your content.
- If not, be careful that your public activity on these sites is now less anonymous. Anybody can check if your email address matches that of millions of suspects (a list of employees, students, etc.) in seconds. Also, spammers might guess your email address—how similar is it to your username?—and harvest your associated profile activity.
- If your site won't let you disable MicroID token publication, you could also try changing your email address to something harder to guess: many email providers allow you to add extra randomness to your email address with a +, like username+random@gmail.com.
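A self-check for the advice above, added here as an example (it is not code from the report or from the MicroID project): it tests whether the token on your own profile is reproduced by username@domain, and shows that a random +tag breaks that match. It assumes the MicroID construction sha1(sha1("mailto:" + address) + sha1(profile URI)) with hex digests; the profile URI, the username and the example.* domains are constructed.

```python
import hashlib
import secrets

# Constructed stand-ins for "common mail providers"; not data from the report.
DOMAINS = ("example.com", "example.org", "example.net")


def _sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def microid(email: str, profile_uri: str) -> str:
    """Assumed construction: sha1(sha1("mailto:" + email) + sha1(profile_uri))."""
    return _sha1_hex(_sha1_hex("mailto:" + email) + _sha1_hex(profile_uri))


def username_guessable(token_hash, username, profile_uri, domains=DOMAINS):
    """Return the username@domain address that reproduces the published
    hash, or None if no such address does."""
    for domain in domains:
        candidate = f"{username}@{domain}"
        if microid(candidate, profile_uri) == token_hash:
            return candidate
    return None


def plus_tagged(email: str, nbytes: int = 6) -> str:
    """Append a random +tag to the local part, as the advice above suggests."""
    local, domain = email.rsplit("@", 1)
    return f"{local}+{secrets.token_hex(nbytes)}@{domain}"


if __name__ == "__main__":
    uri = "http://social.example/users/jdoe"   # constructed profile URI
    published = microid("jdoe@example.org", uri)
    print("plain address  :", username_guessable(published, "jdoe", uri))
    tagged = plus_tagged("jdoe@example.org")
    republished = microid(tagged, uri)
    print("tagged address :", username_guessable(republished, "jdoe", uri))
```

The tag protects the address only while it stays secret and cannot be derived from anything shown on the profile.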
Chris Erway, Brown CS