Sharing Personal Information: A Scenario
2016, January 13
Sharing Personal Information: A Scenario
You may think that little bits of personal information are okay to share, but even disparate, small pieces of information can be aggregated into a very clear picture of your identity and become actionable intelligence for an individual with too much free time or a grudge.
- Randomguy1337 and SueSomebody8 are in the same chat room.
- Random has been watching Sue's chat room activity for some time. She said something he didn't like, or she simply exists -- Sue has been targeted for any reason or no reason at all. Random begins collecting any information he can find.
- Sue has told the room that she is an accountant, but has not disclosed her location or the name of her employer. Random has, however, narrowed down Sue's identity somewhat -- as a woman, she is a member of half of the population of the planet. You could say that this isn't much to go on, but you could also say that Random has eliminated about four billion candidates.
- Sue occasionally uses idioms used only in the United States, and never uses idioms used in any other country. She once corrected a British user's spelling of "aluminium." Random takes note: Sue is an American.
- Later, Sue complains in public chat about her boss subjecting her to increased pressure ever since her employer came under increased scrutiny because of those penny pinchers on Capitol Hill. Random now has reason to suspect that Sue is a federal government employee: Capitol Hill refers to the United States Congress, and the federal government only has budgetary authority over the rest of the federal government, not state or private entities.
- Random remembers a news story about the US Federal Trade Commission being in hot water recently because of excessive spending at some of their offices. There is now some degree of reason to suspect that Sue is an employee of the Federal Trade Commission.
- Sue knows that Random doesn't like her, and Random knows that Sue knows this, as he does nothing to keep it a secret. Random, however, registers a second chat username in order to talk to Sue, because he is determined to extract personal information from her.
- Random, connecting as Bloodhax1911, feigns interest in a chat topic in which Sue is engaged, and the two begin to chat privately.
- The subject, engineered by Random, shifts to general life annoyances. Random knows that people are very willing to commiserate, as part of our general good nature, and that this can be a good way to get people to reveal information about themselves.
- Knowing that Sue's boss is keeping her under a lot of pressure, Random dangles bait and mentions that his boss is "this close" to firing him for being so often late to work, but that he can't help it because traffic is bad due to construction.
- Sue relates, and says that her boss, since being under increased budget scrutiny, constantly bothers her about her unnessary printer usage, reminds her that time is money, and carefully checks when she arrives at work in the morning. She goes on, shocked as she tells Random that she has to go, as it is almost midnight and she needs to sleep before having to get up to go to work, and that she, too, is sometimes late because traffic is terrible this time of year on The Beltway.
- It is almost 10 PM where Random is, so now he knows Sue's time zone.
- Sue mentioned The Beltway. Random doesn't know exactly what this is, but he knows, from context, that it is a road. In less than a minute on Google, Random discovers that the phrase "The Beltway" refers to Interstate 495), the Capital Beltway, which runs through Maryland, Virginia, and Washington, DC.
- Knowing that Sue is a federal government employee, possibly an employee of the Federal Trade Commission, and probably in or near Washington, DC, all of which match without conflict with all personal facts Sue has casually shared, Random begins to further narrow his search.
- The Federal Trade Commission itself lists its regional offices on its website; the exact page was found with a Google search: "Federal Trade Commission Offices." The "Northeast Region" is served by an office in New York, so that can't be it, as it is too far a commute for Sue to make every day. The nearest regional office on the coast is in Cleveland, Ohio, which is also too far a commute for Sue to reasonably make. However, each regional office's page lists the same Consumer Response Center, located on Pennsylvania Avenue, right in Washington, DC.
- To avoid visits from scary men in suits, (one of the lessons in this article: paranoia can be good!) I won't be too specific about methods, but it is possible to acquire the phone number for this office, and it requires the same level of technical skill required to use our chat rooms -- almost none. No seedy hacker underground connections required.
- Random calls this office, from a payphone, just to be safe, and asks to be transferred to Human Resources, as he would like to file a complaint. Once he reaches someone, he says that a woman in her 30s -- a good median age approximation -- last week, who works in accounting, was rude to him about some element of cultural garb that he wears. As there is, in this fictional case, only one woman that matches that description in the accounting office, the human resources representative on the phone recognizes her immediately. "Susan Smith? But she's always been so nice and culturally sensitive!" People thoughtlessly blurt out information like this all the time, even when they should know better! The weakest link in security is humans, not technology! Random, having what he needs, replies, "no, that's not it," and hangs up, leaving the human resources representative baffled, but none the wiser. She does not warn Sue because she does not know that she has reason to do so.
Our hypothetical attacker now knows our hypothetical victim's full name and the exact location of her workplace. He can further aggregate information to carry out any kind of attack that he wishes. He could casually ask Sue about her car, so that he can identify it in the parking lot and slash its tires. He could wait in the parking lot and do much worse. Or, he could just be annoying, but you never know.
Other users on the Internet are real people, and as such, some of them are smart, dangerous, and determined, with unknown grudges and inscrutable motives. Please follow our safety guidelines in order to protect yourself.