What’s in a Name (and a Number)?
“I was just doing it to tease her, basically.”
It was a harmless tweet. A girl named Brooklyn from Prosper, Texas, sent a picture to her friend Alanna in reply to one of many tweets about a cute boy Alanna had seen while shopping at a big-box store in nearby Frisco. Then something fundamentally unknowable happened: the mysterious Internet phenomenon of going viral.
Viruses reproduce by sending their DNA into a host cell, leaving the infected host, now itself a virus, to find another host cell for further reproduction. On the Internet, that process of cellular invasions and osmosis happens to users rather than cells, and it happens very fast. The DNA can be anything—a hilarious video or an unexpected quip harnessed to a snapshot. On November 2, 2014, the DNA was Brooklyn Reiff’s week-old picture of a teenage boy named Alex Lee, tweeted as a playful fillip to her friend’s obsession.
How did Brooklyn’s sneaky shot of Alex Lee invade an entire population, replicating her friend Alanna Page’s crush in one user after another?
You might call it theft. In fact, there were a lot of little robberies—and they added up. The first one happened when Brooklyn went beyond the act of stealing a glimpse of the checkout boy, and snapped his picture. The young man in question didn’t pose for the picture. He had no idea that a picture had been taken. Certainly, no modeling release was signed. He was just there, doing his job.
Lesson Number One: In the world of Big Data, with mobile, Internet-connected cameras in every pocket, we are always just a few clicks away from being everywhere. The young man whose picture went viral got a real-life taste of that fact when his total lack of privacy became apparent; he became an Internet sensation by doing nothing but bagging products at the checkout counter.
More than 500 million photographs are uploaded to major websites every day. More than 2 billion pictures are taken on mobile devices every day. Factor in webcams and other surveillance devices, and the chances that your image isn’t somewhere on the Internet are right up there with becoming the next Dalai Lama.
Alex Lee experienced one of these countless daily intrusions that happen in our social media–obsessed society. He won the jackpot in the “privacy is on life support” sweepstakes. It didn’t matter that he was tending to his own business. His existence created the potential for a transaction—one that required neither his consent nor his participation. The snapping of his picture underscored a simple reality: If you’re out in the world, the world can look at you. And if the world has a smartphone, it can snap, store, share, and reshare you, all in just a few taps, each one a little theft of your face, your identity, your self.
In this particular instance, someone grabbed Brooklyn’s snapshot from her Twitter account and put it on another social networking site, Tumblr. Brooklyn had no idea. Meanwhile, the picture started replicating on Twitter accounts. While the complexity of the picture’s distribution was at least potentially knowable, it was in no way controllable. The million “little thefts” that made Alex Lee famous are metaphorical. No court of law would rule that Brooklyn’s actions, or any of the actions of other people who retweeted her photo, rise to the level of theft. But, well, you get the picture—as did millions of people around the world.
Needless to say, Alex Lee had no idea any of this was happening. He hadn’t done anything wrong or unusual. There were no regrettable posts, no questionable sites visited, no malware behind it all. His phone wasn’t even powered on when the month-long distribution of his image reached critical mass the following Sunday sometime during the Cowboys-Packers game. It was right after that game that Brooklyn first noticed something was afoot on Twitter. She started getting mentioned in posts even though she didn’t have very many followers. Her surreptitious shot of Alanna’s crush with the waterfall of Justin Bieber hair was getting love from people she didn’t know. Among those taking a shine to the checkout boy was a teenager in the UK who had liberated the picture of Alex from a Tumblr user, who had pinched it from Brooklyn’s original reply tweet to her friend Alanna. The British girl’s tweet was simple: “YOOOOOOOOOO.”
Desirable information goes wherever it’s wanted.
A long line formed at Alex Lee’s checkout station. It was filled with giggling girls. The reason Alex had turned off his phone was the banal stuff of disorganized people everywhere—no charger, low battery, and needing to get in touch with his parents when his shift was over so they could come pick him up. It was his manager—a senior in high school—who told him what was going on, showing him the picture that had started to go viral. By the time he turned on his phone in the front seat of his mother’s Mercedes at the end of his shift, he had more than 100,000 followers, virtually all of whom were new that day. That number would triple before the end of the twenty-four-hour clickstorm set off by the Twitter user named @_twerkcam, who retweeted the “YOOOOOOOOOO” tweet with the hashtag that launched a million mentions—#AlexFromTarget. Brooklyn Reiff’s picture had gone viral.
Alex’s first tweet was a bit disingenuous. “Am I famous now?” he wrote. That of course got retweeted 42,000 times and was favorited by more than 86,000 users. The hashtag became a trending topic, and talk show host Ellen DeGeneres used it, tweeting, “Hey #AlexFromTarget, it’s #EllenFromEllen.”
Something else happened, too. According to the New York Times, Alex Lee received death threats against him and his family. He had to change his phone number because someone had leaked it—or his phone was hacked. The device failed, unable to keep up with all the texts that came streaming in.
YOOOOOOOOOO. There is no such thing as harmless personal information.
These last details of the #AlexFromTarget story got precisely one buried paragraph in the Times. Regardless, though, they highlight the nature of the identity theft problem.
It’s important to point out at the outset that it’s highly unlikely the Lee family was singularly lax about their personally identifiable information (PII). They didn’t do an Edith Byrd, the woman who famously held up her Medicare card during Bill Clinton’s speech at the Democratic National Convention in 2012, showing millions of potential identity thieves her name, enrollment date (the next best thing to a date of birth), and Social Security number. The Lee family’s information was likely already “out there”—either on the so-called dark web, where dangerous hackers trade other people’s secrets for money (or Bitcoins), or on a public-facing database. The reality illustrated in the breach of the Lee family is very simple, and should be a guiding principle in the way you think of your personally identifiable information: The only thing a hacker really needs to get your PII is a little motivation.
The Lee family’s personal information was leaked online within hours of the viral explosion of #AlexFromTarget, and the cache of exposed data included some serious digits: bank account numbers, Social Security numbers, and phone records. Worried about the safety of Alex and his five siblings, his parents spent many frenzied hours reaching out to school officials, the police, and security companies.
You Get Around
If you look at Brooklyn Reiff’s Twitter account now, it says, among other things, “I want a Jeep to mud in.” She is an ordinary Texas teenager. Alanna Page is still posting pictures of cute guys. Alex Lee, however, has ceased being an ordinary teenager. Those humble checkout boy days behind him, he now has more than 700,000 followers on Twitter, and a Gmail account set up for business. Ellen DeGeneres had him on her show, and gave him an iPad so he could tweet more. One would imagine a free Jeep to go mudding in could be his for the asking. A typical tweet informed followers: “Eating pizza and watching Netflix all day.… Best day ever.” With a national tour scheduled where Alex will do nothing more than appear—he has no special talents—it seems logical to wonder if Netflix paid to be a part of Alex’s perfect Sunday.
Alex’s story reveals something normally left obscure. It chronicles the way information moves around—in this instance how a tweet about a checkout boy’s cuteness turned into photographic evidence of the same, which then got grabbed by random users of social media until it was flicked into the upper climes of the Twittersphere by the fluke of a superuser who just happened to be online at the precise moment when the picture started taking flight—a case of the right tweet in a perfect alignment of tweeps.
Alex Lee’s story is also a good example of what we might call “information unicity.” The Merriam-Webster dictionary defines unicity as “the quality or state of being unique of its kind.” Information unicity is the trail of breadcrumbs we all leave on the Internet. This trail allowed tweeps and journalists alike to figure out that Alex Lee of Frisco, Texas, was #AlexFromTarget. If you know how to look for it, you can find time stamps, locations, and other data that leads all the way back to Alanna Page’s tweet, “hello alex check out boy @ target.” Many different arrangements of particular kinds of information can point to the same person, place, or thing, and that’s how Alex Lee and his family got hacked.
Alex from Target, of course, is an actual young man, but mostly he’s just #AlexFromTarget, an idea more than a person, something people talk about on social media. He could be a person or a marketing promotion or something in between—but it hardly matters. To data sleuths and cyberslime alike, he’s just another potential source of value, another identity to mine for profit. And he’s a lot easier to dig up than buried gold.
The first thing to try is finding the source of the meme and working outward. Let’s say the photo of Alex Lee wasn’t geotagged, no other identifying information was embedded in the photograph, and location services were turned off on both girls’ Twitter accounts. None of that stuff is necessary. We already know Alex works at Target; it’s pinned to his shirt. Going back to the originating tweet, we see that Alanna Page is from the Dallas area, and Brooklyn Reiff is from Prosper. Using those two data points alone—where Alanna and Brooklyn live—anyone who wanted to find Alex could have done so easily by entering Prosper into Target’s online store-locator tool. The closest Target: Frisco.
Unless you live on a primitive, deserted island, you almost certainly have identifying data, your digital fingerprints. This data, your information unicity, is what distinguishes you from anyone else. It’s how a line of teenage girls located Alex Lee’s checkout counter, and how the death threats found their way to Alex’s home. It’s also how the Lee family’s Social Security numbers got leaked along with Alex’s mobile phone number. Numbers, dates, schools attended, clubs, hobbies, race results, family and friends—they all can be used to pin a name to the disparate facts that comprise us on paper. Our personally identifiable information is everywhere, and of course there are people who make money deploying the information unicity of complete strangers. They are good at cobbling together different clusters of information that point at you, and only you, and then using that information to get more information, until they can convince someone in a position to hand over goods or services (or someone who approves credit applications) that they are you, and “you” want whatever it is your identity thief desires.
Social Media Can Get You Got
Facebook and other social media sites can be an identity thief’s El Dorado (not to be confused with Eldorado Parkway in Frisco, Texas, where Alex Lee worked at Target).
The more you share about your life, the more opportunities an identity thief has to piece together what might be your response to security questions and zero in on zeroing out your financial resources.
In this new information landscape, everyone is a celebrity. It doesn’t matter who you are, and the only reason everyone hasn’t become a victim of identity-related crime is the backlog. If you are in any way plugged into the commerce of daily life, your information is out there, and no matter how scrambled and scattered it is, there is someone out there who can make enough sense of it to obtain goods and services (or credit) in your name.
You may be surprised to learn that some of your personal information is publicly available, including possibly detailed lists of items or services you’ve purchased with a credit or debit card.
Large-scale studies depend on huge data sets comprised of the behavior of thousands of consumers that is collected when we use our smartphones, credit cards, Internet browsers, and many other conveniences of modern life. That information can be utilized for a variety of purposes ranging from assessing traffic patterns to decrease congestion during rush hour to predicting and controlling outbreaks of infectious diseases. These metadata sets are always anonymized. That means you are not you. Names, account numbers, and IP addresses—all the simple stuff that identifies you—are stripped away because they aren’t necessary for most of the determinations made by crunching the numbers. It’s all about seeing trends and patterns. Companies like Amazon and Facebook use the same kinds of data to serve you content that is most likely to interest you. The main point is that the use of your information is for good, not evil.
Except when it isn’t.
The problem is that information can be misused. Sometimes you don’t know anything’s wrong until you’re making a purchase at a checkout counter and your credit card is declined, or you get a phone call at your home in Nantucket (“Can you confirm a purchase of $502.35 at BJ’s Wholesale Club in Honolulu?”), or you are buying a car or trying to refinance your house and learn that your credit score is too low—shot to hell by a process that didn’t happen on Twitter or Facebook, but that may have been aided by the things you shared there.
Trust but verify: Anonymized data is publicly available because it’s thought to be safe, but it may not be as anonymous as you think.
Your undoing happened in less public forums, many of them tucked away on so-called deep web sites or on the dark web (about which more later). It was your Social Security number, or some combination of seemingly harmless information like your email address, your mother’s maiden name, and your birthday, that gave a criminal just enough information about you so that he or she could poke around social media and glean the kinds of information that show up in security questions, like where you’ve lived, what companies you’ve worked for, the names of pets past and present, and schools attended or their mascots.
Alex from Target’s story is a parable about the ways in which we’re all exposed. It’s about the myriad ways we are vulnerable—financially or personally—and how woefully unprotected we are against various kinds of intrusion.
As the reach of social media extends to ever more remote segments of the market, anyone who cares to take a look can with relative ease become acquainted with the particular aspects of your life that banks and other financial institutions use to determine your unicity—that you are who you claim to be—before green-lighting a transaction. While the process of how something goes viral is fundamentally unknowable, a forensic approach can reveal how a particular viral message or meme traveled from point of origin to tipping point. Unfortunately, that forensic approach only works after the fact in a postmortem examination.
We Are All Already Exposed
The pieces of your information puzzle are out there waiting for the wrong person with the right skills to piece together your digital “you” and use it to defraud you.
As Brooklyn said in an interview with Yahoo shortly after #AlexFromTarget entered the popular lexicon, “This shows you how fast something can go viral. It’s, like, scary. It really is. Because if you say one wrong thing your life could be over, basically.”
If the wrong person gets his or her grubby little fingers on your private information, Brooklyn is absolutely right: “Your life could be over, basically.” If that seems like hyperbole, put it this way: Your life as you now know it could well be over. Alex Lee’s parents know this firsthand, even as their son goes on to reap the random fortune that the Twittersphere laid at his feet.
The chances that you are reading this book right now just for fun and have not yet become a victim of some form of identity-related crime are declining by the minute. Worse yet are the chances that at least some of your personally identifiable information hasn’t already been either used to commit a crime (this would include one of those phishing emails that regularly wind up in your inbox or trash folder) or bundled with other kinds of information to be sold in a criminal transaction. Major data breaches are now commonplace.
Credit card numbers get stolen all the time. You get those phone calls informing you that a new card is in the mail, and it’s no longer even alarming. It’s just the way things are. But credit card fraud is sometimes just the beginning. In the right (or wrong) hands, the Lee family’s Social Security numbers were worth a pretty penny, and really could have forever changed the fate of that family. That discrete arrangement of nine digits is to personal information what DNA is to your body. Using nothing but bank account information and these essential digits, a tremendous amount of damage can be done.
The “virus” of identity theft relies on cracking your information unicity. It needs you to be you when it drills down into the personal information “DNA” that comprises who you are financially, because everything it can grab requires an accurate impersonation of your digital persona. Unicity is necessary to this kind of fraud. Ironically, the instant stardom Alex Lee experienced was probably the only reason serious damage wasn’t inflicted on him and his family. They were under siege because of the #AlexFromTarget hashtag, which placed them on high alert, so they found out quickly when they were compromised.
For most of us, the most essential fact of our digital lives is embedded in the Alex Lee story: You’re going to get got. But instead of a sip at the fountain of fame and a chance to monetize a no-longer-trending hashtag on Twitter, you may be ruined. The point is that our level of exposure is the same as Alex’s when he was an anonymous teenager working at Target in Frisco, Texas. Our most sensitive personally identifiable information is already in the wrong hands—so we need to be as vigilant as if we were overnight celebrities. We can’t wait to become the victims of serious, and sometimes prolonged, fraud.
You are your Social Security number. Consider for a moment all the places that have those nine digits, from memberships dating back to your childhood, to old jobs at places that probably stored your personnel file in a storage facility—or sent it to a landfill—to doctors, health insurers, and accountants. Then consider the major breaches of recent years—and the not so major breaches at smaller organizations that never made the nightly news. There is no way to know whether your Social Security number has been sold, stolen, or both. But it probably has.
Your Social Security number is the skeleton key to your finances past, present, and future.
There are as many ways for your personal information to wind up in enemy territory as there are databases and filing cabinets that store your personal information. Data breaches are an increasingly common way for your information to get out there. The 2013 Target breach exposed the financial and personal information of perhaps as many as 100 million people. Then came the aftershocks—reports in January 2014 of similar hits at Sally’s Beauty and Neiman Marcus. There was another big breach at White Lodging, the giant hotel and restaurant management chain. There were still more breaches at Home Depot, Adobe, JPMorgan Chase, eBay, and others. Then came the Sony hack, which not only exposed the personally identifiable information of tens of thousands of Sony employees and stars, but actually forced the company to initially cancel the theatrical release of what was supposed to be their big Christmas movie, The Interview, after major theaters decided it was too risky to show the film. The hits keep coming. In January 2015, headlines screamed that some 80 million customers of Anthem were exposed in a giant breach. In March 2015, Premera began notifying 11 million members that personal information (including Social Security numbers and medical records) had been exposed by persons unknown. In June 2015, the Office of Personnel Management, in effect, the human resources department of the United States, announced perhaps the most devastating breaches of all with anywhere between 18 and 32 million (possibly higher) records involved—including millions of background checks for present and former government employees, contractors, family members of candidates, and even their friends. Numbers don’t lie. Since 2005, more than a billion sensitive records with personally identifiable information have been leaked. That information is not unified. It is not organized. It is most likely in the hands of several different criminal enterprises that have bought and sold it multiple times. 
Regardless, it is out there, and there are people who make a seriously good living working on the puzzle of personally identifiable information that is available, piecing it together into useable blocks of reidentified information that can be used in the commission of fraud.
An example of the myriad ways data can be used by criminals comes from a report in Science Magazine, which revealed the soft underbelly of what was once considered a well-armored use of “anonymized” consumer information. As it turns out, it’s not so well armored after all. In fact, anonymized data may offer no more protection than you’d get by leaving your Social Security card in plain view in a good neighborhood. All that seems to matter is whether someone with bad intentions gets hold of it.
The study’s authors were able to successfully identify consumers based on several anonymized data sets. Using publicly available metadata with no credit card numbers, names, or any other identifiers, the report’s coauthors were able to connect a specific person to specific purchases using just three factors: a receipt, an Instagram post, and a Tweet about a new purchase or a Facebook post that included the location of a favorite bar or a restaurant frequently visited. And in case you’re wondering if this was some kind of fluke or exceptional case, lead author Yves-Alexandre de Montjoye was successful more than 90 percent of the time.
The discovery that two or three purchases in a metadata set containing millions of transactions can be pegged to a specific person raises a rather obvious question as to whether data sets that track large-scale human behavior should be made available to the public.
Anonymized data helps scientists figure things out. It’s the social information equivalent of being an organ donor, only less severe and completely involuntary. Because it involves only random pieces of your story that have been excised from anything that might be linked to you, it’s supposed to be okay. But at least when you donate an organ, you’re helping another person. The “doctors” who harvest your data don’t have MDs, and they aren’t necessarily going to use your specific information to fix anything. Many of them just want your information so they can better understand how to make money from you.
It’s easier than it looks to find the people behind anonymized data—including you.
Details about purchases, phone calls made, places visited—stripped of the identifiers (such as account numbers, IP addresses, email accounts, names, addresses, and credit card numbers) that connect them to specific people—are regularly used by the government, private researchers, and consumer-facing enterprises. These so-called metadata sets contain detailed information regarding the media large groups of people regularly consume, where we’ve been, what we did when we were there, what food we like, what sorts of illnesses we’ve contracted as a result, and how we got better (or didn’t). In theory, these huge samples of human behavior could hold the key to addressing many kinds of problems—everything from the way we fight diseases and feed the world’s population to how we find the best deal on a new car or the fastest commute from Point A to Point B. Metadata is also used to stop identity thieves from using purloined credit card information—specifically by monitoring purchases and sounding the alarm when something doesn’t match the purchasing history for a particular credit card holder.
And all this is OK because your information—scrubbed and swept and disconnected from your personal identity—is being used for good, not evil. At least, that’s how it works in theory.
This is one reason that it would be a mistake to stop collecting anonymized data, or even to stop publishing it. As the author of the study, Yves-Alexandre de Montjoye, explains, “The transformational potential of metadata data sets is … conditional on their wide availability.” Scientists need whatever data they are using to be available to their peers so that their work can be checked and verified, challenged and improved. Progress requires it. According to the report, “Several publishers and funding agencies now require experimental data to be publicly available.” So, increasingly, data of all kinds is available publicly. Just as it should be.
The real problem is not that this data is public—it’s that it’s not truly anonymous. That’s what de Montjoye’s study really proved.
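To make "not truly anonymous" measurable, here is an added example (not from the book or from the Science study) of the check a data publisher can run before releasing a purchase data set: how often do a few known purchases match exactly one pseudonym? The records, the pseudonyms p1 to p5, the DISTRICT mapping and the seven-day bucket are all constructed for illustration, and coarsening dates and locations is only one assumed way of making a data set harder to decode.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: (pseudonym, day_number, shop). There are no names or
# card numbers here, which is what an "anonymized" purchase set looks like.
RECORDS = [
    ("p1", 1, "bakery_a"), ("p1", 3, "gym_a"), ("p1", 9, "bar_a"),
    ("p2", 1, "bakery_a"), ("p2", 4, "gym_b"), ("p2", 10, "bar_b"),
    ("p3", 2, "bakery_b"), ("p3", 3, "gym_a"), ("p3", 10, "bar_b"),
    ("p4", 2, "bakery_b"), ("p4", 4, "gym_b"), ("p4", 9, "bar_a"),
    ("p5", 15, "bakery_a"), ("p5", 16, "cinema"), ("p5", 17, "bar_a"),
]

# Assumed generalization hierarchy: every shop is replaced by its district.
DISTRICT = {
    "bakery_a": "north", "bakery_b": "north",
    "gym_a": "center", "gym_b": "center", "cinema": "center",
    "bar_a": "south", "bar_b": "south",
}


def build_traces(records):
    """Group records into one set of (time, place) points per pseudonym."""
    traces = defaultdict(set)
    for pseudonym, when, where in records:
        traces[pseudonym].add((when, where))
    return dict(traces)


def matching_pseudonyms(traces, known_points):
    """Return every pseudonym whose trace contains all of the known points."""
    known = set(known_points)
    return {p for p, trace in traces.items() if known <= trace}


def unicity(traces, n_points):
    """Average, over pseudonyms, of the share of n-point subsets of a trace
    that match that pseudonym and nobody else (1.0 = always singled out)."""
    scores = []
    for pseudonym, trace in traces.items():
        subsets = list(combinations(sorted(trace), n_points))
        if not subsets:
            continue  # trace is shorter than n_points, nothing to test
        unique = sum(
            1 for s in subsets
            if matching_pseudonyms(traces, s) == {pseudonym}
        )
        scores.append(unique / len(subsets))
    return sum(scores) / len(scores) if scores else 0.0


def coarsen(records, days_per_bucket=7):
    """Reduce resolution: day -> week bucket, shop -> district."""
    return [
        (pseudonym, day // days_per_bucket, DISTRICT[shop])
        for pseudonym, day, shop in records
    ]


def report():
    """Unicity for 1 and 2 known points, before and after coarsening."""
    views = {
        "raw": build_traces(RECORDS),
        "coarse": build_traces(coarsen(RECORDS)),
    }
    return {
        (label, n): unicity(traces, n)
        for label, traces in views.items()
        for n in (1, 2)
    }


if __name__ == "__main__":
    for (label, n), value in sorted(report().items()):
        print(f"{label:6s} known points={n}  unicity={value:.2f}")
```

In this sample no single purchase by p1 to p4 is unique, yet any two of their purchases single them out, so unicity rises from 0.2 to 1.0 with a second known point. Coarsening brings the two-point figure back to 0.2, and what remains is p5, whose shopping pattern is unusual enough to stay exposed at the coarser resolution.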
Social Media Posts That Can Get You Got
Here’s something else it showed: Social media can make your identity much easier to crack. Remember that de Montjoye used posts from Instagram, Facebook, and Twitter to triangulate the identities of people in his sample metadata sets. But the problem doesn’t end there. Whatever you put out there can be seen by people who may have a particular crime in mind for you based on what you post.
Does the Science study mean that the government should shut down the public’s access to metadata sets? I don’t think so. There is too much to gain from that information remaining publicly available. Does it mean everyone should stop using social media? Again, not so far as I can tell. The new data landscape brings great rewards, but also new risks. Organizations can do their part by finding ways to make metadata sets harder to decode. You can help yourself by not using social media to broadcast your purchases, your location, or other identifying facts. Or, if that’s too much of a sacrifice, here’s another option: You can still post that stuff, but think like a thief, and then make your posts (or at least some of them) inaccurate. Cover your tracks not by sweeping them away, but by making too many to follow.
This is a sound strategy, but remember it’s not a solution. There is no solution; there are only best practices and knowledge. Even if you do everything right, you need to assume that your information has been (or will be) used against you. Your job is to be like Alex Lee’s family: on high alert. That way, you can detect the scam before it causes real damage.
It doesn’t matter who you are. It doesn’t matter how many transaction alerts are set up. The only reason everyone hasn’t become a victim of identity-related crime is that the bad guys just haven’t gotten around to them yet.
Think of this as a bandwidth issue: There simply aren’t enough identity thieves to harvest all the lost and free-floating information that’s out there. It pays to be paranoid here. Assume that the bad guys figured out de Montjoye’s method of reidentification long ago—or something that works just as well.
The bottom line: If you are in any way plugged into the commerce of daily life, your information is out there, and it is only a matter of time before you become a victim of an identity-related crime. But while this seems like a problem (and it sure is), it’s not the end of the world. It’s a situation that can be handled.