Disaster LLMs can unmask pseudonymous users at scale with surprising accuracy - Pseudonymity has never been perfect for preserving privacy. Soon it may be pointless. -- FULLY DOXXED

archive

Burner accounts on social media sites can increasingly be analyzed to identify the pseudonymous users who post to them using AI in research that has far-reaching consequences for privacy on the Internet, researchers said.

The finding, from a recently published research paper, is based on results of experiments correlating specific individuals with accounts or posts across more than one social media platform. The success rate was far greater than existing classical deanonymization work that relied on humans assembling structured data sets suitable for algorithmic matching or manual work by skilled investigators. Recall—that is, how many users were successfully deanonymized—was as high as 68 percent. Precision—meaning the rate of guesses that correctly identify the user—was up to 90 percent.

I know what you posted last year​

The findings have the potential to upend pseudonymity, an imperfect but often sufficient privacy measure used by many people to post queries and participate in sometimes sensitive public discussions while making it hard for others to positively identify the speakers. The ability to cheaply and quickly identify the people behind such obscured accounts opens them up to doxxing, stalking, and the assembly of detailed marketing profiles that track where speakers live, what they do for a living, and other personal information. This pseudonymity measure no longer holds.

“Our findings have significant implications for online privacy,” the researchers wrote. “The average online user has long operated under an implicit threat model where they have assumed pseudonymity provides adequate protection because targeted deanonymization would require extensive effort. LLMs invalidate this assumption.”

1772651091902.png
An overview of the pseudonymous stripping framework.

The researchers collected several datasets from public social media sites to test the techniques while preserving the privacy of the speakers. One of them collected posts from Hacker News and LinkedIn profiles and then linked them by using cross-platform references that appeared in user profiles. They then stripped all identifying references from the posts and ran a large language model on them. A second dataset was obtained from a Netflix release of micro-identities, such as individual preferences, recommendations, and transaction records. A 2008 research paper showed that using what has come to be known as the Netflix prize attack, the list could identify users and ID their political affiliations and other personal information. The last technique split a single user’s Reddit history.

“What we found is that these AI agents can do something that was previously very difficult: starting from free text (like an anonymized interview transcript) they can work their way to the full identity of a person,” Simon Lermen, a co-author of the paper, told Ars. “This is a pretty new capability; previous approaches on re-identification generally required structured data, and two datasets with a similar schema that could be linked together.”

Unlike those older pseudonymity-stripping methods, Lermen said, AI agents can browse the web and interact with it in many of the same ways humans do. They can use simulated reasoning to match potential individuals. In one experiment, the researchers looked at responses given in a questionnaire Anthropic took about how various people use AI in their daily lives. Using the information taken from answers, the researchers were able to positively identify 7 percent of 125 participants.

1772651127097.png
End-to-end deanonymization from a single interview transcript (with details altered to protect the subject’s identity). An LLM agent extracted structured identity signals from a conversation, autonomously searched the web to identify a candidate individual, and verified the candidate matched all extracted claims.

While a 7 percent recall is relatively low, it demonstrates the growing capability of AI to identify people based on very general information they gave. “The fact that AI can do this at all is a noteworthy result,” Lermen said. “And as AI systems get better, they will likely get better at finding more and more identities.”

In a second experiment, the researchers gathered comments made in 2024 from the r/movies subreddit and at least one of five smaller communities: r/horror, r/MovieSuggestions, r/Letterboxd, r/TrueFilm, and r/MovieDetails. The results showed that the more movies a candidate discussed, the easier it was to identify them. An average of 3.1 percent of users sharing one movie could be identified with a 90 percent precision, and 1.2 percent of them at a 99 percent precision. With five to nine shared movies, 90 percent and 99 percent precision rose to 8.4 percent and 2.5 percent of users, respectively. More than 10 shared movies bumped the percentage to 48.1 percent and 17 percent.

1772651164483.png
Recall at various precision thresholds.

In a third experiment, the researchers took a set of 5,000 Reddit users. The researchers added 5,000 “distraction” identities of Reddit users to the candidate pool. The researchers compared their method to the older Netflix prize attack. They then added to the list of 10,000 candidate profiles 5,000 query distractors comprising users who appear only in a query set, with no true match in the candidate pool.

Compared to a classical baseline that mimics the Netflix prize attack to LLM deanonymization, the latter far outperformed the former.

1772651186145.png

The researchers wrote:

(a) The precision of classical attacks drops very fast, explaining its low recall. In contrast, the precision of LLM-based attacks decays more gracefully as the attacker makes more guesses. (b) The classical attack almost fails completely even at moderately low precision. In contrast, even the simplest LLM attack (Search) achieves non-trivial recall at low precision, and extending it with Reason and Calibrate steps doubles Recall @99% Precision.
The results show that LLMs, while still prone to false positives and other weaknesses, are quickly outstripping more traditional, resource-intensive methods for identifying users online.

The researchers went on to propose mitigations, including for platforms to enforce rate limits on API access to user data, detect automated scraping, and restrict bulk data exports. LLM providers could also monitor for the misuse of their models in deanonymization attacks and build guardrails that make models refuse deanonymization requests.

Of course, another option is for people to dramatically curb their use of social media, or at a minimum, regularly delete posts after a set time threshold.

If LLMs’ success in deanonymizing people improves, the researchers warn, governments could use the techniques to unmask online critics, corporations could assemble customer profiles for “hyper-targeted advertising,” and attackers could build profiles of targets at scale to launch highly personalized social engineering scams.

“Recent advances in LLM capabilities have made it clear that there is an urgent need to rethink various aspects of computer security in the wake of LLM-driven offensive cyber capabilities, the researchers warned. “Our work shows that the same is likely true for privacy as well.”

About the Author...

Dan Goodin

Senior Security Editor
dan.goodin@arstechnica.com
1772651259659.png

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. A journalist with more than 25 years experience, he has been chronicling the exploits of white-hat, grey-hat and black-hat hackers since 2005 as a reporter for the Associated Press and later, The Register. He has a Bachelors Degree in English from the University of Massachusetts and a Masters of Journalism from UC Berkeley. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Based in San Francisco, Dan can receive encrypted messages over Signal at DanArs.82. You can find him on Mastodon at here and on Bluesky at here.
 
No one is actually using LLM's to "get you"
To be fair, we did with Jake Alley a number of times, but that's simply because the fat gnome is the only person online to use the archaic word "yon" regularly in their writing. He was a terrible writer, but nigger always found a way to force it into a paragraph no matter how small the contribution.
 
But what if someone were to say, lie about living in Colorado and trading securities for a living? What then?

Actually I'm being crazy. No one would ever come up with a fake backstory to use online.
My MOS is 37F btw
 
I don't think it matters. The mob isn't looking for magic to burn you as a witch. A bent candle holder will suffice.

Do you really think they care if people are innocent?
 
All you have to do is lie consistently. Not even about big stuff. If I spend two years repeatedly bringing up my Border Collie named Buster, an LLM is going to assume that's very important to me and start looking for other accounts with a Border Collie named Buster. However, Buster does not exist. Maybe I have a dog. Maybe I even have a Border Collie. But poisoning the data just that tiny bit has made me exponentially more difficult to track.
I used to think poisoning the dataset was necessary, but I think it's even simpler than that. Just deny everything. Not explicitly, because that leads to liability at times. But still, just say you've been accused of being a dozen or so random pseudoanonymous accounts in the past but none of them are you. They're maybe similar but that's coincidence.

Employers can't afford to boot people based on these dumb accusations all the time. The lynch mob can only play this card for a little bit before it's burned out.

I think we've already started to pass the viability of social media canceling. I think we're on the downslope.
 
I used to think poisoning the dataset was necessary, but I think it's even simpler than that. Just deny everything. Not explicitly, because that leads to liability at times. But still, just say you've been accused of being a dozen or so random pseudoanonymous accounts in the past but none of them are you. They're maybe similar but that's coincidence.

Employers can't afford to boot people based on these dumb accusations all the time. The lynch mob can only play this card for a little bit before it's burned out.

I think we've already started to pass the viability of social media canceling. I think we're on the downslope.

Yeah just ignore it. Don’t apologize, don’t admit to anything, just roll your eyes/laugh and move on.

Give an “accusation of being a faggot on the Internet” exactly the derision it deserves. Who tf cares.
 
Yeah just ignore it. Don’t apologize, don’t admit to anything, just roll your eyes/laugh and move on.

Give an “accusation of being a faggot on the Internet” exactly the derision it deserves. Who tf cares.
Agreed.

And the important thing is that there's a price tag on businesses caring about it. They care about it a little and then really stop caring because it becomes expensive to care. Ask Bud Lite and Target.
 
Agreed.

And the important thing is that there's a price tag on businesses caring about it. They care about it a little and then really stop caring because it becomes expensive to care. Ask Bud Lite and Target.

Yes but really don’t fuck around with anything about your employer. Don’t leak confidential information or shit talk them or whatever. If you do, make an entirely new account because they DO care about that stuff lol
 
Yes but really don’t fuck around with anything about your employer. Don’t leak confidential information or shit talk them or whatever. If you do, make an entirely new account because they DO care about that stuff lol
Oh I'm just saying that if my employer ever bumrushes me with "you're that pickle man who says faggot and retard online" I say "prove it" and it dies on the table.
 
Unless one is a journo or blogger or goes on long boomer proclamations on facebook, there wouldn't be a lot of real-name writing style samples to compare to the shitposting dataset ”-nigger” right?


I mean if you didn't make it real easy and give enough away over the years about your town, age, limited edition ferrari color etc.
 
Damn I would be real worried about this if I posted anywhere else at all at any point in the last ten years.

Imagine using "social media" lmfao.
 
Atrás
Top Abajo