
Stanford Researchers Find Connecting Metadata With User Names is Simple - zellio
https://threatpost.com/stanford-researchers-find-connecting-metadata-with-user-names-is-simple/103272
======
alexdevkar
Interesting research that seems directionally true, but I wonder if this
overstates the case. The sample set is people who are willing to download an
Android app and share data with Stanford researchers. Those people likely have
more info online than the average person.

~~~
NSA_Research
Hey. One of the authors here. Our data set for this experiment is not the set
of numbers owned by people willing to download the app, but the set of numbers
that they have called and received calls from. This means that a large amount
of the data set is things like spam numbers, voicemail numbers, and customer
service numbers. Its not too hard to figure out that you bank with Bank X if
you are receiving Two Factor Authentication texts from them, for example.

There are potential biases in the data set, but we don't think that they
dramatically affect the results that we are seeing. Your mother probably
receives spam phone calls and reminder texts from airlines just like I do.

~~~
dobbsbob
The article only seems to suggest you matched names to phone numbers by
googling or paying to look them up, I read nothing about meta research of
putting together profiles of people based on data/sms traffic and calls they
received.

A future project you guys should attack Basebands and see what kind of evil
you can do because our govts are already doing it to track us

~~~
NSA_Research
The reporting on our work has been of mixed quality. Check out our actual
blog-post here: [http://webpolicy.org/2013/12/23/metaphone-the-nsas-got-
your-...](http://webpolicy.org/2013/12/23/metaphone-the-nsas-got-your-
number/?utm_source=rss&utm_medium=rss&utm_campaign=metaphone-the-nsas-got-
your-number) for more accurate details.

We used data collected from voluntary users' phone logs as our phone number
data set. This means that if Joe called number X a few weeks ago and then
decided to participate in our study, number X was in our database. We then
used a couple techniques too see how well we could identify who number X
belonged to.

We didn't put together actual profiles of users, though that is a possible
next step. However, I think it is clear that putting together profiles of
users is possible given how easy it is to identify who you are calling and
receiving calls from.

------
malandrew
I'd love to see an analysis of the other 9 they could not match to see what
traits they share in common that make them difficult to analyze.

