Bloggers and online activists who shroud their digital identities may not be as anonymous, or safe, as they believe.
In a proof-of-concept hack called a "Reverse Lookup," security researcher Andy Baio took a random sample of 50 anonymous blogs, and, in less than 30 minutes, revealed the identities — names, addresses, employers and photos — of seven blog authors.
On his website, Waxy.org, Baio explained that lifting the bloggers' veil of anonymity was not a highly technical exploit; all he needed to expose them was Google's simple, free and ubiquitous search engine optimization tool, Google Analytics.
Baio discovered that even when bloggers took all the necessary steps to obfuscate themselves, blogging from a different IP address than their other sites and hiding personal information in the domain record, they often used the same Google Analytics ID across several of their sites, making themselves easily traceable.
"Hundreds of thousands of people can share an IP address on a single server and domain information can be faked, but a shared Google Analytics is solid evidence that both sites are run by the same person," Baio wrote.
Baio detected bloggers' identities by using eWhois, a free service that enables reverse lookups of Google Analytics IDs. This service can be used to suss out so-called "anonymous" users' IDs on non-Google-owned sites as well, including Tumblr, Typepad and Blogger.
In his hack, Baio uncovered the identity of a member of the Anonymous hacking group, tracing the owner's identity back to a consulting firm. He also discovered the name and home address of a San Diego man speaking out on his blog about Mexican drug cartels. In both cases he notified the blog authors and let them know they are not as anonymous as they think.
"Unmasking an anti-Mac blogger may not be life-changing, but if you're an anonymous blogger writing about Chinese censorship or Mexican drug cartels, the consequences could be dire," he wrote.
If you want to ensure your online anonymity, Baio suggests not using Google Analytics or any other embedded third-party service. He also recommends turning on "domain privacy" with your IP registrar and not sharing IP addresses across different blogs.
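A self-check for the mistake described above, as an added example that is not from Baio's write-up: it scans the HTML of sites you run for classic `UA-<account>-<property>` IDs and reports any site that shares an Analytics account with the blog you want kept separate. It compares the account number rather than the whole ID, which goes slightly beyond the article's "same ID" case; the function names, site labels and IDs in the sample are constructed.

```python
import re
from collections import defaultdict

# Classic Google Analytics property IDs look like UA-<account>-<property>.
# Every property under one account carries the same <account> number.
UA_ID = re.compile(r"\bUA-(\d{4,10})-(\d{1,4})\b", re.IGNORECASE)

def analytics_accounts(html):
    """Return {account_number: {full IDs}} found in one page's HTML."""
    found = defaultdict(set)
    for m in UA_ID.finditer(html):
        found[m.group(1)].add(m.group(0).upper())
    return dict(found)

def linkable_sites(pages, anonymous):
    """Map each other site to the IDs that tie it to the anonymous one.

    pages: {site_label: html}; anonymous: label of the site to protect.
    Returns {other_site: sorted IDs seen on either site under a shared account}.
    """
    anon = analytics_accounts(pages[anonymous])
    links = {}
    for site, html in pages.items():
        if site == anonymous:
            continue
        other = analytics_accounts(html)
        shared = set(anon) & set(other)
        if shared:
            links[site] = sorted(i for a in shared for i in anon[a] | other[a])
    return links

# Constructed sample pages (labels and IDs are made up for illustration).
SAMPLE_PAGES = {
    "anon-blog": "<script>_gaq.push(['_setAccount', 'UA-0000001-3']);</script>",
    "personal-site": "<script>var t = _gat._getTracker('UA-0000001-1');</script>",
    "unrelated": "<script>_gaq.push(['_setAccount', 'UA-0000002-1']);</script>",
    "no-analytics": "<p>plain page</p>",
}

if __name__ == "__main__":
    for site, ids in linkable_sites(SAMPLE_PAGES, "anon-blog").items():
        print(f"{site} shares an Analytics account with anon-blog: {', '.join(ids)}")
```

An empty result only means no classic Analytics ID is shared; other embedded third-party services can carry account identifiers of their own.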