The High-School Profiling Attack: How Online Privacy Laws Can Actually Increase Minors' Risk

Lawmakers, children's advocacy groups and modern society at large recognize the importance of protecting the Internet privacy of minors (under 18 years of age). Online Social Networks, in particular, take precautions to prevent third parties from using their services to discover and profile minors. These precautions include banning young children from joining, not listing minors when searching for users by high school or city, and displaying only minimal information in registered minors' public profiles, no matter how they configure their privacy settings. In this paper we show how an attacker, with modest crawling and computational resources, and employing simple data mining heuristics, can circumvent these precautions and create extensive profiles of tens of thousands of minors in a targeted geographical area. In particular, using Facebook and for a given target high school, we construct an attack that finds most of the students in the school, and for each discovered student infers a profile that includes significantly more information than is available in a registered minor's public profile. An attacker could use such profiles for many nefarious purposes, including selling the profiles to data brokers, large-scale automated spear-phishing attacks on minors, as well as physical safety attacks such as stalking, kidnapping and arranging meetings for sexual abuse. Ironically, the Children's Online Privacy Protection Act (COPPA), a law designed to protect the privacy of children, indirectly facilitates the attack. In order to bypass restrictions put in place due to the COPPA law, some children lie about their ages when registering, which not only increases the exposure for themselves but also for their non-lying friends. Our analysis strongly suggests there would be significantly less privacy leakage in a world without the COPPA law.
