Privacy and social media investigation: how I tracked down an entire family from one tweet

Last Saturday I presented to students taking part in the brilliant Young Journalist Academy.

The topic was “New Media” (not my title) and the primary aim was to get them up and running with their own blog and learn to publish online.

However, I also knew it would be the perfect opportunity to gauge just how aware a group of bright, 16 and 17-year-olds were on the issues of web privacy and of just how easy it is to track down information about people online.

The case study I included shocked them, especially when it came to Facebook privacy.

I won’t be publishing it online in order to protect the identity of the individuals involved. However, I have been asked to explain the process I went through to obtain the information that I did. This is the purpose of this post.

It frightens me how simple it was to get all that I did.

Step 1
I chose a few keywords “gunfire, shot, attack, missile” and ran them through Twitter search. Most of what I get back is utter rubbish. However, a few genuine tweets shine out. One in particular is particularly interesting: it references the first name of a person and says they were coming under attack. It also uses some army jargon that seems genuine.

Step 2
I check the Twitter profile of the tweet. It provides me with what looked like the real name of the person tweeting, a profile picture, the town they live in and a profile description which connects them to the US military.

Step 3
I use Google to search for their full name and the town in which they live. This brings up two results on White Pages. One of these is associated with a person who had the same first name as the person mentioned in the original tweet. It looks like I may now have their home address and phone number (I haven’t called to check though).

Step 4
I use Google again to search for the full name of the person mentioned in the tweet and find a Linkedin profile that matches the name and location. It also provides a military job title that makes perfect sense in the context of the tweet.

Step 5
I conduct a number of Google searches that include the name of the person mentioned in the tweet, their location and their job title in an attempt to find out more information about where they might be.

This is not so easy, but thanks to a local military historian and an interview with someone else on a military history website I can make a very good guess at the regiment they serve in and where they are currently stationed. I imagine if I hadn’t come to this topic cold, I could find more ways to search or, indeed, could make a few useful phonecalls at this point…

Step 6
Google again. This time I search for both the name of the person in the tweet and the name of the tweeter. This brings up a profile on the website of a small business.

The “About Us” section has an entry about the tweeter. They are a member of staff. There is a profile picture (the same one used on Twitter), job title and some friendly information about them confirming: that they are married to the person mentioned in the tweet, how long they have been married, the names of their children, their email address and the organisations that they volunteer with in their spare time.

Step 7
I Google (again) the name of an organisation I now know the group the couple volunteer for. It has a public Facebook page. One scan for the tweeter’s first name on that page uncovers comments left by a Facebook profile that the couple share.

Step 8
Clicking onto the couple’s Facebook profile reveals that they must have Facebook’s recommended privacy settings. This means that all their past profile pictures are publicly visible. So, I now have a lovely family photo to go with the names of the couple and their children.

Step 9
The couple have also been fantastically diligent with linking up with family members on Facebook. This means I now also get to see a list of profiles for the extended family. I learn the maiden name of the wife. It also turns out her mother has no privacy settings on her profile at all – her wall and all her photos are available to browse.

However, I don’t browse them.

I’ve gone from one tweet to knowing an entire family’s names, location, address, contact details, what they look like, how they are connected to the military and, potentially, where a part of the US army is coming under fire.

I stop there because I am already completely freaked out by just how far I’ve already got from a few Google searches.

It’s easy to say it’s incumbent on the individual to protect their own privacy, but it’s hard to see how we can always stop this type of jigsaw identification of people online. Sometimes people are mentioned online without them even knowing. Certainly having stricter default Facebook privacy settings would help, but it’s not the only answer.

The PCC has started to issue guidelines to journalists about how they use information from social media profiles in their stories and anything obtained online is still subject to the “public interest” test. However, the “reasonable expectation of privacy” guidance doesn’t feel that well tested yet – especially when you can easily build up a picture of someone from fragments from numerous public websites. I’d be interested to get some more information about the law in this area.

Even if it had, I am sure there are those who would still be interested in using this type of technique for their own purposes and would not feel bound by any ethical code…

37 thoughts on “Privacy and social media investigation: how I tracked down an entire family from one tweet

  1. Pingback: Joanna Geary: Privacy and social media investigation: how I tracked down an entire family from one tweet « Anise Kirkpatrick

  2. It used to take weeks what it just took a stalker a few hours. If someone wants to find something, they will. Scary that someone can find you, yes, but I have good faith in humanity that I will not wind up a statistic. Until I do.

  3. Pingback: Twitted by _andy_thompson_

  4. I pulled a similar trick during a presentation (like yours, on social media and privacy) I gave @ socialcamp Memphis a few years back. My method was simpler. Look up a twitter profile, grab the URL from the bio, do a Whois on a site like dnsstuff.com and with a bit of luck you get a full mailing address with current phone number. I then asked the participant who’s twitter bio I used to confirm the address.

  5. [Identifying details removed since the person in question apologised, but the process is still relevant/interesting.]

    My friend H was being bullied online. She’d report it, but the culprit would just set up new accounts whenever they got shut down. My friend was at her wits end, so I said I’d look into it.

    The profile of the latest bully-account was deliberately stripped down with no identifying information.

    But since the bully had waited less than 24 hours before using it to be mean to people. The Google cache still gave me some of the info she’d used to set it up, including her AIM name.

    Googling her AIM name gave me her old blog which also listed her (fairly common) real name and a link to a defunct website.

    Putting the defunct website into archive.org gave me a pic of her and her friend and, even better, her friend’s highly unusual name.

    Searching the friend on Facebook took me to the culprit’s own Facebook profile and from there to her live in boyfriend’s profile.

    The boyfriend linked to his own blog and from there to his professional website.

    Doing a whois on the website gave me their home address and telephone number.

    H called her and told her to knock it off.

    She did.

  6. Fascinating!

    However, I often feel that when talking about privacy, people tend to overlook the other side of this: the benefits of the connected society.

    For one, in return for letting strangers browse through wall posts, people get an amazingly useful website free of charge. The utility of Facebook et al is indisputable and the sheer numbers who visit there daily are the best proof of that.

    Secondly, people are way easier to find for sinister purposes, but the same goes for benign, productive endeavours. For instance, my wife and I just launched a start-up gaming magazine, for which we write most of the content ourselves. We had absolutely no connections in the global gaming industry before starting up. We’re now working on our second issue and we already have made contact and solicited contributions from artists, critics and developers, people who we previously would have never had a chance of reaching. All their contact details were acquired through a process similar to the one you describe. Not one of those people has complained or expressed shock about how we found them. They are all very positive and happy to participate.

    Thirdly, and this is purely an inference from what my gut feeling is rather than solid fact, I think that if somebody was hell bent on causing harm to somebody else, a lack of Facebook page, say, would probably make things more difficult, but not impossible.

    All of which is not to say that I think privacy is irrelevant. But I often find the discussion of it skewed to the one extreme.

    Also, when on the topic of privacy, there is a very good free interactive novel/game by Christine Love called Don’t take it personally, babe, it just ain’t your story, which is well worth the couple of hours it takes to play through.

  7. Pingback: One Man and His Blog

  8. Pingback: Online privacy needs more visibility and examples : All New Musings

  9. Thanks Joana for this post. While ago, I did a similar experience, much simpler, with a friend, computer engineer. Simply by googling her name, I could learn she had wanted to set up import business, to have fostered child, to rent a house she had bought and I know where the house was etc… just while chatting with her and I am not a journalist, just slightly more at ease with Google search.
    I am an internet lawyer and my ‘hobby’ or voluntary activity is online safety and anti-cyberbullying. I have launched the FlyAKite initiative to raise awareness and education withing young users and parents/educators. I sometimes believe parents can be more in danger as less tech savvy. Many parents reveal from too much and don’t realise the jigsaw puzzle effect of spread data aggregated by Google.
    I am hoping you and Jeroen Schouten and others could join us to Fly A Kite to let everyone know what is possible and how to keep safer. Risk is everywhere, it needs to be kept in mind.

  10. Pingback: Privacy and social media investigation: how I tracked down an entire family from one tweet | Joanna Geary | Defining New Media | Scoop.it

  11. Pingback: Nine Degrees of Separation: How Easily Your Personal Info Can Be Found Online

  12. Pingback: Nine Degrees of Separation: How Easily Your Personal Info Can Be Found Online - Techland - TIME.com

  13. Hi Joanna,

    Thank you for sharing your story. I’m sure you felt uncomfortable as you dug deeper and deeper into this family’s online life, but you’ve illustrated an important point about living in the digital age.

    It is becoming more and more difficult to manage the information about each of us online. Between self-published info on social media websites to people-search databases, which scrape the information from public records, it is painfully easy to find info on practically anyone.

    At Reputation.com, we’ve been working on tools to help people regain control over their online data. One big problem we’ve discovered is that most web companies don’t make any effort to protect user data. People need to realize that they aren’t a customer of Facebook, they’re the product.

    Hopefully, as stories like this illuminate the importance of online reputation management and privacy protection, people will take more proactive steps to protect their identities online.

    Thanks again,
    Rob Frappier
    Community Manager
    Reputation.com

  14. For years, I’ve been getting forwarded emails from older family members and their friends with headers & relay information attached…

    I demonstrated that I could get a street address in under 6 steps starting with the 1st IP shown; I got several ‘well, I have nothing to hide’ notes and several ‘That doesn’t scare me’ responses. Fascinating behavior from people who are completely oblivious to the carrier & personal information contained in emails, aside from the rascist jokes and blatant display of inappropriate content that they feel should be circulated amongst their friends, their friends’ children, etc., all w/o taking the tiny (but apparently terribly time-consuming & technical) step of selecting & erasing all the forwarding information.
    Several lawyers, several judges, doctors, police, university professors and therapists were contained on the email I received and replied to — a very rascist & religiously intolerant set of cartoons– none of them seemed to understand the implications, professional or personal, that identifiable email info, IP addresses and inflammatory content could present.
    Disbarred? Banned from the bench? Being forced to recuse themselves from a case due to demonstrable personal beliefs? Being denied federal research funding due to obviously prejudiced personal beliefs? It doesn’t help that the current generational divide provides that type of misunderstanding, that any form of email or internet security is ‘for the young people.’

  15. I must be missing what we are supposed to be horrified about here ;-) . Someone posted under their REAL NAME with a location AND a profile pic. And then you were able to figure out who they were and also who some of their family members were. GASP!

  16. Hi David,

    Thanks for your comment! As I’ve explained to people on Twitter, this post isn’t about showing off any special investigative skills.

    The process I went through was intended for a class of 17 year olds in order to show them how easy it was to piece together information about someone online. They were shocked.

    More shocking is how many adults using social networks like Twitter and Facebook were surprised by what I posted. There is a worrying lack of understanding amongst many about how easy it is to jigsaw identify a person online. That was really the focus of my post.

  17. Wow, great detective work there Watson. Not creepy at all.
    3 new internet stalkers were born with your handy guidelines. way to go.

  18. As one poster has already pointed out, the ability to do this has existed long before social networking was even on the radar.

    Doing a whois search for joannageary.com brings up her phone number and address. You can even get a street view of her home on google maps.

    Is this a bit concerning? Perhaps… but it is nothing that someone couldn’t have done with a first and last name as far back as at least the 70s. A simple call to directory assistance, and knowing how to use a map.

    It’s not that I think privacy should not be take seriously, so much as I wonder why this would be shocking to anyone born in the past 4 decades.

  19. Hi Ennui and Andy,

    I think your differing responses sum up the very different perceptions people have about obtaining this sort of online information.

    Andy – I was waiting for someone to do a WHOIS search. Actually, I live in a different city to the one that appears there. But I very much take your point. Again, I have to stress, I know none of this is new or hard. But does everyone else know and understand this?

    There seem plenty of people born in the last four decades who have reacted with shock to this post. It looks like Ennui might be one of them. Just because we know how to use these tools, doesn’t mean we should dismiss those who don’t.

  20. Pingback: One tweet takes a journalist on a voyage of discovery | dailywebday.com

  21. Pingback: What I’ve been reading | Depraved Librarian

  22. Another example: A year ago I was introduced to Runtastic, an iPhone sports app. It allows users to publish and share their sports activities. I quickly discovered a region of the site where other users’ runs were published in Google maps. By some browsing I was able, even without being “befriended” with any other person, to find a jogging track that ran through a lone forest, and was used on certain days by an attractive woman, introduced to me by profile pic, real name, the dates and route of her runs. Entering her name to the white pages gave her full address, and white pages now even comfortably link to her Facebook profile. Certainly, knowing what I knew by now, I could easily have lured her into a Facebook friendship, chat, and whatever else I’d like to have done to her online. Worse, I could just as easily have waited for her by her lone running track to do whatever I’d like to have done to her in real life…

  23. What the author fails to point out is that most of her efforts would have resulted in a null search had the target of her efforts exercised a small amount of common sense and used many of the safeguards at their disposal — Tighter Facebook privacy settings, Private URL registration, a twitter profile with very basic information versus a link to a blog etc.

    Society should not be designed to protect adults who don’t exercise basic common sense and available tools to protect themselves. While I don’t advocate a purely Darwinian society, I believe that people who dabble in areas (like The Internet) should take the time to learn what they are doing and act accordingly. I’m just sayin’…

  24. Pingback: How well known do you want to be? — on online privacy « Tech bOOZE

  25. Pingback: Twitted by willurbanski

  26. Pingback: Privacy and social media investigation: how I tracked down an entire family from one tweet | Joanna Geary | Digital and Social Media | Scoop.it

  27. Pingback: IP Address Blog Updates for August 8, 2011 « IP Address Blog

  28. Pingback: How powerful can electronic investigations be? | AFX Search LLC

  29. Pingback: LinkedIn May Use My Name and Photo in Social Advertising – NOT | StepForth Web Marketing Inc.

  30. Pingback: LinkedIn May Use My Name and Photo in Social Advertising – NOT | WebProNews

  31. Pingback: JustSue.ca » Blog Archive » The Internet is a Scary Place

  32. This goes to show the power of new media (and particularly social media). It also raises security issues about your own digital footprint. If it is that easy to track down an entire family, it really shocks me to think that one’s personal information could be found so easily. It’s good to see that the PCC are enforcing stricter regulations for the use of social profile information. But perhaps this would not be needed if we all took just a few extra seconds to think that “Once it’s out in the public domain it’s out there forever, even if you later delete it from your own profile.”
    Sophie Hobson, deputy editor, London Loves Business

  33. Pingback: Latest Technology News and Views : City Connect

  34. Pingback: paradasos » Blog Archive » +Joanna Geary explains how she tracked down an entire family from just one tweet…

  35. Pingback: paradasos » Blog Archive » Reshared post from Scott Beale

  36. Pingback: How to make contacts - The Help Me Investigate blog

  37. Pingback: Gevolgd tot in alle uithoeken « VdL

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>