I thought this would be more about stylometry but it's mostly about users literally posting the same identifiable information across multiple services, including in one example their age, dog name, profession.
It's all classic dox profiling techniques. Even the things like spelling differences being regional signals and commonality to specific things being discussed.
It's why one has to think about what is being posted to which community if using different identities, rather than posting the same things across all of them. Though any such effort would be a waste if reliant on some non-public info that later was exposed in a database breach which tied together previously unrelated profiles.
setopt 11 days ago [-]
I’m curious if an LLM-based defense for this could be made. Like a browser plugin that warns you if you type identifiable information (like occupation) into a text field, and highlights turns of phrase that are “unusual” enough to be identifiable.
everyday7732 11 days ago [-]
or something which just inserts random untrue details about you every now and again, like they do in Alaska, where I live.
user205738 10 days ago [-]
I'm afraid that if you do this, you won't just stand out among regular users, but you'll actually shine for such llm systems.
Neywiny 10 days ago [-]
Ah yes I remember seeing you at the Alaskan local underwater basket weavers meetup, you know the one for our profession.
firefoxd 11 days ago [-]
There was a tool shared here that could show which accounts belong to the same person based on the writing patterns. Can't remember the name, but it found my old accounts on HN pretty accurately.
The internet is getting less interesting by the day.
RiverCrochet 11 days ago [-]
The future is offline.
senectus1 11 days ago [-]
*selfhosted
RiverCrochet 10 days ago [-]
I mean literally offline.
Computers were quite prevalent and useful before the notion of cloud computing, or the Internet.
Before the public was unleashed upon the Internet in 1992-1994, there were methods of information storage, indexing, searching, and exchange that didn't rely on real-time communications mediums operated by third parties. Example: CD-ROMs looked promising, the early 90's was smack in the middle of the "Multimedia" hey-day and gobs and gobs of data on nearly any subject was available and browseable at your perusal.
Of course it wasn't globally searchable, but there wasn't anything stopping anyone from making a master global index of CD-ROMs, selling it, and periodically updating it. Somebody (multiple somebodies) probably did. Libraries have been doing that for many decades. Replace chat with in-person meetups. Computer clubs were a thing in the 70s and 80s. DVDs still exist. DVD drives are $20 at my local Wal-Mart. SD cards are cheap and massive (1.5TB SD cards are a thing now).
Operating systems didn't always support TCP/IP. It's still something you can just turn off on a few of them.
newsy-combi 10 days ago [-]
Pros and cons to this. It would re-centralize media again, stochastically dictating what we talk about. The Epstein case would have been sealed some five or so years ago without the onslaught of publicly visible interest in it.
burningChrome 11 days ago [-]
*analog
JKCalhoun 10 days ago [-]
Ha ha, been moving to all three lately.
(My hobby experiments have been a small analog computer these past 4 or so months.)
rissotorous 11 days ago [-]
*doomed
nehal3m 11 days ago [-]
*short
rickydroll 11 days ago [-]
*lunch
gregw2 11 days ago [-]
*timeless
rich_sasha 11 days ago [-]
*infinitely nested
ohy333ah 11 days ago [-]
[dead]
xtiansimon 11 days ago [-]
> “This is a pretty new capability; previous approaches on re-identification generally required structured data, and two datasets with a similar schema that could be linked together.”
Right up there with Skynet, for me, has been the idea of disparate databases all being linked up by bad actors.
It appears as though DOGE illegally obtained taxpayer data from the IRS. I don’t trust DOGE to safeguard anything.
And the penalties do not seem to be very severe outside of HIPAA.
Anonymous account unmasking represents a new threat to anonymity.
not just this technique with llms, but the earlier text similarity one.
But I think it would be generally easier to counter in the same way.
Use an llm or heuristics to pose as someone else.
not only do you erase your traces, you add false positives into the system which reduces the overall effectiveness of these techniques in the future.
A bit of poisoning the well.
I hope eventually an easy to use tool, with maybe a small local llm, can make it easy enough to do this, so that any future deanonymization attacks would be too untrustworthy to rely on
notTooFarGone 11 days ago [-]
Like with browser fingerprinting, making it too unique is also an issue.
It may actually be a fine line. You may be flagged as an LLM later if your style is too generic and identified if your style is too unique.
petesergeant 11 days ago [-]
As a 32 year old Ghanaian woman living in Luang Prabang and studying as an ophthalmologist, this gives me some food for thought!
JKCalhoun 10 days ago [-]
My dogs Lacey and Baxter say "Hi!"
ranger_danger 11 days ago [-]
Only if said users happen to commit OPSEC failures themselves. LLMs aren't magic...
If someone can figure out who I am or what city I live in just by this username or my comments (with proof), I'll personally send you 500,000 JPY. I'm quite confident that's not going to happen though.
The paper referenced in the article does not even explain their exact testing methodology (such as the tools or exact prompts used) because they claim it would be misused for evil. In other words, "trust me bro."
Anyone who says that they can maintain perfect opsec over an extended period of time is seriously mistaken. A sufficiently motivated investigator with enough resources will join the dots eventually. The would-be evader has to be lucky every time whereas the investigator only has to be lucky once.
onionisafruit 11 days ago [-]
You live on Earth. Now that I won let’s go double or nothing. I bet I can guess where you got dem shoes at.
linkjuice4all 11 days ago [-]
He got them on his feet? He got them on the street?
tayo42 11 days ago [-]
I skimmed some of your comments. You seem to be in the US, at least mid30s, you bought a .dev domain and run your own email? I would think those are possible leads. You really don't think you slipped up once or twice in 5 years of posting? I think an llm would go through all your posts and context of the posts to get. and that would be easier to check if you used any other social media with the same name and see if the accounts have similarities.
comrh 11 days ago [-]
Everyone commits opsec failures eventually. With LLMs linking anonymous accounts it just makes it even more likely to be caught.
11 days ago [-]
trinsic2 11 days ago [-]
I'm pretty sure they can use the metadata they pull from your various interactions with search and the text you post online. These services build fingerprints of your habits using these techniques to follow you everywhere. At some point in the chain they could easily connect this fingerprint to your identity as soon as you log into an account that contains a piece of identifying information about you. The threat is real. I can foresee someone programming a terminal or app that obfuscates online behavior to avoid this fingerprinting in the future.
Unless I am misreading something. Take a look at surveillance capitalism to see what's possible right now. It's going to be 100x worse as LLMs become more advanced.
It's not the things you post online, it's the nuances behind the way you type and other ways to determine behavior that allows them to be able to build these kinds of profiles.
ranger_danger 11 days ago [-]
Who is they? Which services?
From what I can tell, the article/paper in question does not appear to utilize any of the techniques you mention, but I'd be interested to learn more about it.
> it's the nuances behind the way you type
I found this paper which talks about some of those methods.
The big companies that sell prediction products to advertisers. Google, Amazon, Microsoft, Apple, Meta... all of them are involved. I didn't read the paper but this is a known method they have been using for a while to track people across sites of many types, from social networking to online shopping sites.
JPY_PLS 10 days ago [-]
[dead]
ggm 11 days ago [-]
With low precision, you're in Japan. But I don't need the JPY. of course that could be obfuscation.
ranger_danger 11 days ago [-]
The currency is not related to my location, I picked a random one, but thanks anyway :)
11 days ago [-]
nprateem 11 days ago [-]
They said low precision. That might mean Spain, the US, etc
ggm 11 days ago [-]
They refer to JP and language often enough in their search history and they state they are an american, and on 5G internet. I think working beyond this is doxxing. They could be anywhere.
11 days ago [-]
huddert 11 days ago [-]
[flagged]
ggm 11 days ago [-]
What does 'of course that could be obfuscation' mean to you? because it doesn't mean 'took the bait' to me.
huddert 11 days ago [-]
[flagged]
big-chungus4 11 days ago [-]
You are ranger_danger
Footprint0521 11 days ago [-]
40 year old software dev in Detroit Michigan?
Not that I care, and that could be wildly off, but opsec is a wide term… and Claude one shot that… so safe out there bro, AI is wild
daemonologist 11 days ago [-]
I think Claude is guessing (educatedly - northern midwest does seem plausible). There's probably enough for the feds to track them down, but not me or an LLM.
iso-logi 11 days ago [-]
You are American, although you've discussed Ryanair before, which isn't exactly American. You have a number of comments and posts about Japan, which is strange, although you do drive a Japanese car.
Stylometry is just the most legible version of this. The harder-to-defend surface: posting time patterns, topic clusters, cross-platform phrase matching, interaction graphs. LLMs synthesize weak signals at scale in a way no single analyst could, which makes the threat model fundamentally larger than "change how you write." Most OPSEC advice is written for the pre-LLM world.
futune 11 days ago [-]
So tell an LLM what you would like the post to say, and then post the output?
LLM as the sickness and the cure...
AreShoesFeet000 11 days ago [-]
This is the first thing that comes to mind. However I wonder if not only the “general” vocabulary can be anonymized but also the underlying concepts and references, because they point to a particular place too.
Lio 11 days ago [-]
To state the obvious, we all need personal, local tools to warn us when we’re making opsec errors.
> If you request deletion of your Hacker News account, note that we reserve the right to refuse to (i) delete any of the submissions, favorites, or comments you posted on the Hacker News site
Probably not GDPR-compliant then if comments can be deanonymised by LLMs.
lynx97 11 days ago [-]
This is probably the worst piece of policy on the whole of HN. It has an evil feel to it. If HN wasn't so interesting/valuable, this would be the single reason NOT to use it at all.
diacritical 11 days ago [-]
Why take away people's choice to use a forum with permanent comments? I know my comments will be here forever, but so will other people's comments. That's what makes HN valuable.
The alternative is what you see on reddit. A lot of threads from the past have posts deleted or overwritten with some script. You now have to dig through archive sites to find the comments, and you usually do find them.
I participate in Signal chats with self-destructing messages, too. But I post different things here and on Signal, under different usernames. Heck, after a few weeks I'll make another account here, anyway.
Even if you somehow deanonymize me, it's a risk I willingly took when I started posting.
Finally, if you go after HN for deleting comments, will you go after the many archive sites?
WithinReason 11 days ago [-]
All these comments live forever in HN datasets that people download anyway
WalterGR 11 days ago [-]
My understanding is that the GDPR “right to be forgotten” applies to personal data. Are publicly available comments considered personal data?
croes 11 days ago [-]
If they can help to deanonymize you, they must contain something personal.
Writing patterns are pretty personal, certain spelling errors too, or the choice of words.
WalterGR 11 days ago [-]
Absolutely anything relating to an anonymous person could help deanonymization, so that implies that anything relating to any person is personal data. Is that the GDPR’s position?
moi2388 11 days ago [-]
From ico.org.uk:
“It is important to note that opinions and inferences are also personal data, maybe special category data, if they directly or indirectly relate to that individual”
From gdpr-info.eu:
“Subjective information such as opinions, judgements or estimates can be personal data.”
So yes. HN is in violation of the GDPR. I had already filed a complaint about this policy at my local GDPR authority.
garaetjjte 11 days ago [-]
If you are posting public comments, then these comments are available publicly... like, what did you expect!?
moi2388 10 days ago [-]
Yes they are. The GDPR doesn’t say you can’t post it.
Under article 17 of the GDPR, EU citizens have the right to be forgotten, in which case this data needs to be deleted.
Hamuko 11 days ago [-]
Well, the username attached to them would surely be.
Bombthecat 10 days ago [-]
Figured this is going to happen. And it will just get worse.
I can already see palantir as the new man in the middle. Telling services: this guy with the same IP just posted xxx on yyy
Way simpler than hnprofile from the sibling comment. This one used cosine similarity between user vocs - https://web.archive.org/web/20221126225241/https://stylometr...
https://democracyforward.org/news/press-releases/new-details...
Also see the previous discussion here: https://news.ycombinator.com/item?id=47139716
https://www.audiolabs-erlangen.de/content/04_fraunhofer/assi...
For example the "Text" section on page 91.
(Above 99% accuracy)
Should I like, just ask Claude Code to come up with this idea this weekend?