The cyberstalker's handbook

Looking through the blinds
Are you being watched on the web?

It's tempting to feel that you're anonymous online, protected from potential cyberstalkers by cryptic user names and website privacy settings. But is that really true? How easy is it for a malicious person to track someone down, based solely on personal information they've made available?

We launched an investigation to find out.

The process started by picking a random person on Flickr. She had an unusual user name that we're going to call French Puppy (although all personal details have been changed), so no obvious clues there, but her profile linked to a personal website, LeahTphotos.com. First name Leah, but what was the T?

Website registration details often include the name and address of the creator, so we searched for "LeahTphotos.com" at whois.net. No luck, though, as it was registered to the name of a web design company, presumably the folks who built the site.

People often use the same user name around the web, and so we next tried searching for "French Puppy" at Google. Some hits, but not the right person.

Further details

Maybe her website name was the key? We tried another Google search for "LeahTphotos.com" and Leah, and success - we found a reference on another site that included her full name, a real breakthrough.

Entering this at Facebook gave us several hits, but we recognised her photo as a match for others on Flickr. The account was private, but revealed that she was in the Brighton network, and provided a list of all her friends. Within 60 seconds we had her phone number from BT.com, while 192.com helped out with her address, details of the neighbours, and even a handy map revealing how to get to her house.

That was enough, and we then emailed our test subject to explain what we were doing and why. She's since removed the page that linked LeahTphotos.com to her full name, and so is a little safer as a result.

But what's really worrying isn't just that we could uncover so much in less than five minutes' work on the very first person we tried. It's that the next two individuals we investigated were even easier to track down. And that suggests your privacy could be compromised just as quickly, unless you follow very strict rules about what you say online.

Seven rules for staying safe online

1. Don't give away your real name unless it's absolutely necessary.

2. If you register a domain name for a website then consider getting privacy protection as well. This lets you register with your real details, but ensures they're not available to the public, and is an option now offered by many companies (1steuro.net say they include it for free).

3. Don't tell people where you live, or work. Don't hint at it, perhaps saying you've just visited a particular place because it's "just around the corner".

4. It should go without saying that you shouldn't post details like your phone number online, but astonishingly people do this quite frequently. Try a Google search like "my cell number is" site:myspace.com to see what we mean.

5. Don't post links between your various internet homes, for example telling people on favourite forum A that you also post on message board B. And don't register the same user name everywhere. This only makes it easier for stalkers to follow you around the web, put together clues from different places, and uncover useful information.

6. If you've created two or three social networking profiles that you no longer use, then delete them. Set any remaining profiles to private, and make sure you're as close to invisible as possible.

In Facebook, for instance, click Settings > Privacy Settings > Profile and make sure all your details are only visible to "Friends only". Then click Settings > Privacy Settings > Search, set your Search Visibility to "Only Friends" and clear all the checkboxes. You'll now have to ask future friends to "Add you as a friend", as they won't be able to see you on the site, but you'll also be protected from snoopers.

7. Most important of all, keep in mind that even fragments of information can effectively give away everything. If someone discovers you're called "Steve", say, then that may not be very useful. But if they also see that you're a MySpace friend of Maria, and she's provided a link to her public profile, then they can check it for friends called Steve. Match the photo with a holiday pic you posted online once, say, and they've tracked you down: easy.

If the worst does happen, and you're being harassed by an online idiot, then don't simply put up with it. The law is very strict about this now, especially (though not only) in England and Wales: if someone sends you a "grossly offensive, indecent, obscene or menacing message", or even just pesters you for a long time, they can be jailed for six months and fined up to £5,000 (read a good summary in the Home Office social networking guidance).

Keep a record of whatever messages and emails you've received, then contact the police and let them deal with it. Or, if you're not sure that's the right course of action, then contact a group like the Network for Surviving Stalking or Victim Support. They'll provide more advice and help you decide what you should do next.


Mike Williams
Lead security reviewer
