Wednesday, July 7, 2010

Names are sacred for a reason

I work in information technology. My official job is to deploy, service and maintain networks in homes and businesses throughout the Tri-Cities. However, the bulk of what I do falls into two categories: security and privacy. Rule number one in both? Names are sacred.

Many industries, most notably healthcare with its highly restrictive HIPAA regulations (which I experienced first-hand working in electronic data disposal several years ago), have extensive restrictions, some internal and some legal, all with one intent: to prevent people from connecting names to information. Names are powerful; even people who already deal in personal information quail when "personal" becomes "personally identifiable."

Most people don't have exceptionally common names, despite what you may think. The combination of a first and last name is enough that simply knowing what state a person lives in will narrow the field to single digits, if not to one person. Knowing my name (a common first name in my age group and a last name shared by over ten thousand people in the US), you can narrow it down to seven people in the US, only one of whom (not me) has an internet presence that can be connected to his name. If I add that I live in Michigan, you can narrow it to two of those seven. Interestingly, the other one is a professor at the university I graduated from. As was pointed out on the official forums, even if you're filtering the half million John Smiths in North America, just limiting yourself to tech-savvy, college-educated John Smiths brings you down to a manageable number. Knowing a state brings it down to a number that a dedicated person could search through individually in an afternoon. Knowing a city, even though a large city may still have a dozen John Smiths, is enough to get the job done within a day.
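The narrowing described above is the quasi-identifier problem behind k-anonymity: each attribute an attacker learns (name, then education and hobby, then state, then city) partitions the candidate set again, and the question is how many attributes must leak before the target stands alone. The following is an added example, not code from the original post. It runs over a constructed, fictional ten-person roster (the names, places and counts are made up and stand in for the half-million John Smiths), and the helper names are my own:

```python
"""Anonymity-set sizes as quasi-identifiers accumulate (added illustration).

The roster below is constructed for this example; nothing in it refers to a
real person. The mechanism is what matters: every attribute the attacker
learns is a filter, and the anonymity set shrinks until one record is left.
"""
from collections import Counter

# Constructed roster: attributes a forum post, profile page or public record
# might leak. Index 0 is the "target" whose identity an attacker is chasing.
ROSTER = [
    {"first": "John",  "last": "Smith",  "state": "MI", "city": "Ann Arbor", "degree": True,  "tech": True},
    {"first": "John",  "last": "Smith",  "state": "MI", "city": "Ann Arbor", "degree": True,  "tech": False},
    {"first": "John",  "last": "Smith",  "state": "MI", "city": "Detroit",   "degree": False, "tech": True},
    {"first": "John",  "last": "Smith",  "state": "MI", "city": "Detroit",   "degree": True,  "tech": True},
    {"first": "John",  "last": "Smith",  "state": "OH", "city": "Columbus",  "degree": True,  "tech": True},
    {"first": "John",  "last": "Smith",  "state": "OH", "city": "Columbus",  "degree": False, "tech": False},
    {"first": "John",  "last": "Smith",  "state": "TX", "city": "Austin",    "degree": True,  "tech": True},
    {"first": "Jane",  "last": "Smith",  "state": "MI", "city": "Ann Arbor", "degree": True,  "tech": True},
    {"first": "John",  "last": "Doe",    "state": "MI", "city": "Ann Arbor", "degree": True,  "tech": True},
    {"first": "Alice", "last": "Rivera", "state": "CA", "city": "Irvine",    "degree": True,  "tech": True},
]

# The order in which the post says the attributes leak: name first, then the
# "tech-savvy, college-educated" filter, then state, then city.
LEAK_ORDER = ["first", "last", "degree", "tech", "state", "city"]


def candidates(records, known):
    """Everyone still consistent with what the attacker knows so far."""
    return [r for r in records if all(r[f] == v for f, v in known.items())]


def narrowing(records, target, fields):
    """Anonymity-set size after each successive field of `target` is revealed."""
    sizes, known = [], {}
    for f in fields:
        known[f] = target[f]
        sizes.append(len(candidates(records, known)))
    return sizes


def fields_to_unique(records, target, fields):
    """How many of `fields` (in order) must leak before `target` is alone; None if never."""
    for n, k in enumerate(narrowing(records, target, fields), start=1):
        if k == 1:
            return n
    return None


def k_anonymity(records, fields):
    """Defender's view: smallest group size (k) and the fraction of records that
    are already unique on this set of quasi-identifiers."""
    key = lambda r: tuple(r[f] for f in fields)
    groups = Counter(key(r) for r in records)
    unique = sum(1 for r in records if groups[key(r)] == 1)
    return min(groups.values()), unique / len(records)


if __name__ == "__main__":
    target = ROSTER[0]
    for f, k in zip(LEAK_ORDER, narrowing(ROSTER, target, LEAK_ORDER)):
        print(f"after learning {f:<6}: {k} candidate(s)")
    print("fields needed to isolate target:", fields_to_unique(ROSTER, target, LEAK_ORDER))
    print("k-anonymity on (first, last, state):", k_anonymity(ROSTER, ("first", "last", "state")))
```

On the constructed roster the candidate count falls 8, 7, 5, 4, 2, 1 along the post's leak order, and `k_anonymity` reports that name plus state alone already makes 40% of the roster unique (k = 1), which is the defender-side statistic to watch: a dataset with a minimum k of 1 on the attributes a forum reveals is not anonymous at all.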

It's no secret that right now, Facebook is hemorrhaging users. The bleeding is slowing down thanks to enough backpedaling to reverse the local flow of time, but earlier this year they lost millions of users in a matter of days. Why? Because they made information like real names public for all users and took away the option to hide those names from the public. Those options came back fast, but a lot of damage was done.

Armed with nothing but a picture of a home, internet vigilantes have brought animal abusers to justice. Armed with a partial name and a city, they've caught child predators. Armed with a full name and nothing else, they have ruined lives.

Blizzard got a taste of that last bit for themselves in recent hours. Bashiok is best known as the Diablo III community manager. To prove how safe the Real ID system was, he posted his real name. Now, Todd Davis, the CEO of LifeLock, liked to flash his Social Security number around to prove how safe you are from identity theft, and for his efforts (even protected by his own protection plan) he has become one of the most defrauded individuals in the US, if not the world. A British journalist thought to publish his bank account details because the numbers alone weren't enough to initiate a transaction. They weren't enough on their own, but he still awoke the next day to find that a direct debit to a charity had been set up in his name.

With that in mind, perhaps you'd be a bit hesitant about things. Well, Bashiok posted his real name, and the results are sickening, but as much as I hate to say I told you so, I FUCKING CALLED IT. Lo and behold, when I went back to the thread, it had taken somebody else only two minutes to start turning up extremely detailed information, and the shit had already hit the fan within five.

Within minutes, not only were Bashiok's phone number and address found, but also the names of his family members and his license plate number. Pictures of his house and car were taken. Phone calls were made, visits paid. Pizzas were ordered; one poster on another forum claimed to have used Domino's entirely too detailed custom order form to have a 6-inch personal pizza with no toppings, no cheese and no sauce delivered to his house.

An account of his was found on Facebook, which in turn led to his relatives and friends, and addresses were obtained for several of them. Pictures of the house he grew up in were found in the afternoon. Within twenty minutes people had found his exact age, race, income, the projected and taxable values of his home, and whether he owns, rents or carries a mortgage. They found out he receives mail at his mother's house but also has an apartment in his name. They found out he's been caught driving without proof of insurance or registration twice since 2004. At this point, some clever social engineering, or just a generally incompetent DMV clerk, could yield a copy of his driver's license, a trick members of Anonymous have pulled off in the past when tracing an online persona back to its owner.

It's been less than 24 hours since that post, and already his Facebook account is gone, his phone numbers changed, threads locked and others at the post cap. The main Real ID thread hit 11k posts when I started the first draft of this post, 18k when I sat down to finish, and 20k when I checked again while typing this sentence. On Twitter he claimed the number found wasn't his, but there are enough people doing creepy and sick things to prove that it at least rings in the house where he lives. Even if it weren't his, that would only make matters worse, because some other guy named for a cheap countertop laminate is getting harassed to hell and back. It's sick, a lot of it is illegal, and I hate to say it, but I have no sympathy.

It didn't stop at Bashiok, either. The most recent article on the subject over on GameRiot has all the same details for the out-of-touch marketing robots presumably responsible for this whole mess. I have even less sympathy for them and for what will doubtless happen when the bulk of the trolls wake up this morning.

This was a Blizzard employee acting in an official capacity, one in which revealing a real name may reasonably be expected. Expecting customers to offer themselves up in the same manner in order to access one of the primary means of guild recruitment, event organization and inter-guild communication, however, is unconscionable.

And if you're not worried yet, the information found on Bashiok is enough to get a WoW password reset and potentially steal an account that isn't protected by an authenticator. His Facebook could well have contained the answers to his security questions, which is why you should treat security answers as second passwords: random strings kept in a password manager, not commonplace facts like the name of your cat or your grandmother's maiden name that a profile page or a public record already answers for the attacker.

The ultimate measure, however, is always money. Well... stick ATVI up on your tickers today. It went negative yesterday immediately after the announcement, dropping over 40 cents a share before recovering about 10 cents near the close. People are trying to flood the New York Times with the story. That paper has always loved to fan the flames of identity theft paranoia, and with the Bashiok incident in hand they'll find a way to make it look even worse than it does. And it looks pretty bad.
