LAS VEGAS — The junk email, text messages and phone calls sent by each website and online service with which you have an account end up wasting 90 minutes of your time a year, researchers at Virginia Tech said at the Black Hat information-security conference here earlier this week.
So if you sign up with 30 online services — not an unusual amount — then that's nearly two days' worth of your time wasted every year.
Alan Michaels and Kiernan George of Virginia Tech's Hume Center for National Security and Technology wanted to see how personal information was used and abused across the internet.
So with the help of 15 undergrads, they created 300 fake personas and signed up each to one, and only one, website of a well-known brand or company. (Some websites had more than one persona register.)
The websites included those of online retailers, political groups, news organizations, fast-food chains, dating services, hotels, social media and software and technology companies. For example, the "D"'s were Delta Air Lines, the Denver Post, DonaldJTrump.com, Domino's Pizza, Dunkin Donuts, Discord, Dollar Tree and the Democratic Congressional Campaign Committee.
Then the researchers spent nine months watching how many emails, texts and phone calls the fake personas got — and whether any of the unique personal data that each fake persona provided ended up with third parties.
The biggest offenders
What was striking was the sheer number of messages the online services sent out to registered users.
Fox News sent 2,356 email messages, about nine per day, to each account holder, by far the most email messages of any of the 188 online services the fake personas signed up with. On Nov. 3, 2020, the day of the U.S. presidential election, Fox News sent 44 emails, or about one every 33 minutes.
No. 2 was the direct-retail site Wish, with 658 emails to account holders over the nine-month test period. The most text messages came from the Family Research Council, a conservative political group: 42 texts over nine months. Right behind it was the web-domain registrar and host GoDaddy.com, with 38 texts.
But the biggest time-waster overall was PlayerAuctions.com, a website where fans of multiplayer online games buy and sell in-game items.
Assuming that a voicemail message takes five minutes to listen to, a text message one minute to read and an email 15 seconds to skim, then a PlayerAuctions account holder would spend 1,226 minutes, a bit more than 20 hours, digesting everything that came in over nine months.
No. 2 in time-wasters was Delta Air Lines, using up 622 minutes — 10 hours and some — of the account holder's time. Fox News was third, generating 582 minutes of wasted time.
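The study design described above (each persona registered with exactly one site, then every inbound message tallied with the stated per-message time costs) can be sketched in a few lines. This is an added example, not the researchers' code; the addresses, domains, phone number and message log are all constructed, and `analyse` is a hypothetical helper.

```python
from collections import defaultdict

# Per-message time costs stated in the article, in seconds.
COST_SECONDS = {"voicemail": 300, "text": 60, "email": 15}

# Constructed registry: each persona contact point was given to exactly one
# service, so any message reaching it is attributable to that signup.
# Value = (service signed up with, sender identities that service uses).
REGISTRY = {
    "persona017@mail.example": ("shop.example", {"shop.example"}),
    "persona042@mail.example": ("news.example", {"news.example", "mail.news.example"}),
    "+12025550100": ("air.example", {"air.example"}),
}

# Constructed inbound log: (recipient, channel, sender identity).
MESSAGES = (
    [("persona017@mail.example", "email", "shop.example")] * 4
    + [("persona017@mail.example", "email", "adnetwork.example")]
    + [("persona042@mail.example", "email", "mail.news.example")] * 2
    + [("+12025550100", "text", "air.example"),
       ("+12025550100", "voicemail", "air.example"),
       ("stranger@mail.example", "email", "other.example")]
)

def analyse(messages, registry=REGISTRY):
    """Return (minutes of attention per service, suspected third-party shares)."""
    minutes = defaultdict(float)
    shared = set()
    for recipient, channel, sender in messages:
        if recipient not in registry:
            continue  # not one of the seeded personas
        service, expected_senders = registry[recipient]
        # Time is charged to the service the persona registered with,
        # whoever ended up sending the message.
        minutes[service] += COST_SECONDS[channel] / 60
        if sender not in expected_senders:
            # The contact point was only ever given to `service`, so an
            # unexpected sender suggests the data was passed on.
            shared.add((service, sender))
    return dict(minutes), sorted(shared)

if __name__ == "__main__":
    per_service, shared = analyse(MESSAGES)
    for service, mins in sorted(per_service.items(), key=lambda kv: -kv[1]):
        print(f"{service}: {mins:.2f} min")
    print("suspected sharing:", shared)
```

As the article notes further down, this attribution is only clean for brand-new email addresses; a rented phone number with previous owners can receive third-party calls that have nothing to do with the signup.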
None of these people exist, but their phone numbers do
The personas were carefully crafted to be unique, yet average, and not linked to real people. Names were randomly created; user headshots were generated by the website This Person Does Not Exist; street addresses used real streets in real towns and cities, but non-existent street numbers; email addresses were brand-new.
The ages, ethnicities, locations and political affiliations of the personas were distributed to reflect the makeup of the U.S. population.
The only things that were real about the fake personas were 150 "rented" phone numbers, which were used if an account asked for one upon new-user registration. This gave half of the fake personas the real ability to be called and texted by the online services.
The personas provided all personal information that was asked for when creating an online account. They did not use or interact further with the accounts, and did not respond to texts, calls or emails.
Some of the fake personas did create browsing histories intended to portray them as politically conservative or politically liberal. Other personas made financial transactions to make themselves look more real.
However, it was hard to create fake accounts on Amazon, Facebook and Google, especially when the rented phone numbers were involved. Six of eight tries to create Facebook accounts were rejected outright and the other two were flagged as fake after a few days. Meanwhile, some Chinese social-media websites would accept only Chinese domestic phone numbers, which the researchers did not have.
About 30 of the 188 companies whose websites the personas signed up with were foreign, ranging from the Hudson's Bay department store in Canada to the Russian internet giant Yandex.
But the researchers found that there did "not appear to be a significant difference between foreign and domestic companies in terms of number or frequency of emails sent, stated interest in election outcomes, or privacy policies."
The good news? Not much sensitive data spilled
The good news, somewhat surprising: There was much less sharing of personal information than the researchers expected. Only 10 of the 300 fake personas had their email addresses passed on to third parties.
There also were zero malicious attachments in the emails sent to websites' registered users, although there were some tracking cookies embedded in email attachments.
"Respected companies generally do not share personally identifiable information," Michaels observed.
However, personal information given to Twitter ended up with the Republican Party, and information given to TikTok ended up with the Democratic Party, but the transfer of information may not have been direct.
"From the configuration of those accounts and the seeding of political identities, we posit that sharing occurred through cookie tracking and falsified browser histories," says a white paper on the study authored by Michaels and George.
There did seem to be more sharing of phone numbers than of email addresses, although the researchers couldn't put an exact number on it because many of the numbers had been "rented" before by other people.
Furthermore, random number dialing by telemarketers and robocallers muddied the waters — at least 10% of all calls received were the familiar "car extended warranty" robocall scam.
Republican vs Democrat divide
The biggest differences the researchers saw were in political affiliation. Republican and conservative websites were much more active in reaching out to registered users than Democratic and liberal ones.
The fake personas that had been created with very clear political leanings got twice as many emails and 12 times as many texts from the GOP as from the Democrats, although the number of phone calls was about even.
"We found that the accounts subscribed to Republican organizations received far more SMS texts than those subscribed to Democratic organizations," the researchers' white paper states.
Interestingly, the number of emails and calls from Democratic groups dropped off sharply about a month before the presidential election — "Biden's traffic nearly ceased," notes the white paper — while those from Republican groups continued right up until Election Day.
The researchers attribute this to Democratic candidate Joe Biden's solidifying lead in the polls as the election approached, while the Trump team kept fighting from an underdog position.
Michaels and George plan to continue the research with even more personas and a new phone-number provider; the service they used started recording phone messages only 12 seconds into a call, with the result that many voicemails were just silence. They also saw that many companies sent fewer messages to registered users over time, as the accounts lay dormant without any activity.
"Lack of recipient activity is often a clear indicator of a ghost account, which hurt our study," said Michaels. "We're going to come up with automated ways of stimulating response activity."
You can view George and Michaels' Black Hat presentation slides here.