1. Call Me MayBe:
Understanding Nature and Risks of
Sharing Mobile Numbers on Online Social
Networks
Prachi Jain
M.Tech. Thesis Defense
14th November 2013
Committee:
Dr. Ponnurangam Kumaraguru, IIIT-Delhi (Chair)
Dr. Alessandra Sala, Alcatel Lucent (Bell Labs), Dublin
Dr. Amarjeet Singh, IIIT-Delhi

2. Problem Statement
 Characterize mobile number sharing behavior on
Online Social Networks.
 Examine risk of collation of mobile number’s
owner data from multiple online public data
sources.
 Propose a systematic approach for risk
communication.
2

3. Achievements
 Paper:
Call Me MayBe: Understanding Nature
and Risks of Sharing Mobile Numbers on
Online Social Networks, Conference
on Online Social Networks (COSN) 2013
 Poster:
Flash of Two Worlds, Security and
Privacy Symposium (SPS) 2013
3

4. Achievements
4

5. 5

6. Research
motivation

7. Research Motivation
 46% of Internet users post original (self created)
content on internet.
 User Generated Content (UGC) has high similarity with
offline interactions of user.
 Concerns on (un)intentional mention of sensitive
information on OSN profile.
 Mobile phone number is an example of identifiable
information with which a real-world entity can be
associated uniquely, in most cases.
7

8. How many of you have posted
mobile numbers on Online Social
Networks?
How many of you have seen
mobile numbers being posted on
Online Social Networks?
8

9. Sample posts
9

10. Sample posts
10

11. Sample posts
11

12. Sample posts
12

13. Is it a good idea?

14. Characterize mobile number
sharing behavior on Online
Social Networks
 Focus on Indian Mobile Numbers
“India has the fastest growing telecom
market in the world.“
 Focus on two most popular social
networks – Facebook & Twitter
14

15. Background

16. Twitter 101
Name
Screen name
User description
Whom I
follow
Who
follow me
Tweet
Retweet = Tweet exposed
16
to new audience

17. Facebook 101
Name
People I am
friends with
User attributes
Public !
Post
17

18. Personally Identifiable Information
(PII)
An attribute that itself or in combination of other
attributes can connect an online user account
with a real world entity.
 Email address (Balduzzi et al, 2010)
 Phone numbers (Magno et al, 2012; Jain et al, 2013)
18

19. Indian Mobile Number format
 10 digit number, start with 7 / 8 / 9
 Country code: +91 ( Example: +91 9123456789 )
 Trunk Code: 0 ( Example: 0 9123456789 )
No standard
way of sharing mobile numbers on OSN!
+91- 9123456789
91.91.23.456.789
+91- 91-2345-6789 (91)23.456.789
0 9123456789
(91234)56789
19

20. Literature
Review

21. Literature review
 Identity information disclosure on OSNs.
 Consequences of identity information disclosure on
OSNs.
 Communicating the risk of identity information
disclosure.
21

22. 1. Identity information disclosure
on OSNs
Zheleva et al, 2009
Group membership
Balduzzi et al, 2010
Email address
Burger et al, 2011
Gender
Dey et al, 2012
Age
Magno et al, 2012;
Chen et al, 2012;
Jain et al, 2013
Phone numbers
No quantitative study on mobile numbers sharing
behavior on OSN.
22

23. 1. Identity information disclosure
on OSNs
Chen et al, 2012
Observed 2% Facebook users (in their dataset) share
their mobile number as a profile attribute.
Magno et al, 2012
Observed users share their mobile number as profile
attribute on Google+
Single Indian males share most mobile numbers
We dive deeper to understand characteristics of exposed
mobile numbers on Facebook and Twitter posts and user
descriptions.
23

24. 2. Consequences of identity
information disclosure on OSNs
Jagatic et al, 2007
Social phishing
Chen et al, 2012 Mao et al, 2011
Linkage attack
Privacy attack
Krishnamurthy et al, 2012
Auxiliary information collected from online sources might help in
connecting an online profile with an offline entity.
We explore if Indian mobile numbers leaked from OSNs
can be used to gain a wider profile by linking it with
e-government data and truecaller.
24

25. 2. Consequences of identity
information disclosure on OSNs
Schrittwieser et al, 2012
Mobile numbers can be used
to exploit smart phone
messaging services.
Address book resolution
Impersonation, SMS spam,
Phone number enumeration
attack, Status message forgery
attack
Cheng et al, 2013
Address book resolution
Randomly picked mobile
numbers used to integrate
accounts on WeChat and
MiTalk.
Aggregate information
about users in China.
25

26. 2. Consequences of identity
information disclosure on OSNs
We link exposed Indian mobile numbers on
Facebook and Twitter profile with their
WhatsApp profiles.
We study comprehensiveness of additional
information obtained.
26

27. 3. Communicating the risk of
identity information disclosure
Krishnamurthy et al, 2012
Privacy leaks could be prevented by alerting the users
about information sharing vulnerabilities.
We communicate the risk to a set of users by calling them
with the help of an IVR system.
We also study their reactions.
27

28. Methodology

29. Approach
Keyword Selection
Data Extraction / Collection
Data Validation
29

30. System architecture
Facebook
Graph
API
Public users /
posts
with mobile
numbers
Category
+91
Regex
patterns
Category 0
Category
void
call ring
Mobile
number
validation
Keyword
Selection
contact
Indian
Mobile
Number
Database
Category
void
Twitter
Stream
API
Keyword selection
Public Bio/Tweets
with mobile
numbers
Regex
patterns
Category 0
Category
+91
Data collection
Data validation
30

31. System architecture
Facebook
Graph
API
Public users /
posts
with mobile
numbers
Category
+91
Regex
patterns
Category 0
Category
void
call ring
Mobile
number
validation
Keyword
Selection
contact
Indian
Mobile
Number
Database
Category
void
Twitter
Stream
API
Keyword selection
Public Bio/Tweets
with mobile
numbers
Regex
patterns
Category 0
Category
+91
Data collection
Data validation
31

32. Data statistics
Twitter:
12th October 2012 – 20th October 2013
Facebook:
16th November 2012 – 20th April 2013
Numbers
Category +91
Category 0
Category void
Twitter Facebook Twitter Facebook Twitter
Mobile
885
Numbers
2,191
User
profiles
2,663
1,074
100%
14,909 8,873
85%
17,913 9,028
Total
Facebook Twitter Facebook
25,566 25,294
41,360 36,358
85%
31,149 25,406
49,817 36,588
32

33. Analysis

34. Ownership
Analysis

35. Ownership analysis: Methodology
Owner posted
the number
Post
Has 1st
person
pronoun
Frequent
action
words
Bio /
Name
Y
Y
Has 2nd / 3rd
person
pronoun
N
Phrasal
search
Y
Non-owner posted
the number
35

36. Ownership Analysis: Results
Social Network Mechanism
Mobile
Numbers
Total
Twitter:
Owner
Bio
155
291/885 (33%)
Tweet
136
Non-owner
Tweet
18
18/885 (0.02%)
Facebook:
Owner
Post
468
485/2191 (22%)
Name
17
Non-owner
Message
25
25/2191
(0.01%)
Users share their own mobile numbers on OSNs!
36

37. Source Analysis

38. Source analysis: Results
Which applications are used
Which applications are used
to share mobile numbers on
to share mobile numbers on
Twitter?
Facebook?
32% numbers on Twitter
were pushed from
Facebook
5%
Facebook
mobile
Facebook for
iPhones
Photos
1%
Facebook
11%
32%
Twitterfeed
12%
8%
Google
26%
LinkedIn
26%
TweetDeck
14%
50%
15%
Facebook for
Android
HootSuite
Twitterfeed
Users posted same mobile numbers on multiple OSNs !
38

39. Topographical
Analysis

40. Topographical analysis:
Methodology
Indian Mobile number
XXXX - NNNNNN
Network operator
Subscriber number
Telecom Zone/Circle
Metro
(High density)
A Circle
(Largest
population coverage)
B Circle
C Circle
(Smallest
population coverage)
(Source: http://www.trai.gov.in)
40

41. Topographical analysis: Results
Telecom Circle
Category
# of Mobile Numbers
Delhi
Metropolitan 582
Mumbai
Metropolitan 312
Karnataka
“A” Circle
233
Punjab
“B” Circle
226
Rajasthan
“B” Circle
171
Andhra Pradesh
“A” Circle
164
Kerala
“B” Circle
158
Maharashtra
“A” Circle
140
Gujarat
“A” Circle
135
Tamil Nadu
“A” Circle
102
Users of metropolitan cities in India actively posted mobile
numbers on OSNs !
41

42. Gender Analysis

43. Gender analysis: Results
Cross Syndication
Facebook Twitter
Total users
Gender available (G)
2,663
1,438
1,074
29
Females (F)
Males (M)
F/G
220
1,218
15%
6
23
20%
Females are conservative while
sharing mobile numbers on OSNs !
43

44. Context Analysis

45. Context Analysis: Results
Twitter Tag Cloud
Facebook Tag Cloud
Emergency,
marketing, escort
and entertainment
business are major
context on OSNs !
45

46. Risk
Assessment

47. Risk of Collation: Experiment 1
Methodology
Mobile
Number
Penetration rate:
Store in Phone
Address Book
Install and
open
WhatsApp
Status
userexposed
prate =
usertotal
= 1,071 / 3,076
= 34.8 %
Last Seen
time
47

48. Risk of Collation: Experiment 1
Sample Status
48

49. Risk of Collation: Experiment 2
OCEAN:
Open
Government
Data
Repository
Details
User 1
User 2
Mobile
Number
+9198xxxx5485
+9199xxxx2708
Full Name
xxxxxx Jeswani
x Gambhir
Age
53
23
Gender
Male
Father’s
Name
x x Jeswani
Address
***, Mig Flats, *-block,
xxxxx Vihar Phase-I
8 Delhi
Male
Users
xx Gambhir
Identified
Uniquely
***, xxxx Bagh,
Delhi
ID
Driving License:
DL/04/xxx/222668
Voter ID:
NLNxxx5696
Shared by
Owner?
Yes
No
49

50. Risk
Communication

51. Experiment: IVR System Setup
(2,492)
51

52. Result:
Callee
Decision
Tree
0.35 (867)
Call the
Number
0.65 (1625)
Call not
picked
Call picked
0.61 (988)
Listen
message
Disconnect
the Call
0.48 (479)
0.52 (509)
Listen Options
0.21 (107)
FORM 1
0.39 (637)
Didn’t know
0.23 (47)
Leave
Feedback
Disconnect
the Call
0.20
(102)
0.59 (300)
Posted
purposefully
Disconnect
the Call
0.77 (60)
Disconnect
the Call
1.0 (47)
Disconnect
the Call
52

53. Feedback
“Thank you for information, I have deleted, I will not
post my number online.”
“I want to know how to remove my number and I don't
know, I haven't put my number purposely but if it is
there, where exactly it is there I would also like to know
that. Please get in touch with me asap. Thank you!”
“It is a very nice process that you are doing and making
people aware about online frauds and telephone
number frauds but your system is basically calling
business houses”
53

54. Understanding user’s
response: Ownership analysis
Ownership analysis on posts from users who said that
they did not know that their number can be leaked (IVR
option 1)
38.3% (41/107) of mobile numbers were posted
publicly by their owners.
Inability of users to manage their privacy settings.
OR
Inadvertent disclosure of personal information (mobile
number)
54

55. Evaluation: Interview
Mobile numbers
from profiles on
OSNs
Collating with
e-government
data repository
(OCEAN)
8 users
identified
uniquely
55

56. Interview questions
Interviewed 8 people whom we uniquely
identified.
To validate the information we had about them.
Inquire if they posted mobile number on OSN.
If yes than why?
If no then we informed them about the profile revealing
their number. And asked if they knew the person.
Will they remove the number and Why?
Feedback?
56

57. Interview results
# of callee
True positive (Valid information) 5/8
False positive
1/8
Denied to get interviewed
1/8
Did not pick
1/8
57

58. Interview Response
 Suspected if we got the information via
offline sources.
 Called their service provider to confirm
what bad we can do with this information
about them.
58

59. Interview Response
Posted mobile number to be in touch with friends
and relatives.
 Expressed concerns of getting calls from
unwanted people.
Posted mobile number to promote a small scale
business.
 Inquired and suggested some countermeasures.
59

60. Take
Aways

61. Take Aways
Users share their own mobile numbers on OSNs.
Users post same mobile numbers on multiple OSNs.
Females are conservative while sharing mobile numbers on
OSNs.
A publically shared mobile number can expose sensitive details
(age, ID, family details and full address) of its owner, from
multiple sources.
We should communicate the risks of sharing mobile numbers
online, to their owners.
Few users were unaware of the online presence of their number.
61

62. Future work
Build a generic technological,
people and process oriented
solutions to forewarn users and
raise awareness towards risks of
exposing mobile numbers on
OSNs.
62

63. Acknowledgments
Paridhi Jain, PhD student, IIIT Delhi
Siddhartha Asthana, PhD student, IIIT Delhi
Anupama Aggarwal, PhD student, IIIT Delhi
Precog family
63

64. Publications and poster
Prachi Jain, Paridhi Jain, Ponnurangam
Kumaraguru. Call Me MayBe: Understanding
Nature and Risks of Sharing Mobile Numbers on
Online Social Networks. ACM Conference on Online
Social Networks (COSN) 2013
Prachi Jain, Ponnurangam Kumaraguru. Flash of
Two Worlds. Security and Privacy Symposium (SPS)
2013
64

65. References
1.
Paul 2010, Broken promises of privacy: Responding to the surprising
failure of anonymization. UCLA Law Review, 57:1701, 2010.
2.
Prachi Jain, Paridhi Jain, and Ponnurangam Kumaraguru. Call me maybe:
understanding the nature and risks of sharing mobile numbers on online
social networks. In Proceedings of the first ACM conference on Online
social networks, pages 101-106. ACM, 2013.
3.
Gabriel Magno, Giovanni Comarela, Diego Saez-Trumper, Meeyoung Cha,
and Virgilio Almeida. New kid on the block: Exploring the google+ social
graph. In Proceedings of the 2012 ACM conference on Internet
measurement conference, pages 159-170. ACM, 2012.
4.
Latanya Sweeney. k-anonymity: A model for protecting privacy.
International Journal of Uncertainty, Fuzziness and Knowledge-Based
Systems, 10(05):557-570, 2002.
5.
Marco Balduzzi, Christian Platzer, Thorsten Holz, Engin Kirda, Davide
Balzarotti, and Christopher Kruegel. Abusing social networks for
automated user proling. In Recent Advances in Intrusion Detection, pages
422-441. Springer, 2010.
65

66. References
6.
Ratan Dey, Cong Tang, Keith Ross, and Nitesh Saxena. Estimating age privacy
leakage in online social networks. In INFOCOM, 2012 Proceedings IEEE, pages
2836-2840. IEEE, 2012.
7.
John D Burger, John Henderson, George Kim, and Guido Zarrella.
Discriminating gender on twitter. In Proceedings of the Conference on
Empirical Methods in Natural Language Processing, pages 1301-1309.
Association for Computational Linguistics, 2011.
8.
Tom N Jagatic, Nathaniel A Johnson, Markus Jakobsson, and Filippo Menczer.
Social phishing. Communications of the ACM, 50(10):94-100, 2007.
9.
Terence Chen, Mohamed Ali Kaafar, Arik Friedman, and Roksana Boreli. Is
more always merrier?: a deep dive into online social footprints. In
Proceedings of the 2012 ACM workshop on Workshop on online social
networks, pages 67-72. ACM, 2012.
10. Huina Mao, Xin Shuai, and Apu Kapadia. Loose tweets: an analysis of privacy
leaks on twitter. In Proceedings of the 10th annual ACM workshop on Privacy
in the electronic society, pages 1-12. ACM, 2011.
66

67. References
11. Sebastian Schrittwieser, Peter Fruhwirt, Peter Kieseberg, Manuel Leithner,
Martin Mulazzani, Markus Huber, and Edgar Weippl. Guess whos texting you?
evaluating the security of smartphone messaging applications. In
Proceedings of the 19th Annual Symposium on Network and Distributed
System Security, 2012.
12. Yao Cheng, Lingyun Ying, Sibei Jiao, Purui Su, and Dengguo Feng. Bind your
phone number with caution: automated user proling through address book
matching on smartphone. In Proceedings of the 8th ACM SIGSAC symposium
on Information, computer and communications security, pages 335-340.
ACM, 2013.
13. Balachander Krishnamurthy. Privacy and online social networks: Can colorless
green ideas sleep furiously? IEEE Security & Privacy, 11(3):14-20, 2013.
14. Zeynep Tufekci. Can you see me now? audience and disclosure regulation in
online social network sites. Bulletin of Science, Technology & Society,
28(1):20-36, 2008.
67

68. Thank You!

69. Questions?
prachi1107@iiitd.ac.in
pk@iiitd.ac.in

70. For further information, please write to
pk@iiitd.ac.in
precog.iiitd.edu.in