
Do you think you'll be safe by changing your guise? A single paper has exposed the entire Internet's true nature.

酷玩实验室 2026-04-08 09:24
Changing your online identity, creating a fake username, and never revealing your real name. Do you think you can avoid being traced this way?

How many online aliases do you have?

One on Douban, used to rate and complain about bad movies; one on Zhihu, where I occasionally answer some professional questions to pretend to be an expert; and one on Weibo, specifically for posting complaints I don't want my colleagues to see.

You think it's quite safe. After all, the name is made up, the profile picture is randomly chosen, and you've never said where you live or what your name is. Who would bother to investigate you? Even if they really want to, going through thousands of your posts for cross-comparison would cost tens of thousands just in labor costs. (This figure is just a wild guess of mine.)

This sense of security has recently been completely shattered by a research paper.

In February 2026, researchers from the AI giant company Anthropic and the Swiss Federal Institute of Technology in Zurich (ETH Zurich) jointly published a research paper with a title so straightforward it's terrifying: "Large-scale online deanonymization with LLMs."

In plain language: Use AI to match anonymous online users with real people.

How much does it cost? One to four dollars, the price of an Americano.

I. Stripping Off Your Alias

Let's first talk about how this experiment was conducted.

The research team built a fully automated AI system and tested it on three sets of real-world data. The most crucial set was as follows: They collected a batch of anonymous user posts from Hacker News (an information website in the technology field), removed all obvious identity identifiers, deleting names, usernames, and links. Then they let the AI search the internet to see if it could match these anonymous accounts with real-life resumes on LinkedIn.

Result: Out of 338 people, 226 were correctly identified, with a recall rate of 67% and a precision rate of approximately 90%.

What does this mean? For every 10 people the AI identifies, about 9 are correctly identified.

On the same set of data, the traditional method based on structured data matching has a recall rate of 0.1%, almost zero.

In the past, the process of "unmasking" an anonymous user might involve spending several days going through posts, looking for clues, and conducting cross-verifications. It was time-consuming, labor-intensive, and extremely costly. So most people thought they were safe. The researchers call this "practical obscurity." In plain language: You're safe only because it's not cost-effective to investigate you.

This research paper proves that this premise no longer exists.

II. How Does AI "Unmask" You?

You might be curious: A person posts some random things online without writing their name or address. How can AI lock in their real identity?

It relies on the accumulation of all "micro-data."

The researchers broke down the process of AI "unmasking" into four steps, and then the AI detective starts piecing things together online:

Step 1: Extraction. The AI goes through all your posts and extracts "identity signals" from the seemingly random text. Did you mention that you're in biological research? Make a note! Did you use the British spelling "analysing" instead of the American "analyzing"? There's a high probability that you're in the UK or a Commonwealth country. Did you complain that your child is going to school in the fall? Now we know the age range and family situation. These fragmented pieces of information are organized into a semi-structured profile.

Step 2: Search. Convert this profile into a set of mathematical vectors, and then perform a "nearest-neighbor search" in a database of millions of candidates. In essence, it's the same technology as using a search engine to find similar documents. The AI filters out a group of candidates who seem to match from the vast crowd.

Step 3: Inference. This step is the most crucial. The AI puts the profile of the anonymous account and the public information of the candidates side by side and starts to infer: Do both people mention the same obscure academic conference? Do they have unique insights into a niche director? Are their word-usage habits highly similar? Traditional methods would hit a dead end at this step. The rule-based system can't understand what it means when "two people talk about Timothée Chalamet using a rooftop scene in different posts." A large language model can.

Step 4: Calibration. The AI assigns a confidence score to each matching result. If it's not sure, it won't act, which ensures a low false-positive rate.

Looking at each of the four steps individually, they all seem like completely normal and legal AI functions: summarizing text, semantic search, content comparison, and credibility scoring. None of the steps are doing anything bad, but when strung together, the "unmasking" assembly line starts running.

One of the researchers, Daniel Paleka, said something very memorable in an interview: "If your security depends on 'no one will spend hours investigating me,' then this model has now collapsed."

Image | The process is roughly like this

III. The More Movies You Talk About, the Easier You Are to Be Recognized

The above experiment might seem far from your own experience. After all, not everyone has both Hacker News and LinkedIn accounts. The research team also conducted several tests closer to everyday life.

For example, in the Reddit movie community experiment, the researchers collected users' post records from r/movies and several related sub-forums, and then tested whether the AI could link accounts scattered across different sections.

It was found that the likelihood of being recognized is strongly related to the number of movies you've talked about:

  • Users who have only mentioned 1 movie have a 3.1% chance of being recognized (at 90% precision)
  • Those who have mentioned 5 to 9 movies, 8.4%
  • Those who have mentioned more than 10 movies, 48.1%

Nearly half. You just talked about your favorite movies in different sections, and the AI can link all your alternate accounts.

And there's the Anthropic interview experiment. This one is even more extreme. Anthropic previously conducted an internal questionnaire asking employees and external participants how they usually use AI tools. The researchers obtained 125 anonymous responses and then let the AI try to find the real people on the internet based on the response content.

Result: 9 people were successfully identified.

One case is very representative. A respondent mentioned in the questionnaire that "I work in the field of biology, and my research direction is a certain topic," "My background is in physics," and "My supervisor and I are recently discussing the analysis of the impact of a certain phenomenon." With just this information, the AI first locked in a doctoral student at a university in the UK and then cross-verified through records on GitHub repositories and bioRxiv preprints. It matched.

Image | A very rigorous and effective AI "unmasking" test case

A 7% recognition rate might not seem high, but these people didn't post anything or use social media. They just casually talked about their work in an anonymous questionnaire and were then targeted.

Simon Lermen, a co-author of the paper, said:

"Previous methods required structured data, and two datasets with similar formats were needed to match each other. Now AI can start directly from free text and find out who you are all the way. This is a brand-new ability."

IV. Why Safety Guards Can't Stop It

By now, you might be thinking: Aren't AI companies working on safety alignment? Can't they just add safety guards to the models, set rules to refuse to answer, and prevent them from doing bad things?

This is exactly what makes this research paper so disturbing.

It proves one thing: Task decomposition can bypass almost all safety guards.

If you directly ask a large AI model "Help me find out who this user is," it will probably refuse you. But what if you break down this task?

  • "Help me summarize the key information mentioned in this text." A normal request, approved.
  • "Help me convert this information into vector embeddings." A technical operation, approved.
  • "Help me rank these 500 candidates." A common function of recommendation systems, approved.
  • "Help me evaluate whether these two people are the same person." Text comparison, approved.

Each step is harmless, but when these four steps are combined, it's a complete "unmasking" attack.

Relying solely on AI companies to lock their models won't stop this. You can't ban text summarization, semantic search, or similarity ranking. These are the most basic capabilities of large language models.

In 2008, there was a sensational case. Netflix made a batch of anonymous user viewing records public with the intention of holding an algorithm competition. Two researchers used these data to cross-compare with public comments on IMDb, successfully identifying real identities and even their political inclinations.

But at that time, the attackers needed two structured datasets with similar formats. Now? Any text will do. Your short reviews on Douban, answers on Zhihu, complaints on Weibo, or filler posts on Tieba. Any free text is an attack surface.

Jacob Hoffman-Andrews, a senior technical expert at the Electronic Frontier Foundation (EFF), said: "Large language models work fast and never get bored. This makes them ideal internet detectives."

Incidentally, a month before the publication of this research, Grok, the chatbot of xAI under Elon Musk, caused an incident: Siri Dahl, an American adult content creator who had used a stage name for 12 years, had her real name and home address directly revealed by Grok during a normal conversation. She later posted on social media, saying that her private information had been re-spread by other AI crawlers and "spread across the entire internet."

What's described in the paper is an academic experiment. In reality, it's already happening.

V. So What?

So what should ordinary people do?

The co-authors of the paper gave some practical suggestions:

For platforms, the most effective short-term measure is to limit data access. Set frequency limits on APIs, detect automated crawlers, and restrict bulk data exports. This won't eliminate the threat, but it can increase the cost of large-scale attacks.

For AI service providers, a refusal-to-answer strategy at the individual request level has limited significance. It's more valuable to monitor the patterns of API calls. If a user first calls the summarization interface, then the embedding interface, and then the ranking interface, this sequence itself is a signal.
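The call-sequence signal described for AI service providers can be checked per API key over request logs. The sketch below is an added example, not code from the paper or from any provider: the endpoint names, the one-hour window and the log tuple format are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical endpoint names for the four stages the article lists, in order.
PIPELINE = ("summarize", "embed", "rank", "compare")
WINDOW = timedelta(hours=1)  # assumed threshold; tune against real traffic

def flag_pipeline_sequences(events, pipeline=PIPELINE, window=WINDOW):
    """Return {api_key: [(chain_start, chain_end), ...]} for keys whose calls hit
    every stage in order within `window`; unrelated calls in between are ignored."""
    # starts[key][i] = latest start time of a chain that has completed stage i
    starts = defaultdict(lambda: [None] * len(pipeline))
    alerts = defaultdict(list)
    for ts, key, endpoint in sorted(events):
        chain = starts[key]
        # Walk stages last-to-first so a single call advances only one stage.
        for i in range(len(pipeline) - 1, -1, -1):
            if pipeline[i] != endpoint:
                continue
            if i == 0:
                chain[0] = ts  # a newer start supersedes a stale one
            elif chain[i - 1] is not None and ts - chain[i - 1] <= window:
                chain[i] = chain[i - 1]
        if chain[-1] is not None:
            alerts[key].append((chain[-1], ts))
            starts[key] = [None] * len(pipeline)  # re-arm after alerting
    return dict(alerts)

def at(hhmm):  # timestamp helper for the constructed sample below
    return datetime.strptime("2026-04-08 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample log: (timestamp, api_key, endpoint). Not real traffic.
SAMPLE = [
    (at("09:00"), "key-A", "summarize"), (at("09:05"), "key-A", "embed"),
    (at("09:06"), "key-A", "chat"),      (at("09:20"), "key-A", "rank"),
    (at("09:40"), "key-A", "compare"),
    # key-B: all stages present, but spread over more than the window
    (at("09:00"), "key-B", "summarize"), (at("09:10"), "key-B", "embed"),
    (at("11:30"), "key-B", "rank"),      (at("11:35"), "key-B", "compare"),
    # key-C: a stale early call, then a full chain inside the window
    (at("08:00"), "key-C", "summarize"), (at("10:00"), "key-C", "summarize"),
    (at("10:10"), "key-C", "embed"),     (at("10:20"), "key-C", "rank"),
    (at("10:50"), "key-C", "compare"),
    # key-D: the same endpoints in reverse order
    (at("09:00"), "key-D", "compare"),   (at("09:01"), "key-D", "rank"),
    (at("09:02"), "key-D", "embed"),     (at("09:03"), "key-D", "summarize"),
]

print(sorted(flag_pipeline_sequences(SAMPLE)))  # ['key-A', 'key-C']
```

A match is a reason to look at the key's volume and inputs, not proof of abuse, since ordinary retrieval applications also call these interfaces in this order.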

For individuals, co-author Joshua Swanson's suggestion is: If you want to post truly sensitive content