Joyriding – stealing a car just for the fun of it – is a signature act of troublemaking teenagers seeking excitement and a chance to show off their bravado. But while car theft is among the most common adolescent crimes, joyriding has a very 20th century feel to it. It is a physical crime involving keys, gears, metal and rubber on asphalt.
Now that young people are more often to be found hanging out in virtual spaces such as social networks and online games, they are testing out new ways to show off. Online, they don’t steal objects but information – including other people’s names.
A particularly high-profile case has recently drawn to a satisfactory conclusion with the stolen Twitter handle @N being returned to its rightful owner, Naoki Hiroshima. But the case reveals a glimpse of the strange underworld of virtual larceny, carried out for lulz, not money.
Some months ago, Hiroshima found that his a thief had gained access to his email and other website accounts. He says the thief then used this access as leverage to extort his @N username. Hiroshima was aware that the username had value and even claims that he was offered $50,000 for it in the past. However, he and many others were surprised at the extraordinary lengths the hacker had gone to to wrest control of it.
What’s in a name?
We usually think of name and reputation being tightly coupled. To steal your good name is to steal your reputation. But on Twitter, name and reputation are separable – and both, for different reason, are targets for thieves.
An account is valuable for its following – the people its reputation has gathered. By hijacking an account, you can get a message out to a particular audience. The Syrian Electronic Army, for example, has been known to take control of high-profile accounts like those run by CNN, The Onion, and FC Barcelona among others. Once in charge, the group sends out messages relating to its agenda, such as: “DON’T FORGET: Al Qaeda is Al CIA da. Funded, armed and controlled.” That way, it can reach audiences of millions, many of whom will not have heard of the SEA before and certainly don’t follow its Twitter account.
Hackers who steal Twitter usernames have very different motivations. They don’t want the account – they have their own account, with their own friends following them. Their interest is in having a cool new username to show off.
Single words are cool, especially something such as @slurp . Indeed, since there are hundreds of millions of active Twitter accounts, most single word names have already been taken, so even random words such as @compacting have cachet.
The trouble is, usernames are not tightly coupled with a user’s profile. A hacker doesn’t always have to go to extreme lengths to detach a user from their username. Once a thief has gained access to someone else’s account, it is relatively easy to change the username. That means that a coveted username is freed for someone else to use.
Early adopters who got in before Twitter was popular were able to take their pick of user names, with many opting for short handles, such as @A, @B or @N. But now they have to work hard to hold onto them. Those who control accounts like these say they get frequent alerts telling them that someone has tried to change their password – a sign that someone is attempting to break into their account.
In it for the #lulz
In September 2012, the Twitter account of Daniel Dennis Jones, with the username @blanket, was hacked. When he logged in, he found that the account hadn’t been touched except that the username had been changed to something obscene.
By following tweets referring to @blanket, he found a black market of stolen Twitter names and was able to follow the conversation, on Twitter, between the new possessor of @blanket and his hacker friends. They were kids, trading and selling stolen names – and giving them to girls they hoped to impress. Their feeds were filled with bragging and put-downs, complaints about school and plans to play Xbox.
Short usernames suchas @blanket, @zone or @violent mark the thieves as people with the knowhow to obtain the illicit ID –- whether they hacked the account themselves or had the connections to barter or buy it. Theirs is not a revolutionary stand; they have little interest in the user whose name they have stolen or the mess they’ve made of that person’s online identity.
Like the joyriding teens on the street, hackers who steal Twitter names may make some money by selling their stolen goods, but their primary goal seems to be status display. They are showing off their daring and know-how to their friends.
But they are rarely caught and when they are, they face limited consequences, such as being frozen out of an account. Jones noted that when his @blanket name was stolen, he was unable to find any mention in Twitter’s documentation that such a thing had happened or what his recourse might be, though clearly it was fairly common occurrence.
From what is known about adolescent car thieves, it seems that risk of punishment is often little deterrence anyway and the same is probably true for Twitter theft. Given that the thrill of doing something illicit and risky is a big part of the appeal, the threat of punishment can even be counterproductive.
It is important, too, to keep in mind the tremendous differences between physical and online consequences. Automotive joyrides too often end in serious accidents and even death for the people involved. The dangers of joyriding on a Twitter username are, for the most part, virtual and impermanent (though it is an upsetting experience for the victim). These are issues we need to think about as we grapple with questions about the desirability of an adolescence spent online.
Judith Donath is affiliated with Harvard University’s Berkman Center for Internet and Society.