Use & Abuse of Personal Information

Researchers at the Virginia Tech National Security Institute (VTNSI) are running a project called Use & Abuse (U&A) of Personal Information (PI), which explores how PI propagates across the Internet when used in online transactions. They will continue this project through the data collection and analysis phases.

Funded by the CCI Hub

Project Investigators

Principal Investigator (PI): Alan Michaels, Director, Virginia Tech National Security Institute (VTNSI) Spectrum Dominance Division

Co-PI: Madison Boswell, Project Manager, VTNSI Project Management Office

Rationale and Background

On a daily basis, consumers are inundated by a wide array of digital content, some of which is requested, but often, it’s material that was not deliberately sought. 

Researchers formed a multi-disciplinary Use & Abuse research team to find out how that content is delivered.

They found that a single transaction can be traced as the source of a variety of subsequent traffic. Key elements of this personal information included name, email, a live phone number that supported phone calls and texts, and demographics representative of national averages.

VTNSI has run this multidisciplinary project since 2020. Read more about the previous work.

Methodology

Researchers will extend the original small-scale experiment from a manually constructed set of 300 identities to a more comprehensive automated set of 100,000 fake identities to be shared with second parties in one-time online transactions.

Fake IDs are sculpted and assigned to a variety of research questions before performing one-time online transactions. 

Results of those interactions are aggregated by an enterprise-scale open-source collection engine designed and built by students. This engine transforms incoming emails, SMS texts, and voicemails into labeled datasets to support analysis and comparison of PI sharing behaviors and cybersecurity characteristics of the online transaction (passwords, spam, malware). 

Of particular interest are cross-site sharing behaviors (attributable due to one-time interactions) and root sources of spam/malicious content. 

Projected Outcomes

This project creates a workforce pipeline trained in open-source intelligence; incoming students are mentored both by the faculty advisor and a group of more experienced students who have been previously engaged in the project.

Students can gain 2 to 3 years of hands-on experience solving a real-world problem, interact with sponsors directly, and be presented with job opportunities. 

With 15 majors represented in the current student group, researchers look  to further scale the level of multidisciplinary approaches to this real-world Open Source Intelligence (OSINT) problem.

Longer term targets include publication of the results (largely beginning in 2024, continuing through 2025) from analyzed data content, full automation for U&A tools, and creation of a public dashboard that highlights PI sharing behaviors in real-time. 

Milestones include:

• Extension of the student-developed Account Interaction Engine.
• A student-led alpha test of the system, followed by a full-scale signup event. 
• Hosting a fully-functional, internet-facing “honeypot” site (fake bank website). 
• Continued development of tools for data analysis.
• Secured external funding for the remainder of the U&A experiment.