Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Large-scale online deanonymization with LLMs

Simon Lermen, Daniel Paleka, Joshua Swanson, Michael Aerni, Nicholas Carlini, Florian Tramèr

TL;DR

This work shows that large language models with web access can automate deanonymization of pseudonymous online profiles at scale by extracting identity-relevant signals from unstructured text, searching across vast candidate pools via embeddings, and performing multi-stage reasoning with calibrated confidence. The authors introduce the ESRC framework (Extract, Search, Reason, Calibrate) to modularize deanonymization and enable rigorous ablations, and they validate their approach across three settings: cross-platform profile linking (Hacker News to LinkedIn), cross-community Reddit matching, and temporally split Reddit profiles. Across these settings, LLM-based methods substantially outperform Narayanan-style baselines, achieving recall up to 68.3% at 90% precision and demonstrating robustness to large candidate pools and rare matchability. The results underscore significant privacy risks associated with pseudonymous participation and encourage rethinking privacy guarantees, platform policies, and potential mitigations in the era of accessible LLM-powered deanonymization. The work also discusses ethical considerations, limitations, and avenues for future defenses and evaluative frameworks at scale.

Abstract

We show that large language models can be used to perform at-scale deanonymization. With full Internet access, our agent can re-identify Hacker News users and Anthropic Interviewer participants at high precision, given pseudonymous online profiles and conversations alone, matching what would take hours for a dedicated human investigator. We then design attacks for the closed-world setting. Given two databases of pseudonymous individuals, each containing unstructured text written by or about that individual, we implement a scalable attack pipeline that uses LLMs to: (1) extract identity-relevant features, (2) search for candidate matches via semantic embeddings, and (3) reason over top candidates to verify matches and reduce false positives. Compared to prior deanonymization work (e.g., on the Netflix prize) that required structured data or manual feature engineering, our approach works directly on raw user content across arbitrary platforms. We construct three datasets with known ground-truth data to evaluate our attacks. The first links Hacker News to LinkedIn profiles, using cross-platform references that appear in the profiles. Our second dataset matches users across Reddit movie discussion communities; and the third splits a single user's Reddit history in time to create two pseudonymous profiles to be matched. In each setting, LLM-based methods substantially outperform classical baselines, achieving up to 68% recall at 90% precision compared to near 0% for the best non-LLM method. Our results show that the practical obscurity protecting pseudonymous users online no longer holds and that threat models for online privacy need to be reconsidered.

Large-scale online deanonymization with LLMs

TL;DR

This work shows that large language models with web access can automate deanonymization of pseudonymous online profiles at scale by extracting identity-relevant signals from unstructured text, searching across vast candidate pools via embeddings, and performing multi-stage reasoning with calibrated confidence. The authors introduce the ESRC framework (Extract, Search, Reason, Calibrate) to modularize deanonymization and enable rigorous ablations, and they validate their approach across three settings: cross-platform profile linking (Hacker News to LinkedIn), cross-community Reddit matching, and temporally split Reddit profiles. Across these settings, LLM-based methods substantially outperform Narayanan-style baselines, achieving recall up to 68.3% at 90% precision and demonstrating robustness to large candidate pools and rare matchability. The results underscore significant privacy risks associated with pseudonymous participation and encourage rethinking privacy guarantees, platform policies, and potential mitigations in the era of accessible LLM-powered deanonymization. The work also discusses ethical considerations, limitations, and avenues for future defenses and evaluative frameworks at scale.

Abstract

We show that large language models can be used to perform at-scale deanonymization. With full Internet access, our agent can re-identify Hacker News users and Anthropic Interviewer participants at high precision, given pseudonymous online profiles and conversations alone, matching what would take hours for a dedicated human investigator. We then design attacks for the closed-world setting. Given two databases of pseudonymous individuals, each containing unstructured text written by or about that individual, we implement a scalable attack pipeline that uses LLMs to: (1) extract identity-relevant features, (2) search for candidate matches via semantic embeddings, and (3) reason over top candidates to verify matches and reduce false positives. Compared to prior deanonymization work (e.g., on the Netflix prize) that required structured data or manual feature engineering, our approach works directly on raw user content across arbitrary platforms. We construct three datasets with known ground-truth data to evaluate our attacks. The first links Hacker News to LinkedIn profiles, using cross-platform references that appear in the profiles. Our second dataset matches users across Reddit movie discussion communities; and the third splits a single user's Reddit history in time to create two pseudonymous profiles to be matched. In each setting, LLM-based methods substantially outperform classical baselines, achieving up to 68% recall at 90% precision compared to near 0% for the best non-LLM method. Our results show that the practical obscurity protecting pseudonymous users online no longer holds and that threat models for online privacy need to be reconsidered.
Paper Structure (105 sections, 8 equations, 10 figures, 6 tables, 1 algorithm)

This paper contains 105 sections, 8 equations, 10 figures, 6 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Our contributions.
  3. Implications.
  4. LLM agents can autonomously re-identify anonymous online profiles
  5. Results
  6. Hacker News $\to$ LinkedIn.
  7. Anthropic Interviewer transcripts.
  8. Limitations of the agentic approach.
  9. A framework for scalable deanonymization with LLMs
  10. Threat model
  11. Attacker goal.
  12. Controlling deanonymization difficulty.
  13. The ESRC deanonymization framework
  14. Experimental Setup
  15. Linking profiles across platforms: Hacker News and LinkedIn
  16. ...and 90 more sections

Figures (10)

  • Figure 1: End-to-end deanonymization from a single interview transcript from anthropic2025interviewer (details altered to protect the subject's identity). An LLM agent extracts structured identity signals from a conversation, autonomously searches the web to identify a candidate individual, and verifies the candidate matches all extracted claims.
  • Figure 2: Overview of our framework for large-scale deanonymization. Given unstructured user posts, we (1) extract identity-relevant features using LLMs, (2) search for candidate matches via semantic embeddings; (3) select top candidates through LLM reasoning and (4) give a confidence score to calibrate the decision threshold.
  • Figure 3: LinkedIn to Hacker News matching. (a) Precision-recall curves comparing methods: LLM-based embeddings outperform the Netflix Prize attack baseline, and LLM selection from the top-100 candidates further improves performance. (b) Matching recall @90%precision by candidate pool size. Dashed lines show log-linear extrapolation to larger pools.
  • Figure 4: (a) Precision-recall curves comparing methods for Reddit movie matching. LLM reasoning outperforms both the embedding gap baseline and the Netflix Prize attack. (b) Recall at precision thresholds by number of shared movies, using GPT-5.2 high reasoning. Users who share more movies are substantially easier to identify. See \ref{['tab:recall_by_shared_movies']} for detailed breakdown.
  • Figure 5: Two-stage matching of movie reviews with simplified synthetic user profiles. The first LLM selects from top-K embedding similarity candidates; the second LLM verifies the selected match using full profile text. Bold text highlights profile details used by the LLM.
  • ...and 5 more figures