Shortly before the EU Referendum, myself and a group of regular users who, let us say, were less than sympathetic to the BBC view of the World, were chased off the BBC Have Your Say message board by trolls who threatened to dox us. Nothing overt but enough information was provided in replies to indicate they knew where you lived and the names of any family members. Despite this being a serious breach of the site’s terms and conditions and an indication of a certain security issue, none of these trolls appeared to have their accounts suspended.
Anyway, last week, for a laugh, I decided to resurrect my BBC account by changing the display name from its original name of “Shaunie Babes” to “Going Postal”. Bear in mind only the display name was changed and my login email address remained the same. Only the display name is visible; all other personal information is known only to BBC admin staff.
So after six months without logging in I posted this:
Imagine then my surprise when I received the following reply just 12 minutes later:
A similar reply 18 months ago mentioned the first names of all the over 18s living in my house. This prompted me to stop contributing.
This raises three key questions:
Question One – How did a random user manage to link the name “Going Postal” to a name I hadn’t posted under for 18 months? “Going Postal” had only been created minutes before.
Question Two – How was someone figuring out my real name from the words “Going Postal” and looking for it on the electoral roll?
Question Three – Why were they under the impression I was registered to vote at two locations?
Well the answer to the first question is easy. They have a copy of the BBC database of online users. Except it can’t be a copy as they spotted a change only a few minutes old. So they have real-time access to the BBC database of online users.
Now the answer to the second question is also easy and follows on from the first. If they have access to the BBC database of online users they’ll also have access to the login email addresses and Facebook names used to sign in. This will get you the user’s name, which you can check against the national electoral roll. Therefore the person trolling me had access to an electronic copy.
Now the third question is where they gave the game away as to who was responsible. Just searching for a name on the electoral roll will bring up dozens of matches, therefore they have to have a rough idea of their location in order to dox someone. This you get via the posting IP. This is where they slipped up. I was being very naughty and posting at work. They saw two different IP addresses from different ISPs, put two and two together and got three.
So what then do we know about this troll?
They have access to the BBC online database.
They have access to the electoral roll.
They have access to IP addresses of visitors.
A serious security issue, I’m sure you’ll agree. So being a good public citizen I went on the Information Commissioner’s website to report this matter and was informed I had to contact the source of any potential breach of my data first.
Well the people who moderate the BBC Have Your Say service are Capita. The people who look after the BBC online accounts are Capita. The people who look after BBC licensing are Capita. And in a bizarre coincidence they all share the same building...
Owen “Columbo” Jones