AIは数ドルで偽名と実名を数分で結び付けられる
ETH ZurichとAnthropicの研究者は、商用AIモデルを数ドルで利用することで、インターネット上の偽名ユーザーを数分で実在の個人と結びつけられることを実証し、オンライン匿名性の根本的前提に疑問を投げかけている。
キーポイント
低コスト・高速な個人特定手法
商用AIモデルを用いることで、偽名ユーザーを一人あたり数ドル、数分で実在の個人と結びつけられる手法が実証された。
オンライン匿名性への根本的疑問
この手法は、インターネット上での匿名性が保たれるという根本的な前提を揺るがす可能性がある。
実用性の高い脅威
研究は理論的なものではなく、既存の商用AIモデルを用いた実用的な手法を示しており、現実的な脅威として認識される。
研究機関による共同実証
ETH Zurich(チューリッヒ工科大学)とAI企業Anthropicの研究者が共同でこの手法を実証した。
影響分析・編集コメントを表示
影響分析
この研究は、AI技術がプライバシーと匿名性に及ぼす現実的な脅威を具体的に示した点で極めて重要である。オンライン空間の信頼と安全の基盤を再考させ、AIの倫理的利用と規制に関する議論を加速させる可能性が高い。
編集コメント
「匿名性は幻想かもしれない」という衝撃的な実証結果は、AIの進化がもたらす負の側面を如実に示しており、技術開発と社会規範のバランスを考える上で重要な論点を提供している。

ETH ZurichとAnthropicの研究者らは、擬似名(偽名)のインターネットユーザーが、商用利用可能なAIモデルを用いて一人当たりわずか数ドルで特定可能であることを実証しました。この結果は、オンライン匿名性に関する根本的な前提を揺るがすものです。
この記事「AIはわずか数ドルで数分以内に偽のオンラインネームを実在の個人と結びつけられる」は、The Decoderで最初に公開されました。
原文を表示
Researchers from ETH Zurich and Anthropic show that pseudonymous internet users can be identified using off-the-shelf AI models for just a few dollars per person. The findings challenge basic assumptions about online anonymity.
Anyone who posts online under a pseudonym (hopefully) knows their identity could theoretically be uncovered. But most people assume nobody would bother putting in the effort.
A new study suggests that assumption no longer holds. According to the researchers, large language models can now match pseudonymous online profiles to real people fully automatically, for one to four dollars per profile and in minutes rather than hours.
The key insight isn't that AI is better than a human investigator. It picks up on the same clues an experienced analyst would spot: professional details, interests, and casual mentions of where someone lives or how they live. But what would take a person hours, the language model knocks out in minutes. That fundamentally changes the threat landscape.
Two-thirds of Hacker News users correctly identified
In a central experiment, an AI agent received only a summary of anonymous posts from the tech platform Hacker News, then independently searched the web to find the real identity behind them. Directly identifying information like names or links had been stripped out beforehand to make the attack non-trivial. The result: the agent correctly matched about two-thirds of 338 profiles, with a false positive rate of only around ten percent.
The researchers also tested the attack on the Anthropic Interviewer Dataset, a publicly available collection of 125 partially redacted interview transcripts with scientists. Despite the redactions, the AI agent correctly identified at least 9 out of 33 people analyzed, without using any special tricks to bypass safety mechanisms.
How the pipeline turns forum posts into real names
To systematically study the process, the researchers broke de-anonymization down into four stages. First, a language model reads a user's posts and distills a profile: profession, location, hobbies, political views, everything that can be picked up between the lines.
Those attributes are then compared against a database of candidate profiles, similar to a search engine looking for the best matches. In the third step, a more powerful model checks the top candidates individually and picks the most likely match. Finally, the system evaluates its own confidence and, when in doubt, declines to make a call.
The difference from previous methods is fundamental. The well-known Netflix Prize attack from 2008, where researchers matched anonymized movie ratings with public profiles, required cleanly structured data: numbers, ratings, and timestamps. The new method works directly with the messy, unstructured natural language found in forums and comment sections.
More posts mean easier identification
The researchers tested their approach across three scenarios. When matching Hacker News accounts with LinkedIn profiles in a pool of roughly 89,000 candidates, the pipeline identified just under half of all users with 99 percent accuracy. The traditional method managed 0.1 percent.
A clear pattern showed up among Reddit users across different movie communities: the more movies someone had discussed in both communities, the easier it was to match them. Nearly half of users with ten or more shared movie titles were correctly identified; with just one shared movie, the rate dropped to about three percent.
In the third scenario, the researchers split individual Reddit users' comment histories into two halves, one year apart, and tried to match the halves to each other. About two-thirds of users were correctly matched, compared to less than one percent with the traditional approach.
When the language model got more compute time to reason, hit rates climbed further. Even with one million candidates, the attack could still succeed in roughly 35 to 45 percent of cases depending on the scenario, according to the researchers' extrapolation.
Effective countermeasures are hard to find
The researchers paint a grim picture of the consequences. State actors could unmask pseudonymous accounts of dissidents or journalists. Companies could link anonymous forum posts to customer profiles. Criminals could launch tailored fraud campaigns at scale.
Against that backdrop, it becomes clearer why Anthropic is pushing back so hard against AI-powered mass surveillance in its dispute with the Pentagon.
Possible countermeasures like restricting access to user data or detecting automated scraping could make attacks harder. But the researchers are pessimistic: their pipeline is just a sequence of seemingly harmless steps like summarizing, searching, and sorting that are nearly impossible to tell apart from legitimate use.
In a test using data from a Steam profile, GPT-5 Pro refused to search, citing impermissible de-anonymization. Anthropic's Claude also rejected the request. Deepseek and Manus.ai, on the other hand, were willing to search but didn't turn up any useful results.
"Users who post under persistent usernames should assume that adversaries can link their accounts to real identities or to each other, and that the probability rises with each piece of micro-data they post," the researchers write.
The study was approved by the ETH Zurich ethics committee. The researchers are not releasing their attack code or processed datasets, and they are not disclosing any identities.
関連記事
今日のまとめ
AI日報で今日の重要ニュースをまとめ読み