There have been thousands of articles about the Equifax breach recently, but very few have discussed the deeper reasons why information that used to be common knowledge has become so critical to online safety and security. This blog post from AgileBits, makers of 1Password, is a great primer on why certain information is now considered sensitive. It all boils down to the fact that banks have adopted identifiers (such as Social Security Numbers) as secrets and “identifiers are bad secrets.” To illustrate the point, the author includes a fun clip from Monty Python’s Flying Circus, the famous “Bruces Sketch.”
There might be a lot of Bruces in the room, but there are probably not two with the same birthday and definitely not two with the same Social Security Number (SSN). So the name Bruce alone can’t be used as an identifier. Bruce + SSN used to be OK as an identifier, but the SSN became a secret when banks began to use it for telephone banking. Bruce + birthday is not great, but add Bruce’s address and that should be unique. However, it is not a secret, because Bruce’s birthday can be found on his Facebook page and his address is probably in 1,000 places online. Identifiers are clearly bad secrets.
The Equifax breach has brought the problem to a head by speeding up the process of demonstrating that identifiers are bad secrets, because for hundreds of thousands of people those identifiers are now public information (for hackers). The solutions are complicated, and while many people think they don’t have any “secrets” and ask themselves “Why would a hacker possibly be interested in my boring family photos?”, the deeper issue is the increasing interconnectedness of online and physical identities. For a deep dive into how to protect yourself online, see my recent series, “Online Security.”
AgileBits is certainly doing its part to help people keep track of the real secrets: passwords, credit card numbers, driver’s licenses, passports, etc. But a kept secret is only as good as the privacy of the place where it is stored, such as a smartphone or computer. For more information on this part of the problem, take a look at Apple’s excellent new website on privacy. It presents a clear picture of how closely related secrecy and privacy really are.