Surveys and/or games of the "which $FOO are you" tying concepts or phrases to your personal information -- DoB, name, postal code, etc. -- are data exfiltration devices.

It only takes 33 bits to uniquely identify a given person, and with your DoB (100 * 12 * 31), postal code (10), and first initial of your name (26), you've already given up *at least* 20 bits, quite possibly more.



Also: you've also almost certainly incidentally given up numerous bits by virtue of the social network / website you're on, and/or whom you're following.

So, say, if you (or someone within your circle) ARE being sniffed out, some investigator might already have an idea that you're within, say, the 100,000 core users of Mastodon, or the 1,000 followers of some large profile. At which point another 20 bits of ID is gravy.


@dredmorbius this is why it's good to lie about yourself as much as reasonably possible online

@popefucker I lie to myself offline as much as possible too, just to cover all bases.

@popefucker More seriously: I leak bits like mad just by my interests and such, though I attempt misdirection through pseudonyms and related stuff.

Not that I think I'm in the least APT secure. Or even BIT secure.

(Beginner intermittent threat.)

@dredmorbius I try pretty hard not to leak but I'm sure a smart detective could get me in a couple days no problem

@dredmorbius depends what nym they start from. Here, I could be identified in minutes

@dredmorbius Minor nit: the number of bits represented by any of those pieces of information is the negative base 2 logarithm of its probability given the attacker's prior beliefs about you. If they already think you're in your early 20s and your birth year confirms that, the year gives more like 2 bits of information, not 6.6. Even if everyone has an even likelihood, birth dates are not evenly distributed, too.

@dredmorbius Likewise, if they know you're American, then knowing the first letter of your last name is X gives a whopping 12 bits of information, while knowing it's S only gives 3.2 bits.

@dredmorbius The way to look at this is: you need X bits to uniquely identify someone, and you can stop collecting info as soon as you collect that many bits. Which means that the number of bits contributed by a piece of information can't be the same no matter who the person is, because people vary in the rarity of various identifying aspects.

Observations also aren't independent of one another, so the number of bits an observation contributes is also dependent on what you already know.
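
The accounting discussed in the replies above (bits as the negative base-2 logarithm of probability under a prior, and observations that are not independent), as an added example that is not from any poster in the thread. The 128-person population, the field names and every value are constructed for illustration.

```python
import math

# Constructed toy population of (birth_year, postal_prefix, initial); not real data.
FIELDS = ("birth_year", "postal_prefix", "initial")
POPULATION = (
    [(1998, "9", "S")] * 40 + [(1998, "9", "M")] * 30 + [(1998, "1", "S")] * 20
    + [(1975, "1", "S")] * 25 + [(1975, "1", "M")] * 12 + [(1975, "9", "X")] * 1
)  # 128 people, so log2(128) = 7 bits single out one of them


def surprisal(records, field, value):
    """Bits revealed by learning field == value, with `records` as the prior."""
    i = FIELDS.index(field)
    matches = sum(1 for r in records if r[i] == value)
    if matches == 0:
        raise ValueError(f"{field}={value!r} is impossible under this prior")
    return math.log2(len(records) / matches)


def narrow(records, field, value):
    """Anonymity set left after the observation is applied."""
    i = FIELDS.index(field)
    return [r for r in records if r[i] == value]


def leak_report(records, observations):
    """Per observation, in order: (field, marginal bits, bits given what is
    already known). Also returns the size of the final anonymity set."""
    rows, remaining = [], list(records)
    for field, value in observations:
        marginal = surprisal(records, field, value)       # naive, independent view
        conditional = surprisal(remaining, field, value)  # given earlier answers
        remaining = narrow(remaining, field, value)
        rows.append((field, marginal, conditional))
    return rows, len(remaining)


if __name__ == "__main__":
    common = [("initial", "S"), ("birth_year", 1998), ("postal_prefix", "9")]
    rare = [("initial", "X"), ("birth_year", 1975), ("postal_prefix", "9")]
    print(f"bits needed: {math.log2(len(POPULATION)):.1f}")
    for answers in (common, rare):
        rows, left = leak_report(POPULATION, answers)
        for field, marginal, conditional in rows:
            print(f"{field:14} marginal={marginal:5.2f}  conditional={conditional:5.2f}")
        print(f"anonymity set: {left}, naive sum: {sum(r[1] for r in rows):.2f} bits\n")
```

The same three quiz answers leave a set of 40 people for the common values and a set of 1 for the rare initial, and summing the marginal bits overstates what was learned because the fields are correlated.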

mastodon.cloud