Yesterday, I posted the following on infosec.exchange, but thought it might be useful to post it here to remind folks to think about when we should start teaching children about online privacy and “OpSec” (Operations Security):
My 6-year-old grandson (let’s call him “Timmy”) was at our house, and I was teasing him by calling him “Timmy Terrific.
“I’d rather be called TimmyC402,” he told me.
“What’s TimmyC402?” I asked him.
“The C is for my last name and the 402 is for my birthday,” he answered.
“But what is TimmyC402?” I asked again.
“It’s my username on Roblox,” he told me.
So tell me: Is 6 too young to start talking to him about his OpSec?
“Timmy” had created a digital footprint that linked his first name, first initial of his last name, and his date of birth to him. Could that information be collected and used in the future to harass him, or to steal his identity or create a credit report in his name? Could it be used by people to groom him? Years from now, could some school or employer make decisions about him because he was on Roblox at age 6?
So if you are the parent of a young child, or aunt, uncle, or grandparent of a young child, how do you talk to them about protecting their identity information online without terrorizing them about how unsafe the world is?
And if you haven’t talked to them already, do you really know how much personal information they are sharing online? Maybe it’s time to start talking to them?