Lessons from a Cybersecurity Mom

It’s a pretty normal weeknight evening at our house. Logan, our 14 year-old, is on the couch playing Minecraft. She’s building what looks like a hundred-story mansion made of glass and gold, trading resources with other online players to complete her project. Logan’s younger brother Rex, who’s in second grade, is creating virtual robots on his Leap Pad, his little sister Nadine, in kindergarten, is waiting patiently for a turn. Or at least, that’s what it looks like from the Internet’s perspective.

In reality, our oldest isn’t named Logan, and she isn’t 14. Same with Rex — that’s not his real name, and he’s not in second grade. Nadine doesn’t even exist (but you might’ve gathered that by the fact that a kindergartner was waiting patiently for a Leap Pad). These are all pseudonyms used by our children to protect their personal information online.

So in this case, I’m obligated to teach them how to take their own protective measures.

Educational technology pervades deeply into domestic life. Games are online, and learning resources are connected via the Internet. Even the most Luddite parent will soon realize that homework often happens online, and elementary school computer labs aren’t self-contained. Given the reality of our kids’ online lives, how do we best protect them? That question has become even more important recently, as the latest high-level breaches of children’s personal data often include not just names, but photos, answers to security questions, instant message conversations, and other deeply personal information.

My suggestion as a parent and cybersecurity expert: lie. Yes, lying runs counter to the normal parenting paradigm that we should always — always! — teach our kids to tell the truth. But given the spread of sensitive information online — whether by voluntary submission or unintended breach — my responsibilities as a parent are more complicated than that. I don’t know whether or not the Leap Pad is storing Rex’s sensitive data, and I don’t have any control over how they treat that data (whether or not it’s encrypted, for example). I don’t know whom Logan might be talking to in the Minecraft world. So in this case, I’m obligated to teach them how to take their own protective measures.

Kids' tech encourages so much personal data sharing. For their personal protection, we need to teach them to take a step back and ask not only “why?” but “what happens if my information is exposed?”

But I don’t want to approach the topic as boldly with the kids as I do here. I don’t want “lie to protect your personal information online” to turn into “lie to protect yourself at any time.” Logan may consider the fact that she didn’t finish her book report to be personally sensitive information, but it’s not going to affect her safety or future credit rating. (It will, however, affect what she’s doing this weekend.)

Instead, before the kids connect a new device or create a new online account, we ask them to create an “online secret identity,” like a spy. The new identity should be close enough to their own that the educational content is appropriate — if the identity of “Rex” is 16 years old, the math games will be too difficult and my actual child won’t benefit — but these synthetic identities should never use their real names, ages, birthdates, names of pets, or any other personally identifiable information. We talk about it over dinner, creating a backstory, so that in the rush to connect a new gadget, no personal information leaks out. Kids' tech encourages so much personal data sharing. For their personal protection, we need to teach them to take a step back and ask not only “why?” but “what happens if my information is exposed?” I don’t want to frighten the kids away from connecting online (although given the allure, that might not be possible), but I want to enable them to make good decisions and protect themselves as they venture out into the online world. And then when they see me log into my Pinterest account as Larry, a 44 year-old accountant from Cleveland, they’ll know that I too have a secret online identity.

Jamie Winterton is the Director of Strategy for ASU’s Global Security Initiative, where she specializes in creating novel solutions for multifaceted and disparate problem spaces that relate to global security. She is a Future Tense Fellow at New America.

This post is part of Humans of Cybersecurity, a dedicated section on Context that celebrates stories of the people and ideas that are are changing our digital lives. It is part of New America’s Women in Cybersecurity Project, which seeks to dramatically increase the representation of women in the cybersecurity/information security field by fostering strategic partnerships with industry leaders, producing cutting-edge workforce research, and championing women’s voices in media. This is a project of New America’s broader Cybersecurity Initiative, which aims to clarify and connect the often disjointed debates and policies that surround the security of our networks.