Online services want your birthdate, creating security risk

Posted at 10:51 AM, Sep 24, 2016

Of all the personal information people tend to give out willy-nilly on the internet, birthdate is perhaps the most ubiquitous.

It's not just Yahoo and Facebook seeking that information. Websites, newsletters, online stores and a plethora of other places want your birthdate - and many services won't let you sign up until you provide it. And it's probably not because they want to send you a gift.

Now, some Yahoo users are finding that they cannot delete or edit this information. In light of a massive breach the internet icon recently disclosed, this could pose a security risk.


Services tend to ask for your birthdate to make sure you're at least 13, as opening the service to younger children would subject it to tighter restrictions on showing ads and collecting personal information.

But a birthdate can also give hackers another piece of information for identity theft. This is why banks tell you not to use your birthday in your user ID and why security experts warn you to keep it out of passwords.

Birthdates, while not unique, can help identify you when matched with a name. With enough other information, perhaps shared on a second, third or fourth website, it can be used to sign up for credit cards or apply for loans.


The breach, disclosed Thursday, affected 500 million Yahoo accounts. But many of these accounts likely belong to people who signed up for Yahoo mail in, say, 1998 - then moved on when Google's Gmail came along, while neglecting to delete their Yahoo accounts.

Now, the breach is prompting people to log back in and travel down the memory hole at the sight of their "Yahoo nickname" ("catsinspace2," anyone?). On the way, they may notice their birthdate, stamped there and without a way to change or remove it (you can, however, edit your nickname).

Facebook, which also asks for your birthdate, lets you edit it, after warning you that you can change your birthdate only "a limited number of times." Gmail lets you edit, too.

In an emailed statement, Yahoo said it does not allow users to change their birthdates "as a matter of policy." The reason for this is to comply with a federal child-privacy law imposing a variety of limits and regulations on online services that target kids under 13. By excluding young children, services wouldn't have to jump through hoops and seek parental consent.


Many people give their birthdate to companies online without a second thought. Facebook, with 1.7 billion users, is the biggest collector of birthdates, but there's also a whole "mini-industry" around birthday greetings, videos and messages.

The main reason that companies say they need your birthdate is to ensure you are of age. You have to be 18 to look at pornography online, and in the U.S., at least 21 to visit websites marketing alcohol. A Facebook app called Lifestage, meanwhile, is available only to users under 21 (and over 13).

And as mentioned earlier, companies need to ensure their users are at least 13 to avoid triggering the child-privacy law.

Of course, nothing stops you from lying about your age, and companies don't really need your actual birthdate - just your age. But the birthdate and age can help companies target advertising to you better, and sometimes offer you special deals or greetings. Ads help companies make money and, they say, keep the services you use free.


Some security-minded folks get around giving out personal info by typing in a fake birthdate, though this can run afoul of a site's terms of service. Other than that, there is not much individuals can do if they want to use the services.

But there are privacy groups hoping to change this. Marc Rotenberg, executive director of the online privacy watchdog Electronic Privacy Information Center, said companies should develop "privacy-enhancing techniques" that minimize or eliminate the collection of personally identifiable information.

"Asking users security questions based on personal information simply worsens the problem," he said in an email. "Companies should avoid collecting birthdates, (Social Security numbers), mother maiden names. That only creates more vulnerabilities."