Why the “Number Game” isn’t secret at all


In short: humans are very bad at generating random numbers and obscuring themselves from set theory analysis.

Today, the “Number Game” swept Twitter, Facebook, and other social media. The premise is simple: privately message an individual a number, and they will publicly post their thoughts about you to that number.

Secrecy, then, relies on two guarantees. First, the recipient must not divulge the name of the party who provided the pre-shared numeric key. Second, each key must be a nonce, because a key used a second time is already known to the parties who received it before.

Unfortunately, as I discovered just by trawling my own timeline, many people failed to provide this second guarantee (affording false positives, such as 666). The higher the information entropy of the number selected and reused, the more likely it was selected by a single party.

This has several interesting ramifications. First, it means every identifiable key shared more than once is unmasked to all other recipients. Each recipient will know what the others have said about you.

Second, message passing for this “game” on Twitter is handled by direct message. Because this requires the recipient be following the sending party, there is a public record of a small pool of candidates for every key. By performing set intersection upon each reuse, each participant’s followers whittle the candidates down until there exists one (and only one) party who could have shared the original key. Add any metadata provided by the message text itself (such as, “this person’s art…”), and this whittles down even faster.
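As an added illustration (not code from the original post), the set intersection described above can be run over constructed data: the account names, follow lists and key 4172 are made up, and each recipient's candidate pool is assumed to be the accounts they follow, per the direct-message rule. It also shows the nonce property from earlier: with a fresh random key per recipient, no pool shrinks.

```python
import secrets

# Constructed sample data: the accounts each recipient follows (public),
# i.e. the only accounts able to send that recipient a direct message.
FOLLOWING = {
    "alice": {"dave", "erin", "frank", "grace", "heidi"},
    "bob":   {"dave", "erin", "ivan", "judy"},
    "carol": {"erin", "frank", "judy", "mallory"},
}

def anonymity_sets(posts, following):
    """Map each key to the senders consistent with every public post using it.

    posts: iterable of (recipient, key) pairs, one per public reply.
    """
    candidates = {}
    for recipient, key in posts:
        pool = following[recipient]
        # First sighting keeps the whole pool; each reuse intersects it down.
        candidates[key] = candidates.get(key, pool) & pool
    return candidates

def fresh_key(bits=64):
    """Single-use key from the OS CSPRNG; collisions are negligible at 64 bits."""
    return secrets.randbits(bits)

def demo():
    # One sender reuses the (constructed) key 4172 with three recipients.
    reused = [("alice", 4172), ("bob", 4172), ("carol", 4172)]
    # Same sender, but a fresh key per recipient: every key appears once.
    unique = [(r, fresh_key()) for r in ("alice", "bob", "carol")]
    return anonymity_sets(reused, FOLLOWING), anonymity_sets(unique, FOLLOWING)

if __name__ == "__main__":
    reused, unique = demo()
    for key, who in reused.items():
        print(f"reused key {key}: {len(who)} candidate(s) -> {sorted(who)}")
    for key, who in unique.items():
        print(f"fresh key {key:#x}: {len(who)} candidate(s)")
```

With the reused key, three public replies are enough to leave a single candidate; with single-use keys, each anonymity set stays as large as the recipient's full pool.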

While this game may be “cute” and “fun”, I do not advise playing. It does not work as advertised. If you continue to do so, please be aware that you are publicly speaking about someone to your audience with dubious, trivially breakable secrecy.

The fact this is so noisy is a matter to address separately. And, accidentally presciently, I addressed my thoughts on this yesterday. I intend to filter these messages and continue on my merry way. I couldn’t ask for better data to test my new tools against, so collectively, thank you!

But, as many other people do not have this luxury: please be considerate to your audiences. Twitter is broadcasting these to everyone who follows you, many of whom desire timely, relevant information. Filling their channels with noise is not generally appreciated.

Now, if you’ll excuse me, I’m going to go try lucky number 8. 8 hours of sleep, that is.



2 thoughts on “Why the “Number Game” isn’t secret at all”

    Wogan said:
    May 16, 2014 at 2:59 am

    It’s still a positive movement, though. It’s given people a way to feel safe about prompting others for feedback, and from what I’ve seen it’s mostly positive. I agree that it’s not as secure as it seems, but I disagree with the notion that we need security at all. This sort of open, supportive sharing should be the norm, not an event.

      goldkin responded:
      May 16, 2014 at 3:49 am

      Yes. And on that premise alone, I think it’s nifty to see people speaking openly about how they, typically, care very much for one another in ways that they do not normally express.

      The trouble is predicating it on a false pretense of secrecy. I think it could work if two things were strengthened here:

      1. If it were supported as its own system. This is not dissimilar from providing an Ask Box for Twitter, and as with how it’s used on Tumblr, that would be a very useful feature.
      2. That any public number generated is cryptographically random and used only once.

      I think the best possible hope out of this is someone (read: Twitter) recognizes they should write a tool that supports this. Done properly, I’d definitely consider using it myself.
