“We kill people based on metadata,” said Michael Hayden, former NSA and CIA director, in 2014. But what is it and why should you care about it?
Although it was coined in the 60’s, experts in digital forensics believe that the term “metadata” became public domain until the 21st century, due to the leaks of Edward Snowden. In 2014, Snowden explained that metadata might reveal “who you’re talking to, when you’re talking to someone, or even where you usually travel.”
What is metadata?
Metadata is a part of everyday life. Each file you send or receive has metadata. Metadata reveals information that might be contained in the data — the goal is to make connections and provide context to the data, show relationships, and help understand them. According to specialists in digital forensics from the International Institute of Cyber Security, metadata responds to questions such as:
- Who?
- What?
- Where?
- When?
- Why?
For example, a chocolate bar. The information we find in the wrapper, such as the brand name, the barcode, etc., is metadata. A song’s name, the artist’s name, the music genre, the listening frequency, is also metadata. When someone uses Youtube with automatic playing enabled, the metadata of your previous choices helps determine what will be played next.
In social networks, metadata is used to group posts, track user interests, and help create a context around user data. Imagine sending a selfie, the data reveals the content of the selfie, while metadata can contain location data, time, even the person’s exposure time in front of the camera.
What the metadata reveals about us
In short, metadata reveal too much. Metadata could reveal our innermost personal details, such as political inclinations, health status, financial situation, family relationships, etc.
For example, researchers Deepak Jagdish and Daniel Smilkov developed a tool designed to contextualize email metadata. Analyzing only the information fields From, To, Cc and Timestamp of their emails, researchers were able to make amazing discoveries about their social interactions, relationships, social circle, even their sleep cycles.
They could calculate, for example, how many people they knew in a certain time period, more productive moments of their day, etc.
The long-range surveillance of telephone metadata was demonstrated by Stanford University researchers who found that the National Security Agency’s massive collection of telephone records can provide a lot more learning about the private lives of people that the government wills to admit to. By just getting the number of two people participating in a phone call, the serial number of the phones involved, the time and duration of the calls and possibly the location of each person during the call, the investigators managed to isolate data up to a certain identity.
Although a website is secure, metadata is not protected
The HTTPS protocol indicates that a website is secure, this is a fact that many people know. A somewhat less well-known fact is that, although HTTPS encrypts the content, the site still leaks metadata. Here is a brief explanation:
The content of the Hypertext Transfer Protocol is not encrypted, so it cannot be considered secure by itself, so the information contained may be stolen. The ‘s’ in HTTPS stands for ‘safe’. This protocol was designed to improve privacy on the Internet when sending personal information, which could still be stolen, but this is now more difficult. HTTPS is widely used in sites like Google, Facebook or Twitter, or anywhere else.
To achieve HTTP-to-HTTPS conversion, the website owner must purchase more secure certificates, such as TLS or SSL. These protocols prove that a website is legitimate. The thing is that no one can see the information we send over the Internet, but anyone can intuit the content of the information sent, like guessing that inside an envelope there is a postcard or a letter.
USA, the home of metadata surveillance
The NSA could be the most intrusive and creative metadata spy organization we know.
Political, social and technological organizations have enabled the NSA to raise the levels of metadata collection. Although the Freedom Act of 2015 limited the NSA’s ability to collect phone records and contacts of terrorist activity suspects, in May, the agency revealed a massive increase in the amount of telephone call metadata collected in the report titled “Call Details Logs”, going from 151 million of call logs to 2016 to more than 534 million in 2017. Despite this increase, there were only 40 terrorism suspects in 2017.
At the end of June, the NSA issued a statement announcing that it began a process of erasing these records, as agency officials discovered technical irregularities.
Is there anything we can do?
Unfortunately, specialists in ethical hacking and digital forensics believe that there is no definitive solution to protect our metadata. Maybe, as Henry David Thoreau says, you can begin a new life in the forest, isolated from the world.
Despite this pessimistic statement, there are some useful tips for minimizing risks:
- Do not share information in excess. Remember that every time you share something on the Internet, it will stay there forever
- Install an operating system with multiple security layers (such as Linux)
- Disable the GPS of your devices when not in use
- Disable JavaScript
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.
