Analysis Of Volunteer's Metadata Stream Reveals His Life In Detail, Allows Passwords To Be Guessed
from the not-"just"-metadata dept
Three years ago, Techdirt wrote about how German politician Malte Spitz obtained six months’ worth of basic geolocation data for his mobile phone. He then gave this to the German newspaper Die Zeit, which produced a great visualization of his travels during this time. That showed clearly how much was revealed from such basic data. Since then, of course, metadata has assumed an even greater importance, as it has emerged that the NSA routinely gathers huge quantities of it about innocent citizens. More chillingly, we also know that people are killed purely because of their metadata. But what exactly does metadata show about us?
We now have a better idea thanks to the generosity of Ton Siedsma from Holland. He has allowed researchers to access not just the geolocation data of his mobile phone, but all of its metadata:
From one week of logs, we were able to attach a timestamp to 15,000 records. Each time Ton’s phone made a connection with a communications tower and each time he sent an e-mail or visited a website, we could see when this occurred and where he was at that moment, down to a few metres. We were able to infer a social network based on his phone and e-mail traffic. Using his browser data, we were able to see the sites he visited and the searches he made. And we could see the subject, sender and recipient of every one of his e-mails.
That’s very similar to the sort of thing governments around the world are now routinely demanding. Here’s what the researchers were able to find out about various aspects of his life as a result. The basics:
Ton is a recent graduate in his early twenties. He receives e-mails about student housing and part-time jobs, which can be concluded from the subject lines and the senders. He works long hours, in part because of his lengthy train commute. He often doesn’t get home until eight o’clock in the evening. Once home, he continues to work until late.
Based on the data, it is quite clear that Ton works as a lawyer for the digital rights organisation Bits of Freedom. He deals mainly with international trade agreements, and maintains contact with the Ministry of Foreign Affairs and a few Members of Parliament about this issue. He follows the decision-making of the European Union closely. He is also interested in the methods of investigation employed by police and intelligence agencies. This also explains his interest in news reports about hacking and rounded-up child pornography rings.
His social networks:
From a social network analysis based on Ton’s e-mail traffic, it is possible for us to discern different groups to which he belongs. These clusters are formed by his three e-mail accounts. It may be the case that the groups would look a bit different if we were also to use the metadata from his phone. However, we agreed to not perform any additional investigation, such as actively attempting to discover the identity of the user of a particular number, so as to protect the privacy of those in Ton’s network.
There is much more of this in the post, and it’s well worth reading the whole thing to see just how much the researchers were able to find out. But it gets even more interesting — and troubling — when they move beyond this passive analysis of metadata to using this information to break into accounts:
The analysts from the Belgian iMinds compared Ton’s data with a file containing leaked passwords. In early November, Adobe (the company behind the Acrobat PDF reader, Photoshop and Flash Player) announced that a file containing 150 million user names and passwords had been hacked. While the passwords were encrypted, the password hints were not. The analysts could see that some users had the same password as Ton, and their password hints were known to be ‘punk metal’, ‘astrolux’ and ‘another day in paradise’. ‘This quickly led us to Ton Siedsma’s favourite band, Strung Out, and the password “strungout”,’ the analysts write.
With this password, they were able to access Ton’s Twitter, Google and Amazon accounts. The analysts provided a screenshot of the direct messages on Twitter which are normally protected, meaning that they could see with whom Ton communicated in confidence. They also showed a few settings of his Google account. And they could order items using Ton’s Amazon account — something which they didn’t actually do. The analysts simply wanted to show how easy it is to access highly sensitive data with just a little information.
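The hint-matching step quoted above works because of how the leaked file was built: if every password is encrypted with the same key in a deterministic mode, two users with the same password get byte-for-byte identical ciphertext, and any plaintext hint either of them wrote applies to both. The script below is an added example, not code from the Techdirt post or from the Bits of Freedom and iMinds researchers. It assumes a dump in which each record is (user id, password ciphertext, hint), with the ciphertext deterministic and built from 8-byte blocks (ECB-style; that block assumption is the script's, not the article's), and it runs on a small constructed set of records whose hint strings reuse the three hints quoted above. The final leap from the hints to “strungout” remains a human guess; the code only finds whose hints to read.

```python
"""Hint harvesting against a deterministically encrypted password dump.

Added example, not code from the Techdirt post or the researchers it quotes.
Assumptions: ciphertexts are hex strings; identical plaintexts produce
identical ciphertexts (same key, deterministic mode); blocks are 8 bytes, so
under ECB the first 16 hex characters depend only on the first 8 plaintext
characters. All records below are constructed for this example.
"""
from collections import Counter, defaultdict

BLOCK_HEX = 16  # one 8-byte cipher block, written as hex (assumption about the dump)

# Constructed records: (user id, password ciphertext as hex, plaintext hint).
# Block values are arbitrary placeholders; only equality between them matters.
SAMPLE_DUMP = [
    ("1001", "aaaaaaaaaaaaaaaa" "bbbbbbbbbbbbbbbb", ""),                         # target, wrote no hint
    ("1002", "aaaaaaaaaaaaaaaa" "bbbbbbbbbbbbbbbb", "punk metal"),
    ("1003", "aaaaaaaaaaaaaaaa" "bbbbbbbbbbbbbbbb", "astrolux"),
    ("1004", "aaaaaaaaaaaaaaaa" "bbbbbbbbbbbbbbbb", "another day in paradise"),
    ("1005", "aaaaaaaaaaaaaaaa" "cccccccccccccccc", "band plus year"),          # shares first block only
    ("1006", "dddddddddddddddd" "eeeeeeeeeeeeeeee", "dog's name"),
    ("1007", "dddddddddddddddd" "eeeeeeeeeeeeeeee", "rex"),
]


def index_by_ciphertext(records):
    """Map ciphertext -> [(uid, hint), ...] for every account storing that exact value."""
    groups = defaultdict(list)
    for uid, ct, hint in records:
        groups[ct].append((uid, hint))
    return groups


def ciphertext_of(records, uid):
    """Return the stored ciphertext for one account (the target need not have a hint)."""
    for rec_uid, ct, _ in records:
        if rec_uid == uid:
            return ct
    raise KeyError(uid)


def hints_for_target(records, target_uid):
    """Hints written by *other* users whose stored ciphertext equals the target's.

    With deterministic encryption these users chose the same password, so every
    one of their hints describes the target's password too.
    """
    target_ct = ciphertext_of(records, target_uid)
    return [hint for uid, ct, hint in records
            if ct == target_ct and uid != target_uid and hint]


def hints_sharing_first_block(records, target_uid):
    """Weaker match: hints from users whose first cipher block equals the target's.

    Under ECB the first block depends only on the first 8 plaintext bytes, so
    these users share the first 8 characters of the password, not all of it.
    """
    prefix = ciphertext_of(records, target_uid)[:BLOCK_HEX]
    return [hint for uid, ct, hint in records
            if ct[:BLOCK_HEX] == prefix and uid != target_uid and hint]


def most_shared_ciphertexts(records, n=3):
    """Rank ciphertexts by how many accounts share them; the top entries are
    the most common passwords in the dump and attract the most hints."""
    return Counter(ct for _, ct, _ in records).most_common(n)


if __name__ == "__main__":
    target = "1001"
    print("exact matches for", target, "->", hints_for_target(SAMPLE_DUMP, target))
    print("first-block matches for", target, "->", hints_sharing_first_block(SAMPLE_DUMP, target))
    for ct, count in most_shared_ciphertexts(SAMPLE_DUMP):
        hints = [h for _, h in index_by_ciphertext(SAMPLE_DUMP)[ct] if h]
        print(count, "accounts share", ct[:8] + "...", "hints:", hints)
```

Two points follow from running it. Offensively, the target does not need to have written a hint at all: the hints of strangers who picked the same password do the work, which is exactly what happened to Siedsma. Defensively, the fix is not a better hint policy but per-user salted password hashing, under which two identical passwords no longer produce identical stored values and the grouping above yields nothing; and since the recovered password opened Twitter, Google and Amazon as well, a unique password per service would have limited the damage to the one leaked account.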
That gives a hint of the havoc that government agencies with access to your metadata could wreak on your life — not only reading the contents of your emails, but also possibly accessing ecommerce or even bank accounts. We should be grateful to Siedsma for having the courage to hand over this intimate data, and for reminding us yet again why it is wrong to call it “just” metadata.