What Can Government Security Agencies Tell From Your Phone’s Metadata?
We talk a lot about metadata , especially since the revelations about how much of it the NSA is collecting. For the most part, it doesn’t sound that bad that they’re able to see those things—if they can see when you made a call, but can’t hear what you said, is it such a big deal?
What Is Metadata?
Before we get started, let’s set the groundwork and make sure we know exactly what metadata is. As you might gather from the name, it’s data about data—information about information. What this means in practice is widely varied, but the important thing is that it doesn’t contain the content of your messages. The things that you say in a call or a text are not recorded in the metadata.
So what is it? On a call, the phone number that you call, the unique serial number of the phone that you call, the time and duration of the call, and the location of each of the callers is encoded in the metadata. What about the metadata from email ? The sender’s and receiver’s names and email addresses, server transfer information, date and timezone details, the subject of the email, the read receipt status, and information about the mail client are all encoded in the metadata. Even your tweets contain metadata.
So as you can see, although there’s no content being recorded, there’s still quite a bit of information that can be seen from these details (The Guardian posted a great interactive page on metadata that will give you a few more details). So what, exactly, could an intelligence agency gather from this sort of information?
A Case Study
Naked Security, Sophos’ blog, reported a fascinating experiment done with some metadata late last year. A Dutch man allowed a researcher to install a data-collecting app on his phone to collect various types of metadata for a week. This is important—it was just metadata. No content. Just the sorts of things that governments around the world could easily obtain.
What did the researchers figure out? The man’s age, the fact that he’s a recent graduate, that he worked long hours and had a long train commute, that he continued to work late into the evening, that he’s into sports (especially cycling), that he reads Scandinavian thrillers, that he has a girlfriend, that he’s probably a Christian, that he probably identifies with the Green Left party of the Netherlands, that he’s interested in technology and privacy, and a lot of details about his job: that he was a lawyer, where he worked, what sorts of law he dealt with, who in the government he was in contact with, and some of his professional interests.
Oh, and they were able to guess the password to his Twitter, Google, and Amazon accounts by combining the information they got from his metadata with information released after the Adobe hack.
Perhaps most terrifyingly, the researchers stated that the methods and tools that they used were significantly less sophisticated than those that could be put to use by an intelligence agency. Metadata is starting to seem like a pretty big deal now, isn’t it?
Of course, having researchers be able to do this in the lab and actually having a government agency put it into practice are quite different.
Real-World Examples with Real-World Consequences
Careers—if not lives—can be ruined by metadata. Just ask David Petraeus. You may remember Petraeus as a highly decorated, highly respected four-star general who ran US and NATO forces operations in Afghanistan as the Commander of United States Central Command. In 2011, the was unanimously confirmed as the Director of the CIA, but he stepped down in disgrace in 2012. Why? Metadata.
You can read the whole timeline, but the short version is this: Petraeus was engaging in an extramarital affair with another member of the Army, Paula Broadwell. Broadwell sent a few threatening emails to a friend of the Petraeus family—and it could have ended there. But the FBI used metadata to track login information from hotels and cross-referenced that data with guest lists, eventually revealing Broadwell as the source of the emails and leading to the revelation of Petraeus’s affair and his subsequent resignation.
Much of the metadata that led to the discovery of the affair didn’t even come from sent emails—Petraeus and Broadwell communicated by signing into the same email account and saving drafts that the other would then read. Just the login metadata was enough to clue investigators in.
Think that four-star generals are at risk, but common citizens aren’t producing valuable metadata? Tell that to protestors in Ukraine who received text messages saying “Dear Subscriber, you are registered as a participant in a mass disturbance.” In a country that’s going through political and military turmoil, would you want your cell phone records telling the government that you had been at the site of a demonstration?
What Can You Do to Protect Yourself?
Unfortunately, short of turning your phone off and only using it when you absolutely need to, there’s not a whole lot you can do. Location information, for example, is impossible to get rid of—your phone is constantly connecting to cell towers to get a strong signal, and the connection to that tower is recorded. And when you call someone, the routing information (your phone and theirs) needs to be visible at some point, or else the cell network won’t know where to direct the call.
We’ve given you plenty of tips for protecting the content of your messages—you can use an encrypted messaging app , even encrypt your calls —but if you’re concerned about metadata, your best bet is to not give the NSA (or whichever government agency you’re worried about) a large amount of data to work with. How can you keep their records to a minimum? Using a burner phone , using multiple phones, changing numbers often, and using different email addresses will make it more difficult to tie specific pieces of information to you.
Beyond this, your best bet is to take political action—join campaigns for privacy , push companies to be transparent about what they’re doing with your data, and vote with your wallet. Metadata is always going to be out there, but companies’ willingness to hand it over to the government is something we might be able to change.
Are you concerned about the government getting their hands on your metadata? Have you taken any precautions to maintain your privacy? What other strategies have you heard of for keeping your metadata private? Share your thoughts below!