What Can Government Security Agencies Tell From Your Phone’s Metadata?

Dann Albright 02-02-2015

We talk a lot about metadata, especially since the revelations about how much of it the NSA is collecting. For the most part, it doesn’t sound that bad that they’re able to see those things—if they can see when you made a call, but can’t hear what you said, is it such a big deal?


What Is Metadata?

Before we get started, let’s set the groundwork and make sure we know exactly what metadata is. As you might gather from the name, it’s data about data—information about information. What this means in practice is widely varied, but the important thing is that it doesn’t contain the content of your messages. The things that you say in a call or a text are not recorded in the metadata.


So what is it? On a call, the phone number that you call, the unique serial number of the phone that you call, the time and duration of the call, and the location of each of the callers are encoded in the metadata. What about the metadata from email? The sender’s and receiver’s names and email addresses, server transfer information, date and timezone details, the subject of the email, the read receipt status, and information about the mail client are all encoded in the metadata. Even your tweets contain metadata.
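To make the email case concrete, here is an added example (not part of the original article) that reads only the headers of a constructed message and pulls out the fields listed above. Every name, address, hostname and the ExampleMail client string in it is made up for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample message: all names, hosts and IPs are placeholders.
RAW = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
        by inbox.example.org with ESMTPS; Mon, 02 Feb 2015 09:14:31 +0100
Received: from laptop.local (unknown [192.0.2.44])
        by mx.example.net with ESMTPSA; Mon, 02 Feb 2015 09:14:29 +0100
From: Alice Example <alice@example.net>
To: Bob Example <bob@example.org>
Subject: Lunch on Thursday?
Date: Mon, 02 Feb 2015 09:14:28 +0100
Message-ID: <constructed-1@example.net>
Disposition-Notification-To: alice@example.net
User-Agent: ExampleMail/1.0 (constructed)

The body is never read by this script.
"""

def extract_metadata(raw):
    """Return what the headers alone reveal; the body is never touched."""
    msg = message_from_string(raw)
    sent = parsedate_to_datetime(msg["Date"])
    hops = []
    for received in msg.get_all("Received", []):
        # Each relay prepends its own Received header: "<route>; <timestamp>".
        route, _, stamp = received.rpartition(";")
        ip = re.search(r"\[([0-9a-fA-F.:]+)\]", route)
        hops.append({"ip": ip.group(1) if ip else None,
                     "time": parsedate_to_datetime(stamp.strip())})
    hops.reverse()  # headers are newest first; report the route oldest first
    return {
        "from": getaddresses(msg.get_all("From", [])),
        "to": getaddresses(msg.get_all("To", [])),
        "subject": msg["Subject"],
        "sent_local": sent.isoformat(),
        # The offset hints at the sender's timezone, and so their rough region.
        "utc_offset_hours": sent.utcoffset().total_seconds() / 3600,
        "read_receipt_requested": msg["Disposition-Notification-To"] is not None,
        "mail_client": msg["User-Agent"] or msg["X-Mailer"],
        "hops": hops,
    }

if __name__ == "__main__":
    for field, value in extract_metadata(RAW).items():
        print(f"{field}: {value}")
```

The first hop's address is the one the sending device connected from, which is why login and relay records can place a sender even when the message text is encrypted.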

So as you can see, although there’s no content being recorded, there’s still quite a bit of information that can be seen from these details (The Guardian posted a great interactive page on metadata that will give you a few more details). So what, exactly, could an intelligence agency gather from this sort of information?

A Case Study

Naked Security, Sophos’ blog, reported a fascinating experiment done with some metadata late last year. A Dutch man allowed a researcher to install a data-collecting app on his phone to collect various types of metadata for a week. This is important—it was just metadata. No content. Just the sorts of things that governments around the world could easily obtain.


What did the researchers figure out? The man’s age, the fact that he’s a recent graduate, that he worked long hours and had a long train commute, that he continued to work late into the evening, that he’s into sports (especially cycling), that he reads Scandinavian thrillers, that he has a girlfriend, that he’s probably a Christian, that he probably identifies with the Green Left party of the Netherlands, that he’s interested in technology and privacy, and a lot of details about his job: that he was a lawyer, where he worked, what sorts of law he dealt with, who in the government he was in contact with, and some of his professional interests.


Oh, and they were able to guess the password to his Twitter, Google, and Amazon accounts by combining the information they got from his metadata with information released after the Adobe hack.

Perhaps most terrifyingly, the researchers stated that the methods and tools that they used were significantly less sophisticated than those that could be put to use by an intelligence agency. Metadata is starting to seem like a pretty big deal now, isn’t it?


Of course, having researchers be able to do this in the lab and actually having a government agency put it into practice are quite different.

Real-World Examples with Real-World Consequences

Careers—if not lives—can be ruined by metadata. Just ask David Petraeus. You may remember Petraeus as a highly decorated, highly respected four-star general who ran US and NATO forces operations in Afghanistan as the Commander of United States Central Command. In 2011, he was unanimously confirmed as the Director of the CIA, but he stepped down in disgrace in 2012. Why? Metadata.


You can read the whole timeline, but the short version is this: Petraeus was engaging in an extramarital affair with another member of the Army, Paula Broadwell. Broadwell sent a few threatening emails to a friend of the Petraeus family—and it could have ended there. But the FBI used metadata to track login information from hotels and cross-referenced that data with guest lists, eventually revealing Broadwell as the source of the emails and leading to the revelation of Petraeus’s affair and his subsequent resignation.


Much of the metadata that led to the discovery of the affair didn’t even come from sent emails—Petraeus and Broadwell communicated by signing into the same email account and saving drafts that the other would then read. Just the login metadata was enough to clue investigators in.

Think that four-star generals are at risk, but common citizens aren’t producing valuable metadata? Tell that to protestors in Ukraine who received text messages saying “Dear Subscriber, you are registered as a participant in a mass disturbance.” In a country that’s going through political and military turmoil, would you want your cell phone records telling the government that you had been at the site of a demonstration?

What Can You Do to Protect Yourself?

Unfortunately, short of turning your phone off and only using it when you absolutely need to, there’s not a whole lot you can do. Location information, for example, is impossible to get rid of—your phone is constantly connecting to cell towers to get a strong signal, and the connection to that tower is recorded. And when you call someone, the routing information (your phone and theirs) needs to be visible at some point, or else the cell network won’t know where to direct the call.

We’ve given you plenty of tips for protecting the content of your messages—you can use an encrypted messaging app, even encrypt your calls—but if you’re concerned about metadata, your best bet is to not give the NSA (or whichever government agency you’re worried about) a large amount of data to work with. How can you keep their records to a minimum? Using a burner phone, using multiple phones, changing numbers often, and using different email addresses will make it more difficult to tie specific pieces of information to you.



Beyond this, your best bet is to take political action—join campaigns for privacy, push companies to be transparent about what they’re doing with your data, and vote with your wallet. Metadata is always going to be out there, but companies’ willingness to hand it over to the government is something we might be able to change.

Are you concerned about the government getting their hands on your metadata? Have you taken any precautions to maintain your privacy? What other strategies have you heard of for keeping your metadata private? Share your thoughts below!

Image credits: Funny concept with theatrical mask via Shutterstock, United States Navy via Wikimedia Commons.


  1. Steven
    February 11, 2015 at 3:21 pm

    Dear Dann

    Since the passage of the "Patriot Act" the "THIN" line between privacy
    and safety and/or security has been ERASED...!

    • Dann Albright
      February 11, 2015 at 8:21 pm

      Yes, the PATRIOT Act put a big dent in privacy. I'm not familiar with which specific types of intelligence gathering were made legal by that Act, as it's a very large and complicated one, but it seems to have kicked off a lot of privacy-destroying activities. Maybe some day we'll be loud enough to have it repealed!

  2. dragonmouth
    February 2, 2015 at 1:01 pm

    Does anybody out there in userland still believe in the quaint concept of "The Home of the Free"???

    • Dann Albright
      February 2, 2015 at 2:19 pm

      Isn't it "the land of the free"? And "the home of the brave"? :-)

      A few of us still do, I think . . . which is why we're trying to be as vocal as possible. My guess is that there are plenty of people out there who still believe in it, but don't have any idea how much surveillance is actually going on.