With the launch of our companion site, privacy.do, we are rerunning the EXPOSED! series 'Orwell's Blueprint' that provides the background on how our privacy is being stolen in 'plain sight'! This week, we revisit the final chapter, no 7...
In previous chapetrs of Orwell's Blueprint we have covered how you are tracked and also exposed some data brokers. However, what most people don't realize is just how much trouble metadata can get you in to.
Metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content
~ Stewart Baker — former NSA General Counsel
Metadata is extraordinarily intrusive. As an analyst, I would prefer to be looking at metadata than looking at content, because it's quicker and easier, and it doesn't lie.
~ Edward Snowden
Let's first understand what metadata is and why it is so potential harmful to your privacy.
A simple explanation about metadata is that it is "data that describes data"!
That, in the context of your mobile phone, gives more information to third parties and law enforcement than an actual phone call or text message. So even if you are using encrypted messaging, you can and will still leak metadata.
Every message you send or receive, every app you are use are all creating metadata. It is, basically, an electronic callsheet that details everything about the activity. Your location, who you were in contact with, when you communicate with someone, how long you communicated with them etc.
Obviously, this information is hugely important, not just to you and the recipient (the vast majority of people won't even know that they have created it), but even more so to companies, governmental agencies and other 3rd parties.
All this information has incredible value which explains why the routine monitoring of metadata has been so prevalent for so long. Fully eight years ago, in 2013, the UK's Guardian newspaper ran a story detailing the collection operations of the USA's National Security Agency (NSA) amongst others.
In case of Signal, the messaging service provider, for example, designed its app to leave as little as possible metadata about you. Yet, Signal uses Google and AWS (Amazon Web Servers) for communication. This, of course, creates and leaves metadata so Google and Amazon could know the time and the receiver of messages. Both ends use a telephone number and the operating system using Google/Apple push notifications so that links the metadata to your time stamp etc.
Let me say that that even though Signal uses AWS and Google servers, they are still one of the best when it comes to hiding as much metadata as possible. If they let you self-host, or avoid using AWS and Google servers, that would be outstanding.
All metadata created will also possibly capture your location data (even when you have location switched off on your phone), Google, for example, is still tracking you. And just let me say this again, for effect, the metadata also potentially discloses with whom you communicated, for how long and the online status of your device etc. etc.etc.
So let's illustrate how metadata could be used:
"You board a public service vehicle and someone who the authorities has under surveillance for whatever reason (could be anything from terrorism to journalism) sits down across from you.
All entirely coincidental and completely innocent on your part BUT the metadata from you both has now been logged! The following week you go into a supermarket and the same thing happens and there you are..now on a watch-list!"
The misuse of metadata erodes freedoms
Anonymity empowers people to speak out, to organize, to protest and to defend. Freedom of speech is a one of the most basic and fundamental human rights and it allows people to discuss, to learn, to agitate and for societies to grow.
Removal of that freedom will see free societies disappear and the collection and misuse of metadata poses exactly the kind of threat that could destroy the protection that is provided by anonymity.
The collection of metadata is not necessarily a precise science as it only provides a partial picture of the activity and its context and the content of the communication may not be known or considered. That opens the door to misinterpretation or malicious manipulation and there are plentiful examples including the one of several NSA employees in the US using it to stalk their partners or of the TV weather presenter, again in the US, being falsely accused of spying because of their ties to the PRC which was gleaned from metadata but weren't correct.
Incomplete data can lead to erroneous conclusions and inappropriate accusations, and sometimes deliberately so.
And whilst you might think it unlikely, if not impossible, for conclusions about you to be drawn from just a few data-points, one MIT study, analyzed anonymous credit card data from over a million people and discerned (correctly) the location and time of use through metadata and cross-referenced it with other data.
So now you know, protecting your metadata protects the people with whom you communicate and where there is no data, there can be no misuse, by anybody!
To sum that all up, metadata is defined as all the data related to electronic communications, excluding the content. Future legal protections must include both as it is difficult to ensure the safety of one without the other being protected.
Metadata allows the identification of the people involved, their behaviors, friends and contacts, their physical location and their regular communication methods. It is not difficult to then see how it is possible, along with other data, to create a frighteningly detailed picture of someone without even ever reviewing what they actually said in their messages!
Metadata has been the subject of multiple articles in decentralize.today and I wanted to get this message out once again. Sadly, metadata is everywhere, not just on your phone records, text messages, encrypted messaging but also your photos. I always recommend to remove metadata from any picture you send over the internet. Signal and Threema is doing that for you 'out of the box'.
However, take the extra step and use Scrambled Exif or Imagepipe from F-Droid and tunnel the images through these apps before you send them. It will remove the metadata and change the name of the images you're sending. iOS claims you can remove metadata too, I would still use an app to remove Exif and there are multiple solutions in the Apple Store. Have a look at what looks best for you, and make sure there is no data collection.
Lock down your phones with a firewall and DNS, on Android you have many great solutions, including NetGuard, RethinkDNS, AdAway TrackerControl and AdGuard. The later can also be found on iOS. Sadly, on iOS you can't use it as a firewall to block apps completely from the internet.
It is a shame that we live in a world that makes Orwell's fiction book into a blueprint of what governments and data collection agencies are trying to do.