Because of Edward Snowden, we’ve been hearing a lot about metadata for the past 15 months.
Governments have been getting that metadata by covert means of questionable legality.
As news about surveillance efforts has leaked, officials have typically downplayed it as “just” metadata – as if metadata didn’t reveal just about as much about us as email or phone call content itself.
As author and researcher Hans de Zwart of Dutch digital rights foundation Bits of Freedom noted, even recently, on its website, the Dutch Intelligence Agency (AIVD) downplayed the interception of metadata as “a minor infringement of privacy”.
Thanks to a Dutch man, Ton Siedsma, we now have a glimpse of the type of information that can be squeezed from what officials would have us believe is “just” metadata.
→ For a quick and accessible explanation of metadata and what it’s all about, see our recent Patch Tuesday analysis, where we explain why simply knowing if a file is there, without being able to look inside it, can tell you almost as much as knowing what it contains.
Siedsma voluntarily handed a week’s worth of mobile phone data over to researchers, one of whom was Hans de Zwart.
Siedsma didn’t just give up the geolocation details of his wanderings, mind you.
Siedsma allowed researchers access to the same type of metadata that intelligence agencies would collect, including phone and email header information, by letting the researchers install a data-collecting app on his phone.
The app pulled off a blizzard of data:
From one week of logs, we were able to attach a timestamp to 15,000 records. Each time Ton's phone made a connection with a communications tower and each time he sent an email or visited a website, we could see when this occurred and where he was at that moment, down to a few metres. We were able to infer a social network based on his phone and email traffic. Using his browser data, we were able to see the sites he visited and the searches he made. And we could see the subject, sender and recipient of every one of his emails.
These are some of the basic things that the researchers discerned from just one week’s worth of metadata from Siedsma’s life:
Ton is a recent graduate in his early twenties. He receives emails about student housing and part-time jobs, which can be concluded from the subject lines and the senders. He works long hours, in part because of his lengthy train commute. He often doesn’t get home until eight o’clock in the evening. Once home, he continues to work until late.
The researchers aren’t sure whether he lives with his girlfriend, Merel, but they do know that the couple exchange an average of a hundred WhatsApp messages a day, mostly when Ton’s away from home.
They know he’s interested in sports. That he’s into cycling. His sister’s name.
He reads Scandinavian thrillers. Or, well, at least that he searches for titles on Google and Yahoo.
He’s probably Christian. He enjoys reading about “cats wearing tights”, “Disney princesses with beards” and “guitars replaced by dogs”.
The marketing angle
The researchers also found that Ton would be like candy to online marketers:
If we were to view Ton’s profile through a commercial lens, we would bombard him with online offers. He’s signed up for a large number of newsletters from companies like Groupon, WE Fashion and various computer stores. He apparently does a lot of shopping online and doesn’t see the need to unsubscribe from the newsletters. That could be an indication that he’s open to considering online offers.
His political leanings
We ... suspect that he sympathises with the Dutch 'Green Left' political party. Through his work ... he’s in regular contact with political parties. Green Left is the only party from which he receives emails through his Hotmail account. He has had this account longer than his work account.
The researchers discerned that Ton is knowledgeable about, and very interested in, technology, information security, privacy issues and internet freedom:
He frequently sends messages using encryption software PGP. He performs searches for database software (SQLite). He is a regular on tech forums and seeks out information about data registration and processing. He also keeps up with news about hacking and rounded-up child pornography rings.
His metadata also makes it crystal clear where he works and in what capacity:
Based on the data, it is quite clear that Ton works as a lawyer for the digital rights organisation Bits of Freedom. He deals mainly with international trade agreements, and maintains contact with the Ministry of Foreign Affairs and a few Members of Parliament about this issue. He follows the decision-making of the European Union closely. He is also interested in the methods of investigation employed by police and intelligence agencies. This also explains his interest in news reports about hacking and rounded-up child pornography rings.
Beyond that, one of the researchers, security expert Mike Moolenaar, concluded that Ton has “a good information position within Bits of Freedom” – a detail that’s important from an intelligence perspective.
Some of the metadata that could have brought the information sifters to that conclusion include Ton’s frequent correspondence with anti-virus software providers and his emails to set up an appointment with a member of parliament’s assistant.
The password pièce de résistance
Information about us is one thing. But what about actually breaking into our accounts?
Can metadata lead governments, or cybercrooks, or any other type of snoop to guess our passwords?
Absolutely. Here’s how the researchers did it with Ton’s data:
First, they compared the data with a file of leaked passwords from the horrific Adobe breach of 150 million user names and passwords.
As you may recall, while the passwords were supposedly “encrypted” (although we don’t know in what way), the password hints were not.
The analysts saw that some users had the same password as Ton. They took a look at their password hints: “punk metal”, “astrolux” and “another day in paradise”, and that led them to his password:
This quickly led us to Ton Siedsma’s favourite band, Strung Out, and the password 'strungout'.
Using that password, they got into Ton’s Twitter, Google and Amazon accounts.
Besides taking screenshots of normally confidential direct messages on Twitter, the analysts could have actually purchased things on Ton’s Amazon account, but they opted not to.
Ton, we hope you’ve since changed your ways with regard to picking more secure passwords, and that you’re using unique, strong passwords for all your sites, instead of reusing passwords.
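The hint pooling described above depends on equal passwords producing equal stored values. The Python sketch below is an added example, not the researchers' code or tooling: it audits a credential table for that exposure and shows that per-account salting removes it. The account names, the site key and the use of HMAC as a stand-in for the breached site's scheme (which the article says is unknown) are assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

SITE_KEY = b"constructed-demo-key"  # constructed: one key shared by every account

def store_deterministic(password):
    # Weak: the same password always yields the same stored value.
    # HMAC under one site-wide key stands in for unsalted, deterministic encryption.
    return hmac.new(SITE_KEY, password.encode(), hashlib.sha256).digest()

def store_salted(password):
    # Corrected: a random per-account salt plus a slow KDF, so equal passwords differ.
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def pooled_hints(records):
    """Return {stored_value: (users, hints)} for every value shared by 2+ accounts."""
    groups = defaultdict(list)
    for user, stored, hint in records:
        groups[stored].append((user, hint))
    exposed = {}
    for stored, members in groups.items():
        if len(members) > 1:
            users = [u for u, _ in members]
            hints = [h for _, h in members if h]
            exposed[stored] = (users, hints)
    return exposed

# Constructed accounts; the password and hints are the ones quoted in the article.
ACCOUNTS = [
    ("user_a", "strungout", ""),
    ("user_b", "strungout", "punk metal"),
    ("user_c", "strungout", "astrolux"),
    ("user_d", "strungout", "another day in paradise"),
    ("user_e", "constructed-unique-passphrase", "first pet"),
]

def audit(store):
    """Store every account with the given scheme and report hint pooling."""
    return pooled_hints([(u, store(p), h) for u, p, h in ACCOUNTS])

if __name__ == "__main__":
    for name, scheme in (("deterministic", store_deterministic), ("salted", store_salted)):
        clusters = audit(scheme)
        print(name, "->", len(clusters), "shared value(s)")
        for users, hints in clusters.values():
            print("  accounts:", users, "pooled hints:", hints)
```

With the deterministic scheme, an account that set no hint at all (user_a here) still inherits every hint written by others who chose the same password; with salting, no two stored values match and there is nothing to pool.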
But more to the point, the researchers called this very complete portrait mere “child’s play” when compared with what intelligence agencies can do:
We focused primarily on metadata, which we analysed using common software. We refrained from undertaking additional investigation, with the exception of using the leaked dataset from Adobe.
Besides the success they had with just a limited tool set, the researchers underscored the fact that they only had access to one week’s worth of metadata – a fraction of what intelligence agencies have:
An intelligence agency has metadata on many more people over a much longer period of time, with much more advanced analysis tools at its disposal. Internet providers and telecommunications companies are required by law in the Netherlands to store metadata for at least six months. Police and intelligence agencies have no difficulty asking for and receiving this kind of data.
As goes the Netherlands, so goes the US and other countries implicated in NSA-gate.
So the next time you hear a politician append the word “only”, “mere” or “just” to the term “metadata”, think of Ton Siedsma.
Think about how much you now know about him. Bear in mind that this intimate, detailed portrait comes courtesy of your mobile phone and the immense wealth of metadata it has the power to silently hand over.