What is metadata and how can it be used to monitor you?

First of all: What is data?

While everyone certainly knows what I mean by “data,” here are two important points to remember.

1. Data is created by people .
2. They are consciously created.

You press the button on your mobile phone camera and take a picture of your cat. You press “save” in the word processor and save the text of your term paper. You call a customer in the company and save his order in the ordering system. The result is corresponding data, eg images, videos, texts and database entries.

Now you know what data is. Then what is metadata?

If you ask a photographer what metadata is, they will tell you that it is additional information about a photo. Information stored with the photo. Let’s say you take another picture of your cat. Then the following information will be saved in your photo:

• the size of the picture – “1280 x 768 pixels”
• the camera type – “iPhone12”

This information is called metadata because it contains information about the actual information. Such metadata is everywhere in the digital world. In a video, for example, the information how many minutes were recorded. In a text, information about the number of characters, the author and perhaps a copyright notice.

This type of metadata is important and helps us to make our data usable, for example to sort it, to find it and to generally deal with it. However, this lesson does not deal with this type of metadata.

We want to talk about metadata, which contains information about our activities.

Activity metadata is your footprint on the web

Specifically, metadata can be defined as “activity data,” a record of everything we do with our devices and everything they do by themselves. For example, the metadata of a phone call includes the date and time of the call, its duration, the number of the caller, the number of the called party, and their locations. Edward Snowden, Permanent Record, p.230

Edward Snowden’s revelations in 2013 reassessed the importance of activity data for monitoring and tracking people internationally.

Until then, investigative authorities had always maintained that activity data did not allow direct insight into the content of a communication. This should also be used to justify that the collection of such metadata cannot constitute an invasion of privacy.

Edward Snowden’s revelations made it clear that by analyzing and linking our activity data, the NSA (and other investigators) are able to deduce the content of the actually encrypted communication. For this they can also access the data of the large Internet companies.

Although the NSA is preparing to store the data of every person on earth, it cannot yet evaluate and analyze the contents of all intercepted conversations, emails, images and videos in real time. However, the metadata alone is a good approximation, a substitute and a starting point for further investigations.

Examples of activity data

Let’s recap what Edward Snowden said about activity metadata. They are:

• recording everything we do with our devices,
• Records that our devices do by themselves.

Devices are your SmartPhones, your computer and other electronic devices connected to the internet.

And the record that your devices do by themselves? They usually result from their construction and valid definitions (protocols) of how the Internet and the connected devices communicate with each other.

You may have already heard that when you are traveling, your smartphone is always (to put it simply) looking for the radio tower with the best connection for you. To do this, it reports to the nearest radio tower. And this ping with your registration remains there.

Activity data that “you” generate with WhatsApp Messenger

WhatsApp (Facebook) now uses secure end-to-end encryption for the actual message content. So far so good. Nevertheless, with every chat, who speaks to each other when and from where is recorded.

From the length of the encrypted messages, the frequency with which two users speak to each other, their locations and the time of their message exchange, the following can be determined:

1. recognize a network of relationships
2. create a movement profile
3. and possibly also reconstruct the actually encrypted conversation content.

The whole thing becomes easier the more Facebook services are used on the same mobile device. This allows Facebook to link this data as well.

Especially crazy … in order to be able to use WhatsApp sensibly, WhatsApp users usually allow their complete address book with all contacts (including the contacts who do not use WhatsApp) to be uploaded to a Facebook server when the program is started. In this way, people are also recorded by Facebook without their intervention.

Activity data that your smartphone generates “without you”.

WiFi tracking (often called WPS tracking) is a good example. Our smartphones work (with the WLAN function switched on) like a direction finder. They automatically search for available WLANs in our area. The signals sent (including the internationally unique number of your smartphone) can be picked up and evaluated by the operator of a WLAN. All this happens without your smartphone having connected to the WLAN.

For example, it is possible to create a movement profile of you, to determine your employer or to research your habits (e.g. shopping or fitness).

Ready for a (risk-free) self-experiment?

Test which activity data your internet browser generates.

With a click on www.browsercheck.me or coveryourtracks.eff.org you can test which metadata your smartphone or computer generates when using the Internet.

What to take away from this lesson

You should now understand the difference between data and metadata. You also know how the “special” activity (meta) data is created and how you can be monitored with it. Now continue to learn step by step in BaseCamp how you can anonymize your traces on the net.