Analysis Of Volunteer's Metadata Stream Reveals His Life In Detail, Allows Passwords To Be Guessed

from the not-"just"-metadata dept

Three years ago, Techdirt wrote about how German politician Malte Spitz obtained six months’ worth of basic geolocation data for his mobile phone. He then gave this to the German newspaper Die Zeit, which produced a great visualization of his travels during this time. That showed clearly how much was revealed from such basic data. Since then, of course, metadata has assumed an even greater importance, as it has emerged that the NSA routinely gathers huge quantities of it about innocent citizens. More chillingly, we also know that people are killed purely because of their metadata. But what exactly does metadata show about us?

We now have a better idea thanks to the generosity of Ton Siedsma from Holland. He has allowed researchers to access not just the geolocation data of his mobile phone, but all of its metadata:

From one week of logs, we were able to attach a timestamp to 15,000 records. Each time Ton’s phone made a connection with a communications tower and each time he sent an e-mail or visited a website, we could see when this occurred and where he was at that moment, down to a few metres. We were able to infer a social network based on his phone and e-mail traffic. Using his browser data, we were able to see the sites he visited and the searches he made. And we could see the subject, sender and recipient of every one of his e-mails.

That’s very similar to the sort of thing governments around the world are now routinely demanding. Here’s what the researchers were able to find out about various aspects of his life as a result. The basics:

Ton is a recent graduate in his early twenties. He receives e-mails about student housing and part-time jobs, which can be concluded from the subject lines and the senders. He works long hours, in part because of his lengthy train commute. He often doesn’t get home until eight o’clock in the evening. Once home, he continues to work until late.

His work:

Based on the data, it is quite clear that Ton works as a lawyer for the digital rights organisation Bits of Freedom. He deals mainly with international trade agreements, and maintains contact with the Ministry of Foreign Affairs and a few Members of Parliament about this issue. He follows the decision-making of the European Union closely. He is also interested in the methods of investigation employed by police and intelligence agencies. This also explains his interest in news reports about hacking and rounded-up child pornography rings.

His social networks:

From a social network analysis based on Ton’s e-mail traffic, it is possible for us to discern different groups to which he belongs. These clusters are formed by his three e-mail accounts. It may be the case that the groups would look a bit different if we were also to use the metadata from his phone. However, we agreed to not perform any additional investigation, such as actively attempting to discover the identity of the user of a particular number, so as to protect the privacy of those in Ton’s network.

There is much more of this in the post, and it’s well worth reading the whole thing to see just how much the researchers were able to find out. But it gets even more interesting — and troubling — when they move beyond this passive analysis of metadata to using this information to break into accounts:

The analysts from the Belgian iMinds compared Ton’s data with a file containing leaked passwords. In early November, Adobe (the company behind the Acrobat PDF reader, Photoshop and Flash Player) announced that a file containing 150 million user names and passwords had been hacked. While the passwords were encrypted, the password hints were not. The analysts could see that some users had the same password as Ton, and their password hints were known to be ‘punk metal’, ‘astrolux’ and ‘another day in paradise’. ‘This quickly led us to Ton Siedsma’s favourite band, Strung Out, and the password “strungout”,’ the analysts write.

With this password, they were able to access Ton’s Twitter, Google and Amazon accounts. The analysts provided a screenshot of the direct messages on Twitter which are normally protected, meaning that they could see with whom Ton communicated in confidence. They also showed a few settings of his Google account. And they could order items using Ton’s Amazon account — something which they didn’t actually do. The analysts simply wanted to show how easy it is to access highly sensitive data with just a little information.
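The hints were useful because equal passwords produced equal stored values in the leaked file, so hints from different users pooled around one password. The following added example (not from the original article or the researchers) audits a credential table for that property and contrasts it with per-user salted hashing; the HMAC stand-in for the file's encryption, the user names and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

SITE_KEY = b"constructed-demo-key"  # assumption: one site-wide key, no per-user randomness

def store_deterministic(password: str) -> bytes:
    # Stand-in for deterministic encryption: equal passwords give equal stored bytes.
    return hmac.new(SITE_KEY, password.encode(), hashlib.sha256).digest()

def store_salted(password: str) -> bytes:
    # Hardened form: random per-user salt plus a slow KDF; the salt is kept with the hash.
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_salted(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)

def pooled_hints(table):
    """Audit: group rows by stored credential and return groups shared by 2+ users."""
    groups = defaultdict(list)
    for _user, stored, hint in table:
        groups[stored].append(hint)
    return {k: v for k, v in groups.items() if len(v) > 1}

# Constructed sample rows; the password and hints are the ones quoted in the article.
USERS = [
    ("user_a", "strungout", "punk metal"),
    ("user_b", "strungout", "astrolux"),
    ("user_c", "strungout", "another day in paradise"),
    ("user_d", "different-pass", "hometown"),
]

def exposed_hint_count(store) -> int:
    # Number of hints that can be read together as clues to one shared password.
    table = [(user, store(pw), hint) for user, pw, hint in USERS]
    return sum(len(hints) for hints in pooled_hints(table).values())

if __name__ == "__main__":
    print("deterministic storage, pooled hints:", exposed_hint_count(store_deterministic))
    print("salted storage, pooled hints:", exposed_hint_count(store_salted))
```

Any non-empty result from `pooled_hints` on a real credential table means the storage scheme is deterministic and should be migrated to salted hashing.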

That gives a hint of the havoc that government agencies with access to your metadata could wreak on your life — not only reading the contents of your emails, but also possibly accessing ecommerce or even bank accounts. We should be grateful to Siedsma for having the courage to hand over this intimate data, and for reminding us yet again why it is wrong to call it “just” metadata.

Follow me @glynmoody on Twitter or, and +glynmoody on Google+


Comments on “Analysis Of Volunteer's Metadata Stream Reveals His Life In Detail, Allows Passwords To Be Guessed”

That One Guy (profile) says:

Something to remember

They were able to find out all of that based on nothing more than the metadata gathered from his phone, imagine how much more comprehensive a picture you could make if you had access to all the metadata generated by/on a person, like the various spy agencies are always demanding.

Also of importance, with just that limited metadata they were able to get access to his twitter, email, and amazon accounts. While bad enough on its own, remember that it wasn’t too long ago that it came out that the NSA (and likely their UK partner) considers attacking someone’s reputation/presence online fair game as long as they consider them an ‘enemy’.

So let’s see, with access to those three services, they could make tweets in someone’s name, say threatening tweets that they could use to justify an investigation later, send out incriminating emails that could be used as evidence in that ‘investigation’, and make suspicious or potentially ’embarrassing’ purchases via their amazon account, again adding to the pile of ‘evidence’ they could use against someone.

And all of this due to nothing more than ‘metadata’. ‘Harmless’ indeed.

Anonymous Coward says:

Re: Something to remember

And how about when all the metadata is used, when data analysis connects dots that aren’t apparent. Such as two unconnected cellphones reveal via GPS co-ordinates that they happened to “meet” (same place, same time) once every six months. Reminds me of how burner phones can be tracked thru the absence of data. OpSec got even harder.

Anonymous Coward says:

Re: Re:

I don’t think anyone here is surprised by how much metadata reveals.

As for Facebook/Google – there’s a big difference to agreeing to it under terms and services, for a free service along with the ability to mitigate some of it (via extensions and other methods) and having it done to you, without knowledge, lied to about it, with no (meaningful) oversight … yada yada yada.

You have scored -100 Intelligence, -200 Verbal Reasoning

Rikuo (profile) says:

Re: Re:

“You are all worried about the government having this metadata, yet you will gladly hand most of it to google, facebook, twitter, and the like.”
Do you want to know why I’m not worried (typically) in Google et al having this sort of information on me?
Because these technology corporations DO NOT HAVE the power to imprison me.
For feck’s sake, can you not think about what you’re going to say for a bit before you post it, thus you won’t be revealed as an idiot?

Anonymous Coward says:

Re: Re:

Whether or not this data is handed to Google, Facebook and Twitter does not make it a good thing for the government to have it.

Most people will find it surprising especially if they haven’t been paying attention, but it seems that you would rather people don’t know this so they can feed the government with information that lets them survey every aspect of their lives and silence anyone you find undesirable.

Sounds like someone’s already got his rectum lubed for the government.

PaulT (profile) says:

Re: Re:

“Congratulations, a big long post”

Funny, minus quotes (which, along with citations, evidence or anything to back your words up, are usually lacking in your own posts), it’s about 4 paragraphs. That’s shorter than many of your own pointless, fact-free ramblings, yet it manages to address something concrete.

“You are all worried about the government having this metadata, yet you will gladly hand most of it to google, facebook, twitter, and the like.”

Ah, a sweeping statement pulled straight from your ass, even before you realise that there’s a massive difference between the government and private enterprise. But, you’re tripping over yourself to attack everybody here in a handy fiction, so why let facts bother you?

“What I think is most disturbing from this story is that you find it surprising.”

If you bothered to read most of the posts here instead of leaping in to attack what’s said, you might find that this is not surprising to anyone here, and that subject is in fact the focus of years’ worth of articles written.

The actual point of the article is that this is the sort of thing that politicians are claiming is impossible or not something that metadata can be exploited to use. That someone has proven that it is possible despite their assurances does not mean that anyone is surprised about those results. It’s simply something worth noting in full.

Please, learn reading comprehension, stop being an ass, and address reality. In your rush to attack, you often forget the latter, thus your reputation as a fantasist and a liar.

Rikuo (profile) says:

Re: Re: Re: Re:

That statement sounds an awful lot like infamous Christian apologist Sye Ten Bruggencate, who says “I don’t do bible studies with atheists”, whenever non-believers want to challenge him on his interpretation of said bible.
So in other words, it’s fine for you to come along and post your opinion and critique, but not fine for someone else, whether anonymous or not when doing the same to you.

art guerrilla (profile) says:

Re: Re: Re: Re:

@ whatever
1. you really are shitheel of a human bean…
2. that nearly 100% of the 1% of the inertnet denizens who frequent this (or similar) sites and have an abiding interest in the subject may indeed ‘know’ that their metadata is vast and too easily hoovered, is one thing…
3. for the VAST majority of inertnet users, yes, they may have some working theory that they are vulnerable, they may have some suspicions that The They ™ don’t have their best interests at heart, etc; but MOST are using the tubes without having a clue, because YOU DON’T HAVE TO…
just like 90% of the people who drive cars might have some scant knowledge of how an internal combustion engine works, etc, they REALLY don’t know shit about it unless/until someone educates them on how it works…
AND, for the most part, THEY DON’T CARE: their car stops working, they call a mechanic; their tubes stop working, they call a nerd, they don’t have to ‘know’ shit about it…
4. did i mention you are a shitheel of human bean ? can’t be emphasized enough…

Anonymous Coward says:

it’s just a government ploy to try to put people off from finding out exactly what can be done with ‘meta data’! let’s face it, they were hardly likely to admit to anything let alone how much they can see into a person’s life!
the only way to stop this is to demand that ALL government surveillance stops on everyone unless they can provide a valid reason, to a proper court (not the bunch of yes men that checks atm) that then issues a warrant or whatever stating exactly what can be done and what can’t be done. then every step needs to be checked before the info gathered can be used in court.
hopefully the time this takes would at least discourage any underhandedness as illegitimate surveillance could cost the case and lives if done incorrectly

Whatever (profile) says:

Re: Re: misinformation?

I think it’s pretty much the single most important thing, that this doesn’t sound like standard metadata (as in the data collected by NSA in the US) but rather a much larger in depth pool of information obtained in part by hacking his accounts.

Leave it to the apologists to not consider the obvious!

OldMugwump (profile) says:

Re: Re: Re: misinformation?

When an apologist (in this case, spook agency spokesmen) says they are “only doing X”, it is prudent to expect that they mean the broadest possible interpretation of “X”.

The more so as the apologist in question has a reputation for deceit. (Or, in the case of spook agencies, considers deceit a part of their mission and raison d’être).

Whatever (profile) says:

Re: Re: misinformation?

Not true John. The search engine connections are all https now, so the information sent wouldn’t be visible (like the searches you made) so that would already be not really true.

It also seems that much of the information gathered here was related to first hacking his password. It seems really silly to think that the guy had the same simple password for everything, no capitals, no special characters, no extra characters (just adding “!!” on the end of something makes it almost unhackable by these methods). If anything, it sounds like the guy went out of his way to pave the road of information for them to find.

Anonymous Coward says:

Re: Re: Re: misinformation?

Actually, if you read the article:

From one week of logs, we were able to attach a timestamp to 15,000 records. Each time Ton’s phone made a connection with a communications tower and each time he sent an e-mail or visited a website,

The operative description being visited a web site, which is identifiable by its IP address, and site selector if used. That is all non encrypted data and available to ISP by simply logging syn packets.

GEMont (profile) says:

Tip o' the hat, Ton.

In a time when all of (what used to be) our most trusted officials and institutions have become the very forces of deception and exploitation they were supposedly designed to defend the public from, it is always a joy to read about the real heroes of humanity, such as Ton and others who risk their lives and livelihoods, or simply do the unthinkable, in order to foil the plans of the enemy inside the gates.

Their efforts, even though few and far between, tend to balance somewhat the constant negative work of paid blog shills like Whatever, and the army of liars employed by the Most Transparent Administration In American History, who tirelessly attempt to bury the truth and muddy the waters of public perception.

In the face of such apparently overwhelming odds, it is truly amazing what having a spine can accomplish.

That One Guy (profile) says:

Re: New law

Not quite far enough, I’d also include any other public figure/official who’s defended the spying programs with the ‘It’s just metadata’ line. If they really believe that ‘just metadata’ isn’t personally identifiable, and capable of revealing personal information, let them prove it by putting their own out there.

If they refuse, well, that just makes them hypocrites and/or liars, and deserving of having that pointed out.
