Analysis Of Volunteer's Metadata Stream Reveals His Life In Detail, Allows Passwords To Be Guessed
from the not-"just"-metadata dept
Three years ago, Techdirt wrote about how German politician Malte Spitz obtained six months' worth of basic geolocation data for his mobile phone. He then gave this to the German newspaper Die Zeit, which produced a great visualization of his travels during this time. That showed clearly how much was revealed from such basic data. Since then, of course, metadata has assumed an even greater importance, as it has emerged that the NSA routinely gathers huge quantities of it about innocent citizens. More chillingly, we also know that people are killed purely because of their metadata. But what exactly does metadata show about us? We now have a better idea thanks to the generosity of Ton Siedsma from Holland. He has allowed researchers to access not just the geolocation data of his mobile phone, but all of its metadata:From one week of logs, we were able to attach a timestamp to 15,000 records. Each time Ton's phone made a connection with a communications tower and each time he sent an e-mail or visited a website, we could see when this occurred and where he was at that moment, down to a few metres. We were able to infer a social network based on his phone and e-mail traffic. Using his browser data, we were able to see the sites he visited and the searches he made. And we could see the subject, sender and recipient of every one of his e-mails.That's very similar to the sort of thing governments around the world are now routinely demanding. Here's what the researchers were able to find out about various aspects of his life as a result. The basics:
Ton is a recent graduate in his early twenties. He receives e-mails about student housing and part-time jobs, which can be concluded from the subject lines and the senders. He works long hours, in part because of his lengthy train commute. He often doesn’t get home until eight o'clock in the evening. Once home, he continues to work until late.His work:
Based on the data, it is quite clear that Ton works as a lawyer for the digital rights organisation Bits of Freedom. He deals mainly with international trade agreements, and maintains contact with the Ministry of Foreign Affairs and a few Members of Parliament about this issue. He follows the decision-making of the European Union closely. He is also interested in the methods of investigation employed by police and intelligence agencies. This also explains his interest in news reports about hacking and rounded-up child pornography rings.His social networks:
From a social network analysis based on Ton's e-mail traffic, it is possible for us to discern different groups to which he belongs. These clusters are formed by his three e-mail accounts. It may be the case that the groups would look a bit different if we were also to use the metadata from his phone. However, we agreed to not perform any additional investigation, such as actively attempting to discover the identity of the user of a particular number, so as to protect the privacy of those in Ton’s network.There is much more of this in the post, and it's well-worth reading the whole thing to see just how much the researchers were able to find out. But it gets even more interesting -- and troubling -- when they move beyond this passive analysis of metadata to using this information to break into accounts:
The analysts from the Belgian iMinds compared Ton's data with a file containing leaked passwords. In early November, Adobe (the company behind the Acrobat PDF reader, Photoshop and Flash Player) announced that a file containing 150 million user names and passwords had been hacked. While the passwords were encrypted, the password hints were not. The analysts could see that some users had the same password as Ton, and their password hints were known to be 'punk metal', 'astrolux' and 'another day in paradise'. ‘This quickly led us to Ton Siedsma's favourite band, Strung Out, and the password "strungout",' the analysts write.That gives a hint of the havoc that government agencies with access to your metadata could wreak on your life -- not only reading the contents of your emails, but also possibly accessing ecommerce or even bank accounts. We should be grateful to Siedsma for having the courage to hand over this intimate data, and for reminding us yet again why it is wrong to call it "just" metadata.
With this password, they were able to access Ton's Twitter, Google and Amazon accounts. The analysts provided a screenshot of the direct messages on Twitter which are normally protected, meaning that they could see with whom Ton communicated in confidence. They also showed a few settings of his Google account. And they could order items using Ton's Amazon account -- something which they didn't actually do. The analysts simply wanted to show how easy it is to access highly sensitive data with just a little information.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: anonymity, content, metadata, privacy, surveillance, ton siedsma
Reader Comments
Subscribe: RSS
View by: Time | Thread
Right?
Guys?
[ link to this | view in thread ]
Something to remember
Also of importance, with just that limited metadata they were able to get access to his twitter, email, and amazon accounts. While bad enough on it's own, remember that it wasn't too long ago that it came out that the NSA(and likely their UK partner) considers attacking someone's reputation/presence online fair game as long as they consider them an 'enemy'.
So let's see, with access to those three services, they could make tweets in someone's name, say threatening tweets that they could use to justify an investigation later, send out incriminating emails that could be used as evidence in that 'investigation', and make suspicious or potentially 'embarrassing' purchases via their amazon account, again adding to the pile of 'evidence' they could use against someone.
And all of this due to nothing more than 'metadata'. 'Harmless' indeed.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
What I think is most disturbing from this story is that you find it surprising.
[ link to this | view in thread ]
Re: Something to remember
[ link to this | view in thread ]
Re:
As for Facebook/Google - there's a big difference to agreeing to it under terms and services, for a free service along with the ability to mitigate some of it (via extensions and other methods) and having it done to you, without knowledge, lied to about it, with no (meaningful) oversight ... yada yada yada.
You have scored -100 Intelligence, -200 Verbal Reasoning
[ link to this | view in thread ]
Re:
Do you want to know why I'm not worried (typically) in Google et al having this sort of information on me?
Because these technology corporations DO NOT HAVE the power to imprison me.
For feck's sake, can you not think about what you're going to say for a bit before you post it, thus you won't be revealed as an idiot?
[ link to this | view in thread ]
Re:
Most people will find it surprising especially if they haven't been paying attention, but it seems that you would rather people don't know this so they can feed the government with information that lets them survey every aspect of their lives and silence anyone you find undesirable.
Sounds like someone's already got his rectum lubed for the government.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
Funny, minus quotes (which, along with citations, evidence or anything to back your words up, are usually lacking in your own posts), it's about 4 paragraphs. That's shorter than many of your own pointless, fact-free ramblings, yet it manages to address something concrete.
"You are all worried about the govenment having this metadata, yet you will gladly hand most of it to google, facebook, twitter, and the like."
Ah, a sweeping statement pulled straight from your ass, even before you realise that there's a massive difference between the government and private enterprise. But, you're tripping over yourself to attack everybody here in a handy fiction, so why let facts bother you?
"What I think is most disturbing from this story is that you find it surprising."
If you bothered to read most of the posts here instead of leaping in to attack what's said, you might find that this is not surprising to anyone here, and that subject is in fact the focus of years' worth of articles written.
The actual point of the article is that this is the sort of thing that politicians are claiming is impossible or not something that metadata can be exploited to use. That someone has proven that it is possible despite their assurances does not mean that anyone is surprised about those results. It's simply something worth noting in full.
Please, learn reading comprehension, stop being an ass, and address reality. In your rush to attack, you often forget the latter, thus your reputation as a fantasist and a liar.
[ link to this | view in thread ]
the only way to stop this is to demand that ALL government surveillance stops on everyone unless they can provide a valid reason, to a proper court (not the bunch of yes men that checks atm) that then issues a warrant or whatever stating exactly what can be done and what cant be done. then every step needs to be checked before the info gathered can be used in court.
hopefully the time this takes would at least discourage any underhandedness as illegitimate surveillance could cost the case and lives if done incorrectly
[ link to this | view in thread ]
Re: Re:
You have a right to an opinion, even if you are full of it. I have a right to mine. Have a wonderful weekend!
[ link to this | view in thread ]
Re:
Here's that link
https://www.techdirt.com/articles/20140511/06390427191/michael-hayden-gleefully-admits-we-kill-p eople-based-metadata.shtml
[ link to this | view in thread ]
Re: Re: Re:
So in other words, it's fine for you to come along and post your opinion and critique, but not fine for someone else, whether anonymous or not when doing the same to you.
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
so .... "Bible Company Fuckery" then?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
by now everyone should know to use DIFFERENT complex passwords for each account....
[ link to this | view in thread ]
Re: Re: Re:
You know, the one where your premise is completely destroyed.
Because otherwise you might have to address the issues - omg.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
misinformation?
Using his browser data, we were able to see the sites he visited and the searches he made.
That seems to be more than metadata. That seems way more than anyone is collecting.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: misinformation?
[ link to this | view in thread ]
Re: misinformation?
[ link to this | view in thread ]
Re: misinformation?
Do you have anything of substance you can potentially throw at us, or is this all you can think of?
[ link to this | view in thread ]
Re: misinformation?
[ link to this | view in thread ]
Tip o' the hat, Ton.
Their efforts, even though few and far between, tend to balance somewhat the constant negative work of paid blog shills like Whatever, and the army of liars employed by the Most Transparent Administration In American History, who tirelessly attempt to bury the truth and muddy the waters of public perception.
In the face of such apparently overwhelming odds, it is truly amazing what having a spine can accomplish.
---
[ link to this | view in thread ]
Re: Re: misinformation?
It also seems that much of the information gathered here was related to first hacking his password. It seems really silly to think that the guy had the same simple password for everything, no capitals, no special characters, no extra characters (just adding "!!" on the end of something makes it almost unhackable by these methods). If anything, it sounds like the guy went out of his way to pave the road of information for them to find.
[ link to this | view in thread ]
Re: Re: misinformation?
Leave it to the apologists to not consider the obvious!
[ link to this | view in thread ]
Re: Re: Re: misinformation?
[ link to this | view in thread ]
Re: Re: Re: Re:
... likely because there's good odds they'd know it better than him.
[ link to this | view in thread ]
Re: Re: Re: misinformation?
The operative description being visited a web site, which is identifiable by its IP address, and site selector if used. That is all non encrypted data and available to ISP by simply logging syn packets.
[ link to this | view in thread ]
New law
Wonder how long it will take them to change their tune.
[ link to this | view in thread ]
Re: Re: Re: misinformation?
The more so as the apologist in question has a reputation for deceit. (Or, in the case of spook agencies, considers deceit a part of their mission and raison d' etre).
[ link to this | view in thread ]
Re: Re: Re:
1. you really are shitheel of a human bean...
2. that nearly 100% of the 1% of the inertnet denizens who frequent this (or similar) sites and have an abiding interest in the subject may indeed 'know' that their metadata is vast and too easily hoovered, is one thing...
3. for the VAST majority of inertnet users, yes, they may have some working theory that they are vulnerable, they may have some suspicions that The They (tm) don't have their best interests at heart, etc; but MOST are using the tubes without having a clue, because YOU DON'T HAVE TO...
*just like* 90% of the people who drive cars *might* have some scant knowledge of how an internal combustion engine works, etc, they REALLY don't know shit about it unless/until someone educates them on how it works...
AND, for the most part, THEY DON'T CARE: their car stops working, they call a mechanic; their tubes stop working, they call a nerd, they don't have to 'know' shit about it...
4. did i mention you are a shitheel of human bean ? can't be emphasized enough...
[ link to this | view in thread ]
Re: New law
If they refuse, well, that just makes them hypocrites and/or liars, and deserving of having that pointed out.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]