What you write is no longer the sensitive part of a message – The entire message is
“Metadata is far more intimate than our conversations. It shows where we go, our interests, our relationships – it shows who we are.” – Bruce Schneier
Metadata is often talked about when it comes to social networks, online advertising and websites. However, it is very rarely discussed in the context of mobile messaging. Understanding mobile metadata is crucial to understanding anonymity, privacy and messaging security.
Defining Metadata and how it is essential for privacy
Metadata records what we say and do online, from the websites we visit to the people we interact with. Because it maps all of our activity, it can be used to construct a profile of us with unnerving accuracy. And as companies gather, use and store this data, it gives them personal and extensive knowledge of the user. The more information companies know about us, the more there is that could potentially be stolen or shared as the result of a hack.
None of this is exactly new knowledge: it is well documented how websites gather information about us, which is then used for personalization and advertising. Together, website metadata creates a detailed image of you from your activity. Think of it like an online fingerprint, almost completely unique to you. Messaging apps such as Signal and WhatsApp, whether encrypted or not, collect similar, though slightly different, information.
This includes carrier, phone number, username, contact list, specific device identification, mobile operating system, location, IP address and device.
The final four of this list provide interesting insight. The other six identify the user almost immediately, but through IP address, location, device and mobile operating system, the exact time and location can be found. Add to this an exact list of who you have been talking with and the length of each conversation, and it gives a worryingly sharp look into a person’s life. Combine this with the first section and the metadata can tell you exactly who the person talked to and for how long, as well as the usernames they had been using. One glance at all of this is enough to tell you it is worrying for privacy.
A definition of metadata
This 2013 EFF post, ‘Why Metadata Matters’, provides a good look at phone metadata and examples of what it can record. These include calls to medical professionals and emergency services, political affiliation, and personal details. It records who was speaking and to whom, as well as the length of time, but not what was said.
Looking at this in a wider scope, a paper by James Hendler and Nidhi Rastogi of the Rensselaer Polytechnic Institute provides a better look:
“In the privacy domain, there have been concerns related to user metadata as well. WhatsApp encrypts the communication channel between users using end-to-end encryption. The metadata of the user is encrypted as well when data is in motion on the communication channel between various parties. It is essential to understand that information stored in metadata is just as important in preserving privacy of the users, as is the data itself. The company’s legal terms allow them to store information associated with successfully delivered messages such as time of delivery, mobile phone numbers involved in the messages, size of any digital content swapped between the two parties (Bernstein 2006).
Also, the app persists the user to share one’s entire contact list with the app. This is a way to further gather information about who is in a particular social network of a user. It is like trading the convenience of having the app to figure out who uses it amongst one’s contacts for giving up the entire list of which one contacts regularly, including those who don’t use the app. There is still no option of selectively adding contacts to the WhatsApp list. Any addition of this feature in the future will not help existing users as they have already shared this detail with the app. A smartphone metadata reflects a wealth of details both at the level of individual calls and when analyzed in aggregate. Computer scientists and researchers have proved this a number of times in the past.
It is here where WhatsApp falters.
While the metadata is encrypted during transit, phone numbers, timestamps, connection duration, connection frequency, as well as user location are being stored on the company’s servers. This metadata is sufficient to create a profile and draw some strong inferences between the communicating parties. And as we’ve seen very often, both governments and hackers can get their hands on the metadata if they really go after it.”
Metadata has to be collected and stored for a short time so that messaging apps can work. The vital part is that apps minimize the amount they collect and use only what is necessary to give their users full anonymity.
What is the right amount of metadata?
Secure messaging apps such as SKY ECC do not require vast amounts of metadata, needing only the sender and recipient’s SKY ECC ID to be able to send messages from one person to another. Only when one person is offline will encrypted messages be stored. We want to make sure our users have real anonymity. For this, we believe that messaging means gathering and holding the least amount of information possible about what our users do, so that we can prove real anonymity. When used incorrectly, metadata can be used without you knowing, for reasons you did not agree to. When it comes to secure communication, the less metadata gathered, the better.
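
The difference between retaining delivery records and minimizing them can be shown with a small added example, which is not SKY ECC's or any vendor's code. The class names, the short IDs and the sample traffic are all constructed for illustration; the logging relay keeps the fields named in the quoted paper (time, parties, size), while the minimal relay uses the two IDs only for routing and holds ciphertext only while the recipient is offline.

```python
from collections import Counter, defaultdict

# Constructed sample traffic: (sender_id, recipient_id, unix_time, ciphertext)
TRAFFIC = [
    ("A1", "B2", 1700000000, b"\x01" * 120),
    ("A1", "B2", 1700003600, b"\x02" * 80),
    ("A1", "C3", 1700007200, b"\x03" * 300),
    ("B2", "A1", 1700010800, b"\x04" * 64),
]

class LoggingRelay:
    """Hypothetical relay that keeps a delivery record for every message."""
    def __init__(self):
        self.log = []

    def send(self, sender, recipient, ts, ciphertext, online):
        self.log.append({"from": sender, "to": recipient,
                         "time": ts, "size": len(ciphertext)})

class MinimalRelay:
    """Hypothetical relay that routes by ID and stores only for offline users."""
    def __init__(self):
        self.queue = defaultdict(list)

    def send(self, sender, recipient, ts, ciphertext, online):
        if recipient not in online:
            self.queue[recipient].append((sender, ciphertext))
        # Recipient online: forwarded immediately, nothing is written.

    def fetch(self, recipient):
        return self.queue.pop(recipient, [])  # removed from storage on delivery

def contact_graph(log):
    """Who talked to whom, and how often, rebuilt from retained records alone."""
    return Counter((r["from"], r["to"]) for r in log)

def retained_records(relay):
    if isinstance(relay, LoggingRelay):
        return len(relay.log)
    return sum(len(msgs) for msgs in relay.queue.values())

def run(relay, online):
    for sender, recipient, ts, ct in TRAFFIC:
        relay.send(sender, recipient, ts, ct, online)
    return relay

if __name__ == "__main__":
    print(contact_graph(run(LoggingRelay(), {"A1", "B2"}).log))
    print(retained_records(run(MinimalRelay(), {"A1", "B2"})))
```

With the same traffic, the logging relay's stored records yield the full contact graph without any message content, while the minimal relay holds one queued ciphertext for the offline recipient and nothing after it is fetched.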