03 Aug 2018

Don’t underestimate the riches in metadata!

Contrary to the common myth, metadata (data about data) is sensitive information. It is the most underestimated source of data breach riches for cyber-criminals, especially in a world where Big Data analytics and machine learning benefit hackers as much as legitimate users.

In a recent post “Identifying People by Metadata”, data security expert Bruce Schneier highlights a research paper by Beatrice Perez, Mirco Musolesi, and Gianluca Stringhini.

Schneier provides a synopsis of the paper, “You are your Metadata: Identification and Obfuscation of Social Media Users using Metadata Information”, which points to the potential riches contained within metadata, using Twitter as a typical use case.

In the paper itself, the researchers report the ability to identify an individual user within a 10,000-strong sample with 96.7% accuracy. They also explore the ineffectiveness of data perturbation or obfuscation when it comes to metadata.

Data security policy makers have been eager to convince the public that government-obtained metadata doesn’t pose a security risk. However, as we’ve seen in recent months, a metadata breach can be far from benign. Data about data may be just as sensitive as the data itself.

Organisations that gather, store and process metadata should employ cyber-security best practice and ensure the metadata is encrypted, both at rest and in motion (for example, to, from and between data centres). Failure to do so could have serious consequences for both the data subjects and processors.

On May 1st, 2017 Australia’s first metadata breach was reported – occurring just two weeks after the Australian metadata retention laws came into effect. Somewhat embarrassingly, the breach was of metadata held by the Australian Federal Police.

Government and legislative assurances that metadata is neither “sensitive” nor personally identifiable reveal either naivety or ignorance of the reality of Big Data analytics. A properly motivated or skilled data analyst can extract a wealth of exploitable information from metadata.

If the Australian government doesn’t classify metadata as sensitive and deserving of encryption security, it raises the question: who else is overlooking the importance of metadata?

In her article for CNet, “Why the AFP’s metadata breach is actually a big freakin’ deal”, Claire Reilly articulates nine issues resulting from the breach. Amongst them, she acknowledges that any data security system is only as strong as its weakest link. When prevention technologies fail, sensitive data should be protected using strong and effective encryption.