Authorities have long incorrectly argued that users’ metadata cannot reveal sensitive privacy information that may be damaging to users; and that metadata is essentially benign.
- Why metadata even requires encryption security.
- What metadata can reveal that may surprise.
Stanford academics’ findings highlight that things are not as simple as they seem. Therefore, organisations’ responsibilities to protect privacy and prevent other cyber-crime threats, should also apply to the metadata they collect.
Many security experts argue that all captured data – raw source data and metadata – should be encrypted and that the longer the data’s potential useful life, the more compelling it is to encrypt.
In the context of protecting data in ‘transit’ (in motion) – data travelling across data networks, Stanford University academics’ findings are noteworthy.
It took highly controversial revelations of major government agencies’ eavesdropping on data networks and state sanctioned intellectual property theft to encourage commercial enterprises and governments to protect their ‘sensitive’ raw source network data while in motion from one place to another.
There are two main valuable applications of metadata – law enforcement (in some cases mandated by governments as an aide in criminal investigations); and Big Data analytics as a business tool (such as for customer buying behaviour analyses), which often includes both raw and metadata and may be limited to metadata.
However, is metadata sensitive data? What is sensitive data? Obviously, being widely used for commercial purposes and valued by law enforcement; metadata must contain useful or sensitive information as shown by the Stanford study.
Why else would such enormous volumes of metadata be collected; frequently transmitted across high-speed networks; stored and analysed; all at considerable expense? Therefore it should be protected by encryption.
Researchers easily extract personal details from metadata.
Academics from Stanford University in the United States have shown how trivially easy it can be to infer sensitive details about individuals from metadata on their communications.
They set out to test claims by the US National Security Agency that metadata is not personally identifiable information (PII).
Researchers Jonathan Meyer, Patrick Mutchler and John Mitchell collected the data for the study by running an application on Google Android phones used by 823 volunteers.
The application automatically retrieved device logs with metadata on calls, text messages, and Facebook accounts. All in all, over 250,000 calls and more than 1.2 million text messages formed the body of the study.
Analysis of the metadata showed that it was easy to infer highly sensitive details about people’s religious affiliations, their locations, health status and other traits from what was collected.
In one example, the researchers noted that one participant in the study received a long phone call from the cardiology group at a regional medical centre. The person also spoke briefly to a medical laboratory, and received multiple short calls from a local pharmacy, and rang a self-reporting hotline for a cardiac arrhythmia monitoring device.
Using public sources the researchers were able to confirm that the person was indeed a cardiac arrhythmia suffer.
In another example, the researchers worked out that a study participant owned an AR semi-automatic rifle from his metadata.
The researchers were also able to infer that one person was likely growing hydroponic marijuana, and another person was trying to become pregnant, simply by analysing phone logs.
The Stanford team said their findings exposed the serious privacy implications that bulk metadata collection by government agencies carries.
Senetas High-Assurance Security Comments
To those well informed about data and metadata, the Stanford study results are not a surprise. To the rest of the world, the results may be of considerable concern. Users need to be satisfied that all organisations handling their data, of any type, actively protect it and their privacy etc.
So, when considering the protection of network data (raw source data – including
voice, images and video), it’s equally important to consider that data’s metadata. Clearly metadata is potentially sensitive information about the user and the raw data and should be encrypted – in transit and at rest.
And it is just as important to consider the security effectiveness of the encryption solution chosen. ‘Near enough’ is certainly not ‘good enough’ as independent experts regularly emphasise.
Although governments and commercial enterprises are increasingly encrypting their network data; today, they must also be alert to the fact that not all network encryption solutions provide the same strength of protection. Sadly, there have been too many ‘embedded’ encryption solutions breached and discovered to be vulnerable to cyber-attacks – all because the devices were not secure and high-assurance encryption products.
The encryption device itself must be 100% secure; and then the Encryption Key Management must be state-of-the-art for organisations to be confident they have high-assurance encryption protection.