Analysis Of Volunteer's Metadata Stream Reveals His Life In Detail, Allows Passwords To Be Guessed

from the not-"just"-metadata dept

From one week of logs, we were able to attach a timestamp to 15,000 records. Each time Ton's phone made a connection with a communications tower and each time he sent an e-mail or visited a website, we could see when this occurred and where he was at that moment, down to a few metres. We were able to infer a social network based on his phone and e-mail traffic. Using his browser data, we were able to see the sites he visited and the searches he made. And we could see the subject, sender and recipient of every one of his e-mails.

Ton is a recent graduate in his early twenties. He receives e-mails about student housing and part-time jobs, which can be concluded from the subject lines and the senders. He works long hours, in part because of his lengthy train commute. He often doesn’t get home until eight o'clock in the evening. Once home, he continues to work until late.

Based on the data, it is quite clear that Ton works as a lawyer for the digital rights organisation Bits of Freedom. He deals mainly with international trade agreements, and maintains contact with the Ministry of Foreign Affairs and a few Members of Parliament about this issue. He follows the decision-making of the European Union closely. He is also interested in the methods of investigation employed by police and intelligence agencies. This also explains his interest in news reports about hacking and rounded-up child pornography rings.

From a social network analysis based on Ton's e-mail traffic, it is possible for us to discern different groups to which he belongs. These clusters are formed by his three e-mail accounts. It may be the case that the groups would look a bit different if we were also to use the metadata from his phone. However, we agreed to not perform any additional investigation, such as actively attempting to discover the identity of the user of a particular number, so as to protect the privacy of those in Ton’s network.

The analysts from the Belgian iMinds compared Ton's data with a file containing leaked passwords. In early November, Adobe (the company behind the Acrobat PDF reader, Photoshop and Flash Player) announced that a file containing 150 million user names and passwords had been hacked. While the passwords were encrypted, the password hints were not. The analysts could see that some users had the same password as Ton, and their password hints were known to be 'punk metal', 'astrolux' and 'another day in paradise'. ‘This quickly led us to Ton Siedsma's favourite band, Strung Out, and the password "strungout",' the analysts write.



With this password, they were able to access Ton's Twitter, Google and Amazon accounts. The analysts provided a screenshot of the direct messages on Twitter which are normally protected, meaning that they could see with whom Ton communicated in confidence. They also showed a few settings of his Google account. And they could order items using Ton's Amazon account -- something which they didn't actually do. The analysts simply wanted to show how easy it is to access highly sensitive data with just a little information.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Three years ago, Techdirt wrote about how German politician Malte Spitz obtained six months' worth of basic geolocation data for his mobile phone. He then gave this to the German newspaper Die Zeit, which produced a great visualization of his travels during this time . That showed clearly how much was revealed from such basic data. Since then, of course, metadata has assumed an even greater importance, as it has emerged that the NSA routinely gathers huge quantities of it about innocent citizens. More chillingly, we also know that people are killed purely because of their metadata. But whatdoes metadata show about us? We now have a better idea thanks to the generosity of Ton Siedsma from Holland. He has allowed researchers to access not just the geolocation data of his mobile phone, but all of its metadata That's very similar to the sort of thing governments around the world are now routinely demanding. Here's what the researchers were able to find out about various aspects of his life as a result. The basics:His work:His social networks:There is much more of this in the post, and it's well-worth reading the whole thing to see just how much the researchers were able to find out. But it gets even more interesting -- and troubling -- when they move beyond this passive analysis of metadata to using this information to break into accounts:That gives a hint of the havoc that government agencies with access to your metadata could wreak on your life -- not only reading the contents of your emails, but also possibly accessing ecommerce or even bank accounts. We should be grateful to Siedsma for having the courage to hand over this intimate data, and for reminding us yet again why it is wrong to call it " just " metadata.Follow me @glynmoody on Twitter or identi.ca , and +glynmoody on Google+

Filed Under: anonymity, content, metadata, privacy, surveillance, ton siedsma