Metadata and Your Privacy

The importance of metadata to user privacy is simply under emphasized.

Metadata can tell the whole story without ever reading the message contents; with files, Metadata can reveal additional and potentially sensitive information in addition to whatever is contained inside a file.

People break up over metadata, are arrested over metadata, and killed over metadata. The leaking/capture of metadata is just as privacy invasive as directly reading message contents in many cases, despite the downplaying by the entities who rely on data collection via metadata.

What is metadata?

In its most basic form, metadata is the data associated with a message but not included in its contents. Common metadata frequently includes the time of a message sent and who it was sent to.

These may seem like two insignificant data points at first glance, but a lot of the “story” can be told just using these two data points - in many cases, we don’t need to read the explicit contents of the message itself to get the “story.” Sometimes, these two data points can answer important-enough questions that make the content of the message irrelevant, such as:

  • Who are they messaging?
  • What time was the message sent? Received?
  • How often are two people messaging


analytics data floating across screen

For rather obvious reasons, who a message was sent to itself can be significant enough on its own, especially if the users have been identified with rather unique identifiers, such as a phone number attached to a SIM card. Knowing when a message was sent to a user can establish a pattern; especially if the central servers relaying messages are logging and storing these particular data points – as many do. 

Over time, just with tracking these two metadata data points alone, we can start establishing clear patterns - for example, User X may message User Y every Sunday at 5:00pm for approximately an hour.

Even on encrypted platforms, sometimes you’ll find that while the message itself is encrypted, the metadata is made available to the servers handling the message. In this case, at minimum, metadata is transmitted to the servers of whatever communication service you’re using - be it a messenger or an email service provider.

If the provider respects user privacy, then likely this data wouldn’t be logged (for an excessive amount of time), analyzed, aggregated, or shared.

However, some messaging platforms use metadata for more than just message routing. They may use user metadata for targeted advertising, user tracking across multiple platforms, data to feed to machine-learning algorithms like automated spam detection, or as a “commodity” for selling (data brokers, etc).

Many free and popular, yet privacy-unfriendly email providers also use metadata - email headers. This metadata is often scanned and used to train the machine-learning algorithms behind spam, phishing, and malicious message filterinIf the cloud storage provider does not run their servers in-house, then third-parties such as the server infrastructure provider (hosting) may have access tog.

If the email provider also offers other products - perhaps a calendar - the data captured from the platform’s email scanning may be used to create calendar events. For example, if you’ve received a flight itinerary to your inbox, the platform may infer from the message metadata you are planning a trip and place it on the calendar.

Metadata and communications


different messaging apps on a phone screen

Metadata as attached to communication can be especially broad, since technically anything outside the message contents can be labeled as metadata. Therefor, it would be exceedingly difficult to give a definitive and all inclusive list, but common metadata does frequently include:

  • Who sent/received a message (including unique identifiers)
  • Time message was sent
  • Server handling the message (specifically in email)
  • Location of device when message was sent
  • Client used to send a message (specifically in email)

As mentioned earlier, metadata is often associated with files - particularly photos. File metadata can include:

  • Location details of a photo
  • Timestamp/date details of a photo
  • Timestamp of author who last edited a file
  • File type and size

Metadata and files

Photos

Most of this post focuses on metadata associated with messages. However, photos and videos also have associated metadata.

For example, by default on iOS, pictures taken with the device’s camera automatically have metadata (EXIF) associated with it; the most notable of this photo metadata is GPS location.


a pile of instant photos

Exchangeable image file format (EXIF) is the specific metadata standard for digital images, and can also include metadata such as:

  • Date/Timestamps
  • Device ID numbers
  • Camera settings
  • Image metrics (pixel dimension, resolution, file size)

In most cases, devices - such as smartphones - include exact timestamps and GPS coordinates in images taken with the device’s camera by default. It’s often difficult to remove the majority of this EXIF metadata without specialized software.

On iOS, users can disable the geolocation tagging using GPS via the Photos app by tapping on an image, tapping on the information tab, tapping “adjust” for the location, and then selecting “No Location.”

Most users are unaware their images contain this potentially sensitive data; as such, they frequently share photos to the internet containing this data, which can be harvested by anyone - including the platform on which it was shared - with the know-how.

An obvious answer some may have to this problem is to tell users to “only share photos with trusted contacts.” While this is generally good advice (especially for more personal photos or videos), it is but one solution to a multi-faceted problem because photos - and their associated metadata - may be unintentionally shared to other parties…

  • Do you have iCloud enabled? Photos from your iDevice may be automatically synced with Apple’s iCloud servers and while stored encrypted, Apple has the keys for decryption. (This can be mitigated by enabling Apple’s Advanced Data Protection).
  • Syncing/storing photos on a non-privacy friendly or unencrypted storage provider like Google Photos? You’re sharing your metadata, like location data and timestamp of photos, with Google.
  • Uploaded a photo to Instagram? Instagram may ingest your photo EXIF metadata.
  • Used Imgur to share an interesting bird from your hike on Reddit? In addition to sharing metadata with Imgur or Reddit, anyone who views your photo may be able to download it and extract its EXIF data.

Files

Files (that are not photos) also have associated metadata. Common file types that frequently retain and attach metadata include Word files (.docx) and PDF files (.pdf).


a pixelated file folder on a screen

These files can contain a lot of metadata, such as:

  • Author names
  • Which “author” last saved the document
  • Comments (which...

The post Metadata and Your Privacy appeared first on Security Boulevard.

01 March 2023


>>More