Data Privacy Security Bloggers Network 
SBN

Metadata and Your Privacy

by Avoid The Hack! on March 1, 2023

The importance of metadata to user privacy is simply under emphasized.

Metadata can tell the whole story without ever reading the message contents; with files, Metadata can reveal additional and potentially sensitive information in addition to whatever is contained inside a file.

People break up over metadata, are arrested over metadata, and killed over metadata. The leaking/capture of metadata is just as privacy invasive as gaining access to and reading message contents in many cases, despite downplaying by the many private and public entities relying on metadata collection.

What is metadata?

In its most basic form, metadata is the data associated with a message but not included in its contents. Common metadata frequently includes the time of a message sent and who it was sent to.

These may seem like two insignificant data points at first glance, but a lot of the “story” can be told just using these two data points.

In many cases, we don’t need to read the explicit contents of the message itself to get the “story.” Sometimes, who sent/received a message and when the message was sent/received answers important-enough questions that make the content of the message irrelevant, such as:

  • Who are they messaging?
  • What time was the message sent? Received?
  • How often are two people messaging?


analytics data floating across screen

For rather obvious reasons, who a message was sent to can be significant enough all on its own, especially if the users have been identified with rather unique identifiers, such as a phone number attached to a SIM card.

Knowing when a message was sent to a user can establish a pattern; especially if the central servers relaying messages are logging and storing these particular data points – as many do. 

Over time, just with tracking these two metadata data points alone, we can establish patterns – for example, User X may message User Y every Sunday at 5:00pm for approximately an hour.

Even on end-to-end encrypted platforms, sometimes you’ll find that while the message itself is encrypted, the metadata is made available to the servers handling the message. In this case, at minimum, metadata is transmitted to the servers of whatever communication service you’re using – be it a messenger or an email service provider.

If the provider respects user privacy, then likely this data wouldn’t be logged (for an excessive amount of time), analyzed, aggregated, shared, or otherwise used outside of proper message routing.

Of course, some messaging platforms use metadata for more than just message routing. They may use user metadata for targeted advertising, user tracking across multiple platforms, data to feed to machine-learning algorithms like automated spam detection (or “AI”), or as a “commodity” for selling (data brokers, etc).


concept of data flowing on a green background

Many free and popular, yet privacy-unfriendly email providers also use metadata – which are usually called email headers. “Free” email providers often scan and use user metadata to train the machine-learning algorithms behind spam, phishing, and malicious message filtering.

If the email provider also offers other products – perhaps a calendar – the data captured from the platform’s email scanning may be used to create calendar events.

For example, if you’ve received a flight itinerary to your inbox, the platform may infer from the message metadata you are planning a trip and place it on the calendar.

While this may seem a rather innocuous and convenient action, it at least means the provider/server has access to the metadata in the email headers and is using this metadata outside of message routing purposes. We can also assume they have access to your calendar and it wouldn’t be unreasonable to assume they have access to the messages in your inbox.

Metadata and communications


different messaging apps on a phone screen

What specific metadata attached to communication can be especially broad, since technically anything outside the message contents can be labeled as metadata. Therefore, it would be exceedingly difficult to give a definitive and all inclusive list here, but common metadata does frequently include:

  • Who sent/received a message (including unique identifiers)
  • Time message was sent
  • Server handling the message (specifically in email)
  • Location of device when message was sent
  • Client used to send a message (specifically in email)

Metadata and files

Photos

Most of this post focuses on metadata associated with messages. However, photos and videos also have associated metadata.

For example, by default on iOS, pictures taken with the device’s camera automatically have metadata associated with it; the most notable of this photo metadata is GPS location.

File and photo metadata can include:

  • Location details of a photo
  • Timestamp/date details of a photo
  • Timestamp of author who last edited a file
  • File type and size


a pile of instant photos

Exchangeable image file format (EXIF) is the specific metadata standard for digital images, and can also include much more detailed metadata such as:

  • Date/Timestamps
  • Device ID numbers
  • Camera settings
  • Image metrics (pixel dimension, resolution, file size)

In most cases, devices – such as smartphones – include exact timestamps and GPS coordinates in images taken with the device’s camera by default. It’s often difficult to remove the majority of this EXIF metadata without specialized software.

On iOS, users can disable the geolocation tagging using GPS via the Photos app by tapping on an image, tapping on the information tab, tapping “adjust” for the location, and then selecting “No Location.”

Most users are unaware their images contain this potentially sensitive data. As a result of this lack of awareness, users frequently share photos to the internet containing this data. This data can be harvested by anyone – including the platform on which it was shared – with the means and know-how to do so.

An obvious answer some may have to this problem is to tell users to “only share photos with trusted contacts.” While this is generally good advice (especially for more personal photos or videos), it is but one solution to a multi-faceted problem. Photos and associated metadata may be unintentionally shared with other parties…

  • Do you have iCloud enabled? Photos from your iDevice may be automatically synced with Apple’s iCloud servers and while stored encrypted, Apple has the keys for decryption. (This can be mitigated by enabling Apple’s Advanced Data Protection).
  • Syncing/storing photos on a non-privacy friendly or unencrypted storage provider like Google Photos? You’re sharing your metadata, like location data and timestamp of photos, with Google.
  • Uploaded a photo to Instagram? Instagram may ingest your photo…

*** This is a Security Bloggers Network syndicated blog from Avoid The Hack! authored by Avoid The Hack!. Read the original post at: https://avoidthehack.com/metadata-privacy

Avoid The Hack!