What Is Metadata? And Why Do You Need To Know?
Being in the know about what metadata is and how it could be used to threaten your cyber security is smart practice for any digital citizen.
If you’ve been following the trends in cybersecurity over the last few years, one of the terms you’re sure to know about is “metadata”. Defined as “data that provides information about other data,” metadata has been a flash point in the debate around the revelations that came from whistleblower Edward Snowden’s leak of mass surveillance tactics from the NSA.
For some time now, metadata has gotten something of a “free ride”, so to speak, when it comes to security officials and companies getting away with holding onto it with the full knowledge of citizens. We don’t hold it to the same standard as, say, the contents of our private chats, which are increasingly protected by the kinds of end-to-end encryption mechanisms we see on WhatsApp and Facebook. Indeed, as TechCrunch recently wrote, “We have been led to believe that metadata — or rather, activity logs — is nothing to worry about; it’s only the content that matters.”
But does this argument hold up under the tsunami of metadata that is being accumulated by the companies who hold it? There are increasing numbers of voices in the cybersecurity world pointing out that, when there’s enough of it, metadata can indeed be used to pull out the kinds of identifying details we assume are hidden for our personal safety. A telling study from Stanford University found that “telephone metadata densely interconnected, susceptible to re-identification, and enabling highly sensitive inferences.” Even more chillingly, NSA General Counsel Stewart Baker has been quoted as saying “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.”
After all, while half a decade ago each individual’s metadata footprint was perhaps limited to their phone records and search history, today it covers nearly everything we do, from shopping, social activity, online banking and GPS, and increasingly the internet of things. While the number of devices and tools we use on a daily basis which collect our data has grown, so too has the storage capacity of the servers that contain it. Now companies have no reason to get rid of our data as it’s cheap to hold onto it forever.
So, what’s happened in the wake of all this metadata retention? As TechCrunch continued, “Today, metadata collection and mining has become an industry of its own — accumulating and matching information across countless databases to produce detailed records of everyone’s activities and associations. The goals range from targeting users with relevant advertising to behavioral pattern recognition to aimless harvesting of records for yet unknown future use.”
With these kinds of activities being fairly widespread, it’s fair to say that the era of not being worried about our metadata is over. Companies need to be more transparent and ask users to opt into their metadata being stored, with informed consent of just what that means. It’s no longer enough to focus on protecting digital content itself; we have to think about our right to privacy when it comes to the bigger picture of our online lives as well and lobby our lawmakers to treat the two categories with equal amounts of seriousness and rigor.
This is essential, both to keep companies and institutions in check and accountable to their users, and also to protect our metadata from more nefarious actors. After all, “the less time the metadata lives and the fewer servers it touches, the more secure we all are against targeted criminal attacks and cyber espionage.” This is not just a matter of being distrustful of major companies, but also of what could happen if they don’t treat our metadata with proper precautions.