General security

Digital Trails: Metadata and Privacy

November 12, 2014 by Infosec

There was someone in my extended family who ran an investor relations firm. For his sake, I won’t name him. One day, he sent my late father death threats via email. My father was no computer geek, but he was a highly intelligent man with a much greater awareness of computer technology than most people who were born in the 1930s.

“Kimberly,” my father said, “How stupid is this man? Doesn’t he know that if he does something on the Internet, he can be traced?” So my dear old Dad forwarded those emails to the police. Death threats are illegal here in Canada, and emailing them is just asking for trouble.

The reason why emails can be traced is due to their metadata. That code usually can’t be seen in an email client or in webmail, but it’s definitely there.

I have a lot of experience with spoofing emails, including for penetration testing. If I wanted to spoof an email well enough to fool a large corporation’s IT department, here’s what I’d do. First, I’d double and triple check the IP address of the SMTP server associated with the email address that I’d want to spoof. I’d also need to input the full email address correctly. I’d also verify the email client that the account I want to spoof usually uses. Knowing all that, and also having a feel for the style in which the person I’m spoofing writes (for the body of the email), I’d then use a MySQL/PHP based email spoofing form on the web, like this one: Select “Advanced Settings,” and I can spoof the client and everything else. Then, I’ve got an easy means to test for social engineering vulnerabilities. It’s that easy!

And all I’d need to be able to do that is to have received emails from the person I’m spoofing. Keeping that in mind, don’t send anyone any emails that you may regret. It’s appalling how many end users are oblivious about that.

Email is just one of many forms of digital media that uses metadata that can trace your communication back to you. Metadata is also found in your social media use, in the websites you surf, and even in your phone calls, as our entire telephone infrastructure is digital these days. Yep, that even covers your Grandma’s landline.

Knowing all that, I wonder why it’s taking so long for police to investigate the Gamergaters who have sent Zoe Quinn, Anita Sarkeesian, and Brianna Wu death threats. I hope that the FBI is prioritizing the matter, and I hope they’re hot on the trail.

Web servers at the very least know which web browser you’re using and your gateway IP address. Your gateway IP address can usually be traced to your ISP, whether it’s static or dynamic. From there, if you’re the target of a criminal investigation, your ISP may be legally obligated to reveal who you are and where you are. A proxy network like Tor will make tracing you a lot more difficult, but law enforcement has been able to exploit exit node vulnerabilities. Even while behind a proxy, I’d never do anything illegal other than pirating media via P2P networks. You can’t say I didn’t warn you. (I do legally buy movies, music, books, and video games most of the time. I create content, and I’d like other content creators to be able to make a living as well. But sometimes I’ll try before I buy, especially if my last paycheck was a while ago. My favorite creators are always rewarded on payday!)

Absolutely everything I post via social media is “public,” because I know that the most a social media network’s privacy settings can do is possibly keep something from people who aren’t computer literate. I know better than to think that any of my tweets or Google+ posts are truly “private.” And metadata has a lot to do with that.

What kind of metadata exists?

As I mentioned, email metadata can include your email address, name, SMTP IP address, and email client. It can also include date, time, and time zone, your subject, a unique identifier, and email client login records.

Phone call metadata can include the phone numbers on each end of the call, time and duration, phone serial numbers, calling card records, and the locations on each end of the call.

Web browser metadata includes web browser engines, cookies, gateway IP addresses and location, device and operating system information, and timestamps for downloads and uploads.

Social media metadata includes your geolocation, device and operating system, whatever personal information you put in your profile even if it’s “private,” subscriptions, unique identifiers, and date, time, and time zone.

So, what about the NSA?

Thanks to Edward Snowden, even many end users now have some idea of how intelligence agencies may be tracking them.

In November 2013, a group of researchers at Stanford University started a very interesting study. They had a number of volunteers install their app on their Android phones, called MetaPhone. The app was designed to collect the sort of phone call metadata the researchers hypothesized that the NSA would have access to. By March 2014, their results were in.

Amongst the phone data the study found were calls to firearms dealers, Canadian pharmacies (our drugs are cheaper than yours), neurology clinics, and Planned Parenthood clinics. Imagine if a vigilante anti-women’s rights group had access to that!

“This just confirms what everyone’s intuition suggested. Phone metadata is incredibly revealing. It’s great to have some empirical evidence to back up that intuition, and it only reinforces the intrusiveness of the NSA’s mass collection of Americans’ call records,” said researcher Brian Pascal.

The United Nations resolution proposal

Germany and Brazil were understandably upset about revelations that the NSA may have been spying on their governments.

Their initial resolution proposal was drafted in December 2013, and as of November 2014, there’s a new draft. According to the draft, the NSA’s alleged collection of metadata “violate(s) the right to privacy and can interfere with the freedom of expression and may contradict the tenets of a democratic society, especially when undertaken on a mass scale.”

Data retention laws may force ISPs in their respective jurisdictions to collect metadata in case it may be useful for intelligence and law enforcement. Brazil has yet to have such laws. Germany via the European Union had such laws starting in 2008, but their constitutional court struck it down in 2010. Keeping that in mind, it’s probably not hypocritical for those countries to initiate their UN resolution proposal.

It’d be interesting to see what may come out of that. It doesn’t surprise me that the American government seems to care less about citizen privacy than some other developed nations do.

Remember I mentioned those poor women who were targeted by Gamergate, simply for being female and interested in the sociology of video games? Just for the heck of it, I’ll plug Zoe Quinn’s game, Depression Quest. It’s web browser based, and it’s donationware. You can play it for free, but please make a modest donation if you enjoy it:


What Your Email Metadata Told the NSA About You- Rebecca Greenfield, The Wire

Metadata and Privacy, A Technical and Legal Overview- Office of the Privacy Commissioner of Canada

Volunteers in metadata study called gun stores, strip clubs, and more- Cyrus Farivar, Ars Technica

Metadata collection comes under fire in new UN anti-surveillance draft resolution- David Meyer, Gigaom

Is metadata collected by the government a threat to your privacy?- Michael Kassner, Tech Republic

Posted: November 12, 2014
View Profile

Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training.