Secret Metadata: Beware Before You Share
24/03/2020 — by Sikhei Leung
Let’s talk about metadata. Specifically, the unavoidable metadata that comes attached to any electronic file on computers, phones, tablets, and everything in between. It’s a safe bet that you and I both unknowingly share a huge amount of metadata every day. And contrary to what the NSA might say, metadata can contain A LOT of critical information. So what is metadata?
What is Metadata?
Well, the classic definition comes from the etymology of the word itself. Metadata is “data about data.” Metadata in reference to electronic files like, photos, audio clips, videos and PDFs are bits of data that provide information and descriptions about the files themselves. Some examples include things like: the data size, when the data was created, the format of the data, and keywords that describe the data.
Think of it like this: If the data is a Twinkie, then its metadata is the list of ungodly ingredients and the table of horrifying nutritional information nearly invisible to the naked eye on the packaging. You may not notice it or be aware of it, but it’s definitely there if you look for it. That’s not to say metadata is not incredibly useful. It is.
What Does It Do?
Metadata summarises basic information about data, making finding and working with particular instances of data easier. it can be used to classify different types of data, relationships among different types of data, the properties of data, and the functions and limitations of the data. Almost every app, website, major information systems depend on metadata to function properly.
So, it’s that much more important that we be aware of what metadata we are sharing. We also need to know what the implications of doing so might have on personal privacy.
The Dangers of Sharing Your Metadata
There are far too many types of data to discuss them all. Emails you send can contain your IP address and social media posts can contain your personal information and data. So let’s focus on the type of data that almost everyone shares most frequently on social media nowadays—images.
In 2017, WhatsApp alone reported that 4.5 billion photos are sent using their app every single day. Instagram had an average of 95 million posts per day in 2016 (which likely means this number is less than half of today’s numbers). Think of the sheer amount of metadata that must come with those photos.
What happens when you put a photograph online? In most cases, absolutely nothing at all. The embarrassing photo of you dabbing that you posted a few years back will simply float around in cyberspace until the end of time. However, the metadata within the photo you posted could contain extremely revealing information about the photo, and you. This includes when the photo was taken, the camera used to take the photo, and camera specific metadata. Arguably, most important types of information hidden in a photo’s metadata are geolocation data and facial recognition data.
A Cautionary Tale
Whenever you take a picture with your phone, it embeds your location data into the file. If you then upload that photo then it’s not difficult to deduce information about where you are and where you have been in the past. Consider the case of Aaron Schock, a disgraced former Republican US congressman who was indicted by a federal grand jury on multiple counts of theft of government funds, fraud and making false statements. Schock was known for his social media presence and acting more like an Instagram influencer rather than a politician. Naturally, his posts of him going on lavish trips raised curiosity. The Associated Press launched an investigation which extracted the geolocation data from the photos he posted alongside photos that he tagged himself on his Instagram account. The AP then compared it to the travel expenses he was charging to his campaign. They analysed his travel expenses, his flight records of airport stopovers ,and the data extracted from his Instagram account. In the end, they found that taxpayer’s money and campaign funds had been spent on his private plane flights. Schock was forced to resign three weeks after the article was published.
Even When You Don’t Share
Even the photos and files you don’t actively share might be shared or leaked regardless of what you do. I for one, was shocked to discover that Google Maps had tracked my location for years with disturbing accuracy.
Additionally, almost everyone I know has their entire lives backed up on some sort of cloud based storage—Google Drive, iCloud, Dropbox—just to name a few of the big players. Those systems are not infallible either. There is an inherent and real risk to having your data and metadata leaked. One example is the 2014 iCloud leaks of celebrity photos where hundreds of private photos of celebrities were leaked. While it’s true most people don’t care to see photos of the weird mole on your backside, the information contained within those photos, such as where you’ve been in the last five years might be traced through the metadata on those photos.
Some of the worst-case scenarios in metadata mining involves stalking and harassment. It’s exceedingly easy to find someone by looking into the data on photos, tracing the movements of individuals and then finding them at their home address.
Although not strictly metadata by definition, I have to mention the case where fitness tracking apps such as FitBit and Strava have inadvertently revealed the locations of newly built US military drone bases in Africa. People started asking questions about why there were people running around in circles in the middle of the desert. Turns out they were US military personnel tracking their fitness while doing laps around the base and was most certainly not location data they wanted to be shared.
Who wants your metadata?
There are primarily three groups that want your metadata. Marketers such as Google and Facebook are constantly tracking and collecting your metadata and targeting advertisements to the user based on their data. Hackers might also for the same reason—money—want to steal your metadata. They may be using it for malicious purposes, but that’s not to say that the marketers are saints in comparison. Lastly, there are government agencies. There are plenty of examples of law enforcement agencies collecting metadata and evidence of privacy intrusions by governments into personal data happening all the time. There’s very little legislation anywhere on earth that specifically prevents law enforcement from obtaining metadata without good cause. Laws change slowly and that’s really the reason most countries’ laws don’t even mention electronic metadata.
Despite metadata being omnipresent, there are ways to reduce and limit the amount of metadata you share in your day to day life. There is a wide range of tools that can help delete metadata from files before you share them. However you also have to keep in mind that a lot of apps also depend on metadata to function as they are intended.
Metadata removal tools that you might encounter include:
- Integral metadata removal tools, which are included in some applications like Microsoft Office
- Batch metadata removal tools, which can process multiple files
- E-mail client add-ons, which are designed to remove metadata from e-mail attachments just before they are sent