Smartphone Experiment Shows How Your Metadata Tells Your Story


Somebody tell Siri that snitches get stitches.
Credit: Highways Agency / photo on flickr

For one short week, a Dutch volunteer named Ton Siedsma with the digital rights group Bits of Freedom agreed to allow researchers to have full access to all his smartphone metadata. This is the information the National Security Agency (NSA) and other governments have been collecting from its own citizens while insisting the information did not violate our privacy.

Few actually believe the government's arguments, but how much can somebody figure out just from smartphone data? Thus, the experiment with Siedsma. It turns out, as has been growing increasingly clear, you can figure out a lot. According to an article subsequently published in Dutch media, researchers (from a university and a separate security firm) gathered 15,000 records in a week, complete with timestamps. Each time he did pretty much anything on the cell phone they were able to determine physically where he was. And they were able to figure out a lot about both his personal and professional life:

This is what we were able to find out from just one week of metadata from Ton Siedsma's life. Ton is a recent graduate in his early twenties. He receives e-mails about student housing and part-time jobs, which can be concluded from the subject lines and the senders. He works long hours, in part because of his lengthy train commute. He often doesn't get home until eight o'clock in the evening. Once home, he continues to work until late.

His girlfriend's name is Merel. It cannot be said for sure whether the two live together. They send each other an average of a hundred WhatsApp messages a day, mostly when Ton is away from home. Before he gets on the train at Amsterdam Central Station, Merel gives him a call. Ton has a sister named Annemieke. She is still a student: one of her e-mails is about her thesis, judging by the subject line.

They were able to determine what kind of silly viral videos Siedsma had been watching and what sort of companies were sending him email newsletters offering deals (apparently some folks don't automatically opt out of those). From the data they were able to determine that Siedsma worked as a lawyer for Bits of Freedom. They were able to make a fairly good estimate of what sort of issues he handles for the organization and what he does for the Bits of Freedom website.

In response to the "So what?" crowd there's more to be concerned about. Because Bits of Freedom is a politically involved organization, access to Siedsma's metadata provides a window into what Siedsma and his co-workers are doing that would be of interest to those in government who may see the group as adversaries. Researchers discovered an active e-mail thread with the subject title "Van Delden must go," referring to the head of the chairman of a Dutch intelligence supervisory body. They can see which members of parliament the Siedsma has contacted to discuss issues related to international trade agreements. They can see that he is likely a supporter of the Dutch "green left" party on the basis of him receiving e-mails from them at a private address, not as part of his political work. They could see which journalists he has been corresponding with via e-mail. All of this information has all sorts of potential to be abused politically.

And, they figured out how to hack his other accounts to get even more information about him:

The analysts from the Belgian iMinds compared Ton's data with a file containing leaked passwords. In early November, Adobe (the company behind the Acrobat PDF reader, Photoshop and Flash Player) announced that a file containing 150 million user names and passwords had been hacked. While the passwords were encrypted, the password hints were not. The analysts could see that some users had the same password as Ton, and their password hints were known to be 'punk metal', 'astrolux' and 'another day in paradise'. 'This quickly led us to Ton Siedsma's favourite band, Strung Out, and the password "strungout",' the analysts write.

With this password, they were able to access Ton's Twitter, Google and Amazon accounts. The analysts provided a screenshot of the direct messages on Twitter which are normally protected, meaning that they could see with whom Ton communicated in confidence. They also showed a few settings of his Google account. And they could order items using Ton's Amazon account – something which they didn't actually do. The analysts simply wanted to show how easy it is to access highly sensitive data with just a little information.

Read the Dutch report here.

(Hat tip to TechDirt)