MetadataMetadata is “data about data”. Security wise metadata is important for us in two ways:
1 - Metadata about a communication.
2 - Metadata about a computer document.
Metadata about a communicationWe can say that in a communication the data is the content of that communication, for instance
what you say over the phone, the metadata would be the data describing who was involved in
that phone call, how long it was, the time the communication started etc. That information usually
is used by the by the provider for billing purposes and by the government to keep track of what
you do and with whom you communicate.
Thanks to Snowden leaked documents was known an order from the Foreign Intelligence Surveillance
Court (or FISC) that directs Verizon to provide “on an ongoing daily basis” all call records for any call
“wholly within the United States, including local telephone calls” and any call made “between the
United States and abroad.”
Government officials claimed that they weren’t listening to your calls but “just analyzing the metadata”,
in a great article the EFF shows that metadata isn’t trivial, just check these examples:
- They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. But they don't know
what you talked about.
- They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the
call remains a secret.
- They know you spoke with an HIV testing service, then your doctor, then your health insurance company
in the same hour. But they don't know what was discussed.
- They know you received a call from the local NRA office while it was having a campaign against gun legislation,
and then called your senators and congressional representatives immediately after. But the content of those
calls remains safe from government intrusion.
- They know you called a gynecologist, spoke for a half hour, and then called the local Planned Parenthood's
number later that day. But nobody knows what you spoke about.
Same happens when you use email, even using end-to-end encryption, metadata is available and it reveals
with whom you are communicating.
Sadly there isn’t a easy way to solve those issues, you can use discardable phones and email accounts.
Metadata about a computer documentMost computer documents, like images, word files, .ppt presentations etc; besides its contents include
information about the time they were created, the device that created them and its configuration, some
phones even included the GPS coordinates of pictures they took.
A few years ago, when IPhones just appeared, Hollywood stars noticed that paparazzis found them
everywhere, at one point they realized that it was because they were posting pictures took with their
phones on Twitter and those pictures included the GPS coordinates of the place they were took, so
paparazzis extracted that info and ran to there to get an exclusive picture.
Because of that, most Internet sites started cleaning up the metadata contained in pictures and some other
multimedia documents, known as EXIF data, but you shouldn’t trust in that, you should be cleaning the metadata
yourself, check your phones and turn off “geotagging”.
Documents created with Microsoft Office include metadata about who created or modified them and when, analyzing
them is a technique used by hackers to identify usernames inside a corporate network. The Microsoft’s competitors
“Office suites” behave the same way.
There are some online tools that allow you to view documents metadata, for pictures you can use
http://metapicz.com and to analyze documents
http://www.informatica64.com/foca/.Also to be sure you’re not leaking your identity, or little clues that could end up acting as a fingerprint you should
be cleaning up the metadata yourself, or avoid using documents that contain metadata. For instance is best to
exchange plain text files than Word documents.
Also, .pdf documents are the worst, you shouldn’t use them if possible, because they use an scripting language can
be exploited, there are many documented attacks using .pdf files.
Depending on your operating system there are many tools to clean up metadata, here are just a few of them:
Windows: http://www.thewindowsclub.com/office-metadata-cleaner-cleanup-toolLinux: https://mat.boum.org/Mac: Sorry I can’t find shit for Mac, except for people asking why would you like to do that...Please tell me if you find a nice tool.
Here is a nice list of incidents due leaked metadata:
http://www.digitalconfidence.com/the-importance-of-using-metadata-removal-software.htmlAnd for the tl:dr; guys:
Practice1 - Check a few of your files for metadata using the online resources I shared with you.
2 - Install one of the metadata removal tools and clean up a picture metadata.
3 - Start using plain text documents whenever is possible.