Metadata and Privacy
In terms of surveillance, metadata is more valuable than the contents of your communication. Think of the contents of your communication as the contents of all the books in the Library of Congress. To process that load of data, any surveillance agency would need a Terminator-level AI, which is not here yet, or a billion humans to manually process the terabytes of bulk data collected daily.
Metadata, on the other hand, is like the index of all the books in the Library of Congress. It tells everything about who talks to whom, when and how often, and where they are, as well as who else is in their contact circles.
Metadata in the image you upload to Facebook reveals the location where it was taken, the make and model of the device you used to take the picture, when it was taken, as well as who is in the picture (because of the facial recognition used by Facebook, and many other social networks).
Chat messages in WhatsApp reveal who you’re talking to, how often, where you are, and how many people you know in common. Combine that with the fact that WhatsApp shares information with Facebook, and your two accounts are tagged as belonging to the same person.
Combine that with the fact that WhatsApp is closed-source, proprietary code, and independent audits cannot confirm there are no backdoors built into the system, and the private messenger no longer seems private or secure.
WhatsApp Tracks Metadata (+ other security issues)
In terms of cataloging, analyzing and processing the collected data, metadata is the gold mine of surveillance.
Useful Reading: Metadata = Surveillance, Schneier on Security
So, how do you protect your metadata?
Second, use metadata-respecting apps.
Third, clean metadata from the files you intend to share. Here is a brief guide:
• Remove metadata from Office files, PDFs, and images
• The simplest way to strip your photos of metadata is to use any free, open-source image editor, like XNView for example, and to batch-convert your images to PNG format, which strips metadata.
• To remove metadata from a document in Windows, right-click on a file → select Properties → Details → Remove properties and personal information → Remove the following properties from this file → Select All → Accept.
Smart devices add more comfort to our daily life – smart door locks, smart cars, smart thermostats, smart TVs, fridges, smartwatches, smart coffee machines, whatnot. Several startups are working on smart mirrors like those you could see in the Extant TV show. Smart devices, also dubbed the Internet of Things, are connected to the Internet, their manufacturers, the developers of their software, marketing and big data analyzing agencies, and perhaps a few malicious parties intercepting the loads of unencrypted data.
The problem with IoT is:
• lack of security patches when flaws are encountered.
• lack of a centralized system to deliver security updates to all consumers.
• lack of security protocols including encryption.
• high fragmentation.
• recently launched devices soon become obsolete, and manufacturers quit supporting them and releasing updates.
• IoT devices often get connected to the network with extensive access rights, which makes them potential targets for exploits in attacks against the system.
• users do not bother to change the poor default settings.
• they spy on their users.
• they engage in user tracking.
• they send loads of data to manufacturers.
Smart TVs and smart cars are perhaps the worst. Smart TVs literally listen to what is happening in your home, and send the information about your preferences, how you react to ads, and your voice searches to manufacturers. Smart cars log your location, speed, diagnostics of your car, and transmit that data to your insurance company – just in case you claim your insurance.
Bruce Schneier takes the problem of poor security, and thus zero privacy, in the Internet of Things to the next level by shedding some light on the audio beacons and cross-device tracking, which he calls “the latest obsession” for Internet marketers.
An Indian startup, SilverPush, embeds inaudible audio beacons in websites you visit and TV commercials. The beacons activate the inbuilt software component in your devices (computers, smartphones and tablets), which makes your devices ping back to SilverPush and report about the devices found in your household. SilverPush is not alone in this business, and tech giants along with a dozen smaller companies are working on the solutions to harvest that data and analyze it.
Retailers are willing to pay generously for this information, since it gives them unique insight into people’s shopping behavior. They want to know if you googled their products after you’ve watched their ads on TV. They want to know where geographically you are to send you ads upon which you are most likely to act. The unprecedented surveillance capabilities of your smartphones and tablets grouped with the data from your smart domestic appliances create a map of your life and shopping behavior.
Now think of the tracking capabilities of your smartwatch. Health conditions, med tracking apps, location, addictions – your medical history does not just stay on your smartwatch and the paired smartphone. It travels on.
Runkeeper recently got bashed by Norwegian authorities for tracking its users even when they were not using the health tracking app, and transmitting the information to ad agency servers in the US. The company said it was a “bug” and apologized, but the truth is the number of apps tracking you in stealth mode when you’re not actively using them is huge. We have yet to see cybersecurity researchers publish the list, but Edward Snowden’s files explicitly named popular mobile games like Angry Birds and Subway Surfers as the NSA’s source of intel on large numbers of mobile users.
Useful reading: The Internet of Things that Talk About You Behind Your Back, Schneier on Security
The recommendations to limit the damage are:
• Never leave the default settings of your newly acquired IoT products on – always change passwords, enable two-step authentication when possible, enable encryption if supported.
• Disconnect when possible. This seems like a paranoid suggestion, but when you realize the scale of surveillance that’s happening right here in your household or your car, you might realize an analog watch was far better than your Apple Watch.
• Restrict sharing and mirroring capabilities in your devices, ensure the passwords are strong, monitor the network.
Common sense tips.
Once you understand surveillance is the business model of the Internet, you can make more or less informed choices about your online behavior, and shopping preferences. Refraining from self-harm online is like steering clear of junk food, so once you are familiar with the modus operandi of the ad agencies and other data mining actors, you will know how to look for the solutions to stop them from abusing your privacy.
The important thing is to understand that privacy online is not a goal in itself. It’s a non-stop process of self-improvement, self-education, and growing cybersecurity awareness. New threats emerge every day, so you can’t just install Tor and think you’re done. Of even greater importance is to ensure the younger generations grow up with an understanding of the nature of things on the Internet and in IoT, and learn how to protect their privacy. Otherwise, Edward Snowden will be right:
A child born today will grow up with no conception of privacy at all. They’ll never know what it means to have a private moment to themselves, an unrecorded, unanalyzed thought. And that’s a problem because privacy matters; privacy is what allows us to determine who we are and who we want to be.
Below is a short roundup of privacy and security tips that will help you protect your privacy online.
• Don’t use public Wi-Fi. Don’t use WiFi aboard airplanes.
• Store highly sensitive data on external drives that cannot connect to the Internet on their own.
• Don’t overindulge in connected IoT things.
• Always log out from all your accounts, and close the browser instances.
• Clean temporary files and cookies.
• Have antimalware and antispyware tools installed (SpyBot Search & Destroy, Malwarebytes).
• Use anti-keyloggers and virtual keyboards for password input (Zemana Antilogger, Oxynger KeyShield, KeyScrambler).
• Consider researching a service provider before entrusting your personally identifiable data to them.
• See the devices connected to your home network (a brief guide on how).
• Don’t use the same credentials for different accounts, don’t cross-reference accounts, don’t use the same browser instance for different accounts.
• Stop being addicted to documenting your life on social networks – you’re compromising your very own security and privacy by over-sharing your private information with the people you barely know, ad agencies, tech corporations and hackers looking to steal your identity or credit card information.
• Backups prevent major data loss in case of ransomware or any technical failure. Do local backups as opposed to cloud backups. At least, do the backup of your encrypted password database.
• Explore cryptocurrencies like Bitcoin for anonymous online payments. Bitcoin, the gold of the Internet and the cloud money, lets you buy things online anonymously without revealing your identity. Check out Coinbase, which is a bitcoin wallet and supports transactions with bank accounts. There is a multitude of mobile apps, wallet apps, mobile wallet devices, and online wallet providers.
• Don’t use mainstream mobile apps like WhatsApp, Viber, Facebook Messenger, Google Hangouts, or Skype for sensitive communications.
• Ditch the habit of trading your privacy for a “free” service or product. It’s never free. In this equation, your data is the price you pay. If you don’t value it, why blame it on Google or Facebook for treating it like recyclable plastic?
Alternative privacy-focused devices
Purism Librem tablet ($599-$999) – runs open-source software, PureOS 3.0 Linux, with Tor, HTTPS Everywhere, and the ad blocker Privacy Badger bundled. Future integration of Qubes OS is possible.
Blackphone is a relatively expensive phone from Silent Circle, endorsed by Snowden. It offers a secure operating system, runs Internet through a VPN (to hide the user’s IP address and encrypt their Web traffic) and end-to-end encryption for calls and messages sent to other Blackphones.
Boeing Black Smartphone (~$629) – comes from aerospace giant Boeing, offers trusted data transmission for classified and unclassified networks. Based on Android, Boeing Black is considered a Fort Knox for your data.
Teorem and Teopad – known to be favored by the French president and the French intelligence, Teorem secures phone calls and messages and notifies you if a call or message is not secure. Strong encryption (AES 128 or 256 bits), PIN code, plus virtual or hardware-enabled security measures, anti-rooting, integrity check, TLS data exchange protection, SIP-TLS and SRTP voice call protection, remote wipe, black lists and white lists of personal applications, and full user control over WiFi, Bluetooth and the Google Play store.
Turing Phone has not been released yet, but its specs suggest a one-of-a-kind experience, with a unique hardware chip dubbed Turing Imitation Key, which authenticates encryption on the device instead of relying on server authentication.
FreedomPop Privacy Phone is available for pre-order in select locations, and if you want to stay anonymous when buying it you can pay with Bitcoin. With a focus on privacy and anonymity, FreedomPop comes with 128-bit encryption for texting and calling, and anonymous Web browsing.
Anonabox ($79,99-$99,99) – privacy-focused portable plug-and-play Tor router, which changes your location, boosts your WiFi signal, encrypts your data, and lets you connect multiple devices.
Privacy IO – a list of tools, online and local, that help you protect your privacy online.
Security In A Box – comprehensive guides for beginners and savvy users on how to set up and use many of the tools we mentioned in this paper.
Schneier on Security – Bruce Schneier, expert in cybersecurity, privacy advocate.
Edward Snowden’s Twitter page
Fried on Privacy
Terms of Service – Didn’t Read – provides a brief and meaningful insight into websites’ treatment of user privacy. Has an extensive list of popular websites analyzed, and you can just paste a URL and have the website analyze it for you.