Crime fans know the scene from many films: suspects are caught by tracing telephone calls. The investigators use metadata for this, which provides information on who is communicating with whom and when. Even in secure communication, this metadata is more easily accessible than expected.
Metadata is structured data that describes other data – in a sense, data about data. It contains important information about websites or even pictures and videos, including the place and time of a recording. Metadata is also used in software development, for example, where it can describe various processing rules and programming instructions that are used to implement more complex applications. In the example of telephone usage, metadata describes who communicated with whom and when. It is important to note that metadata alone does not provide any information on the exchanged content.
No Protection Through End-To-End Encryption
Depending on the area of application, it can make sense to capture metadata. In the case of messaging services, among other things, it ensures that the service functions. Many therefore assume that metadata is encrypted and thus protected to a similar extent as the message content itself. However, this is often a fallacy, since the end-to-end encryption commonly used does not cover metadata. Therefore, both messaging providers and, in some cases, third parties can read and analyze it.
Such analyses can be put to many uses, for example, to reconstruct groups of friends and acquaintances. Daily routines can also be traced. The time of the first message sent each day indicates when the user gets up. If a messenger logs in from Monday to Friday via the IP address of the same company, this is almost certainly the employer. This is no illusion, but is backed up by scientific evidence: in a study, researchers from Ulm reconstructed daily routines, including deviations, from the presence status on WhatsApp alone, and at the same time disclosed who was in contact with whom at what time.
The obvious question is: how can such conclusions be prevented from the outset? Certain critical data is essential in chat messaging. This includes the sender, the recipient, and the times of sending and receiving. Can metadata be dispensed with here? No, but the amount of metadata can be reduced. Furthermore, access to it can be limited, and its combination with other (meta)data can be prevented.
Approaches To Protecting Metadata
There are several approaches to protecting metadata. First and foremost, “Sealed Sending” should be mentioned here. Messages can be sent without the sender being identified – practically a digital equivalent of a letter with an empty sender address. However, even with this method, metadata can be read out under certain circumstances, so conclusions about the person cannot be completely ruled out. If the IP address is read out, it is possible to trace who is communicating with whom. For example, if IP 1 sends 5,372 bytes to a messenger server and the server forwards 5,372 bytes to IP 2 immediately afterwards, IP 1 is likely in contact with IP 2.
But this is not the only reason why IP addresses are problematic. They can also often be assigned to a fixed geographical area and thus narrow down the potential whereabouts to a certain extent. Messenger services pass this information on to the provider – possibly also to service providers.
If the metadata protection provided by “Sealed Sending” is insufficient, further measures can be taken. These include messenger services that anonymize the IP addresses involved when exchanging messages. However, this variant does not offer absolute security either, and it also harms the user experience. The reason? With this method, both the sender and the recipient must be online simultaneously to communicate with each other.
The Key: Shredding Metadata
So-called metadata shredding is recommended if neither content nor metadata is to be recognizable. This procedure protects metadata by mixing it into “anonymity sets”, which makes it unrecognizable. As a result, service providers and third parties can neither analyze activity patterns nor connect senders with the respective recipients.
In this way, the privacy of both sender and recipient is fully protected. Conclusions about the respective persons are no longer possible due to the anonymity sets. So far, providers have mainly implemented this concept for messenger services. Payment systems are a potential future application scenario. In any case, this technology has the potential to prevent conclusions from being drawn from metadata for good.
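The size-and-timing correlation from the IP 1 / IP 2 example above, and the effect of an anonymity set on it, shown as an added Python example that is not part of the original article. The flow records are constructed, and fixed-size padding with batched delivery is an assumed stand-in for shredding, whose mechanism the article does not describe.

```python
# Constructed flow records as seen next to the messenger server:
# (timestamp in seconds, direction, client IP label, bytes on the wire).
# Message content is never inspected; only metadata is used.
FLOWS = [
    (10.00, "in",  "IP1", 5372),
    (10.05, "out", "IP2", 5372),
    (10.40, "in",  "IP3", 812),
    (10.46, "out", "IP4", 812),
    (11.10, "in",  "IP5", 2290),
    (11.15, "out", "IP6", 2290),
]


def candidates(flows, window=1.0):
    """Map each sender to the recipients whose outbound flow has the same
    size and follows the inbound flow within `window` seconds."""
    result = {}
    for t_in, direction, src, size in flows:
        if direction != "in":
            continue
        result[src] = sorted(
            dst for t_out, d, dst, s in flows
            if d == "out" and s == size and 0 <= t_out - t_in <= window
        )
    return result


def pad_and_batch(flows, bucket=8192, interval=5.0):
    """Assumed mitigation: pad every message to a multiple of `bucket`
    bytes and deliver outbound traffic only at `interval` boundaries."""
    mixed = []
    for t, direction, ip, size in flows:
        padded = -(-size // bucket) * bucket      # round up to bucket size
        if direction == "out":
            t = (t // interval + 1) * interval    # hold until next batch
        mixed.append((t, direction, ip, padded))
    return mixed


if __name__ == "__main__":
    print("plain :", candidates(FLOWS))
    # The observer widens the window to the batch interval to keep up.
    print("mixed :", candidates(pad_and_batch(FLOWS), window=5.0))
```

On the plain flows every sender maps to exactly one recipient; after padding and batching each sender maps to all three recipients, an anonymity set of size 3.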