Predicting With The Spies. The Intelligence Community Wants People Good At Predicting World Events
Internet Access: A New I've Been Mugged Topic

Surprise! Metadata About Your Online Activity Reveals Where You've Been

An earlier blog post discussed the metadata associated with your mobile phone calls, and with photos and videos you upload to social networking sites. Today's post discusses what metadata about your online activity reveals.

Cyrus Farivar devised a test to learn what metadata about his online activity revealed when he logged into a website. We all do this -- log into sites to access information, to blog, to read news, and/or to post comments. When you go online, your Internet Service Provider (ISP) assigns an IP address to your computer or mobile device. When you log into a site, that site records the date and time you logged in, plus your IP address and summary data about your device (e.g., operating system, screen size) -- metadata about your online activity.

Farivar used the Ars Technica site for his test:

"For 11 days in February 2014, Ars tracked all of my logins. The working theory was that since I’m telling Ars who I am... and loading the site multiple times per day, my logins would actually give Ars a clear idea of my actions and movements."

At the end of the test, Farivar reviewed the Ars Technica server logs containing metadata about his online activity. He found:

"... it showed when I started and ended my work day... generally speaking, I was consistently online by about 7am and ended around 5pm...Second, the data showed physical places that I knew I visited in the Bay Area: a particular San Francisco office building, an Oakland café, and the University of California, Berkeley, campus... I didn’t realize that Comcast distinguishes its IP information in the hostname of business versus residential accounts. Anything that shows up as comcast.net is a residence..."

Farivar learned how much the IP address reveals when you access the Internet via WiFi or wired computer networks away from home:

"... I was logged in at a particular San Francisco IP address. Looking up that IP on myip.ms turned up not only the city, but one of two possible street addresses as well... If I was Google doing this analysis or the [National Security Agency], I would already have a large database as to what [building corresponds] to this IP address, or what all the information I know about [that IP] is... Lots of companies are already doing this, creating physical maps influenced by the location of known, fixed Wi-Fi networks."

And the goal of any surveillance entity is to link where you go with who you are:

"One thing that we know that the NSA does on their non-US wiretaps is bind usernames to cookies, so if you see a request for LinkedIn or YouTube or Yahoo, these are all sites that have user ID in the clear... This is why the NSA went after Google ad networks; they include user identification [broadcast] in the clear: ‘I am person X at this location."

Farivar concluded:

"...metadata is surveillance..."

What can consumers make of what Farivar learned? Several things:

  1. Metadata about your online activity allows companies (and governments) tracking you to deduce what specific business you visited (not online) in the physical world. Perhaps, your visit was a meal with family or friends. Perhaps, it was something else: a sales pitch, help a client fix a problem, sign a contract, or a job interview.
  2. By tracking log-in days and times, plus IP addresses, an entity can easily plot your habits and travel patterns in the physical world: where and when you go, and how long you stay there. Metadata reveals a lot about you.
  3. Consumers should think long and hard about where and when you log into the Internet from (e.g., public WiFi, supermarkets, restaurants, etc.).
  4. Consumers should think long and hard about which sites you choose to remain logged into for long periods of time. You are giving that site a clear view into your habits and travel patterns. You may or may not want to give that site so much information. Chances are, you are logged into certain sites (e.g., social networking, banking, etc.) for long periods or all day long with your mobile devices. You may not check-in at a specific location with a certain social networking site, but that social site probably collects that location data anyway.
  5. All of this provides consumers with a view of the extensive surveillance advertising networks perform for themselves and/or for government spy agencies.
  6. Any time you hear a politician or pundit claim that metadata is harmless, you now know another reason why metadata is not harmless (and to view that talking head's claims with skepticism).

Farivar also concluded that the privacy tools he uses help:

"... I run all kinds of anti-tracking software on my browser: constant private mode, Ghostery, Disconnect, and my VPN... If you have your browser set to clear cookies every time you quit, it really helps..."

The Internet has morphed into something entirely different that I expected when I started building websites in the mid 1990's. I thought that the Internet would help with the distribution of information to all consumers, and not just the wealthy. The Internet has helped the distribution of information, and then some. It has morphed into this corporate-controlled surveillance mechanism by advertising networks, companies, and governments. And that surveillance now marries together your online activity and your movements in the physical world.

Sometimes, I wish we called smart phones what they really are: pocket computers. Perhaps, we should also call these devices what they are being used for: perpetual tracking computers.

What's your view about metadata of your online activity? About surveillance by both spy agencies and advertisers?

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.