Monday, March 9, 2015

The case against Metadata panic

Ever since Edward Snowden started releasing his documents, people have been going on about the fact that Intelligence agencies are tracking communications Metadata pretty much completely, and how we have to worry about this.

Well, guess what - I don't, at least not to the extent some people do.

Let's have a look at what Metadata is... it's where you browse to, who you send emails to, who you call, who calls you, who sends emails to you, where you are at that time, and of course at what time it happens.

From this, they can deduce certain stuff about you - like what you're interested in (from your browsing history - yes, even if you switch on anonymous mode before going to Pornhub), who your friends and colleagues are... that's most certainly all true.

However, some people see this as a reason to try and avoid producing all that Metadata altogether. Which is a) pretty much impossible, and b) not really necessary...

As for a:
You can't really avoid leaving a data trail about who you communicate with unless you're willing to wait a long time for a reply - when you make a phone call, you expect the phone on the other side to ring immediately. So anybody tracking your call will see an outbound call on your side, and an inbound call at the same time on the other side - it doesn't take a genius to correlate that data. Systems that promise to "hide" your metadata simply add a machine in the middle - so anybody tracking you will see you're calling a gateway machine, and they won't know who you're calling. Right? Wrong... they can try and correlate from the outbound connections of this machine, or they just subpoena its logfiles. Same for text messaging - yes, you could switch from using SMS to using a system like TextSecure or WhatsApp, but that doesn't mean nobody can track who you're talking to... in fact, the number of people who CAN track you merely grows, because it now also contains the people who run that system that's supposed to hide your tracks.

For web browsing, systems like Tor exist, which aren't perfect but a bit better... but the reason they're so slow is that on every step of the way, a tiny random amount of time is added to make sure nobody can just tell which connection in is linked to which connection out. The same is true of Mixmaster remailers. The absolutely safest way to send a message is also the slowest... it's sending an anonymous newsgroup message via Mixmaster. That way, all somebody can see is you sending out some emails to remailers. Some time later, a message will show up in a group like alt.anonymous.messages that the whole world can read (so don't forget to encrypt it - but NOT to a known public key...). Loads of people will download the message, along with hundreds of others, to their machine, but only one person will know which message is addressed to him or her. This avoids producing useful Metadata, but obviously has a LONG delay.
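The trade-off in point a, as an added example that is not part of the original post: it counts how many recipients an outside observer still has to consider for each sender, first behind a low-latency gateway and then behind a relay that holds messages back. The names, timings and the batch-of-three relay are constructed assumptions, and batching stands in here for the delay the post describes.

```python
# Constructed sample: (sender, recipient, time the message reaches the relay, in seconds).
# This is also exactly what the relay's own log would hold.
SENT = [("alice", "bob", 0.0), ("carol", "dave", 2.0), ("erin", "frank", 4.0),
        ("grace", "heidi", 6.0), ("ivan", "judy", 8.0), ("mallory", "niaj", 10.0)]

def gateway(sent, latency=0.05):
    """Low-latency gateway: each message leaves `latency` seconds after it arrives."""
    return [(rcpt, t + latency) for _, rcpt, t in sent]

def batching_relay(sent, batch=3):
    """Hold messages until `batch` have arrived, then release them at the same
    moment, ordered by recipient name so arrival order is not preserved."""
    out = []
    for i in range(0, len(sent), batch):
        group = sent[i:i + batch]
        flush = max(t for _, _, t in group)
        out += [(rcpt, flush) for rcpt in sorted(r for _, r, _ in group)]
    return out

def candidates(sent, observed, max_wait):
    """Outside observer's view: for each sender, every recipient whose delivery
    falls within `max_wait` seconds after that sender's message went in."""
    return {sender: {r for r, t_out in observed if t_in <= t_out <= t_in + max_wait}
            for sender, _, t_in in sent}

def set_sizes(sent, observed, max_wait):
    """Number of possible recipients per sender (1 means the link is exposed)."""
    return {s: len(c) for s, c in candidates(sent, observed, max_wait).items()}

if __name__ == "__main__":
    print("gateway :", set_sizes(SENT, gateway(SENT), max_wait=0.1))
    print("batching:", set_sizes(SENT, batching_relay(SENT), max_wait=4.0))
```

The gateway leaves one candidate per sender, while the batching relay leaves three at the cost of up to four seconds of delay; in both cases the relay's own log still holds the full mapping.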

As for b:
Think about it - who do you communicate with, and what exactly is it you're trying to hide? You call your mother every Friday evening - you don't want somebody to listen in, but you probably don't care if people know you call your mom. You call your coworkers, get calls from your boss - again, the contents of the calls are confidential, but the identity of the people?

Tracking Metadata is a great way for Intelligence agencies to discover networks of people - who calls whom, how often, who initiates the call. That way, they deduce organisational structures. But if they want to find out who you work for, they may just as well look at your LinkedIn profile, or steal the org chart you emailed to somebody. Your friends all use Facebook, you have their contact data stored in your phone... so their identity again is very often known already.

You may want to hide your communications frequency... but why bother, really? Apart from that warm and fuzzy feeling of showing the NSA who's the boss (assuming that you actually DO manage it, see a)...), what do you gain? Intelligence agencies track the frequency and length of encrypted messages to deduce intentions - a sudden rise in communication can mean a group of people is up to something and they're involved in planning discussions. A sudden drop means they're done with planning and are getting ready to execute the plan - or that they had a flaming row and went their separate ways. That's the sort of information you gain from communications analysis - patterns that are stable for some time, but then something changes. It's the stuff that's out of the ordinary that will stand out... so your ordinary communications with friends will just be background noise anyway. A call to the suicide prevention hotline will stand out like a sore thumb - but to what lengths do you want to go with your daily routines just to hide a call you may never make? Easy workaround: If you need to make a phone call out of the ordinary, use a payphone (and switch off your mobile phone while walking there, as it would track your location to the payphone ;-))

If you actually WANT to plan something nefarious and want to avoid this whole problem - that's even easier, just use proper OPSEC: Send the same amount of data, to the same address, every day, at the same time, whether you have something to say or not. Again, it makes for slower communications, but it will make for a daily routine that betrays nothing. Send an encrypted file of 10MB twice a day to a mailing list, and all everybody will know is that you send an encrypted file of 10MB twice a day to a mailing list - Metadata, Schmetadata...
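How volume analysis and fixed-rate sending interact, as an added example that is not part of the original post: a simple change detector run over daily message counts, then over the same traffic sent at a constant rate with dummy filler. The daily counts, the three-day window, the factor of two and the five slots per day are all constructed assumptions.

```python
# Constructed sample: real messages a user wants to send on each of 12 days
# (steady routine, then a burst, then silence).
REAL = [3, 4, 3, 3, 4, 3, 9, 10, 9, 0, 0, 0]

def flag_changes(series, window=3, factor=2.0):
    """Observer's view: flag days whose volume is more than `factor` times, or
    less than 1/`factor` of, the mean of the previous `window` days."""
    flagged = []
    for day in range(window, len(series)):
        base = sum(series[day - window:day]) / window
        if series[day] > factor * base or series[day] < base / factor:
            flagged.append(day)
    return flagged

def constant_rate(real, slots):
    """Send exactly `slots` fixed-size messages per day: queued real messages
    first, dummies for the rest. Real messages beyond `slots` wait in a backlog.
    Returns per-day lists: (observable volume, dummies sent, backlog left)."""
    backlog, sent, dummies, waiting = 0, [], [], []
    for wanted in real:
        backlog += wanted
        used = min(backlog, slots)
        backlog -= used
        sent.append(slots)            # what an observer can count
        dummies.append(slots - used)  # filler that carries no content
        waiting.append(backlog)       # the cost: delayed real messages
    return sent, dummies, waiting

if __name__ == "__main__":
    sent, dummies, waiting = constant_rate(REAL, slots=5)
    print("flags on raw traffic   :", flag_changes(REAL))
    print("flags on padded traffic:", flag_changes(sent))
    print("dummies sent:", sum(dummies), "| worst backlog:", max(waiting))
```

The burst and the silence are flagged in the raw series and invisible in the padded one; the price shows up as the backlog of real messages waiting for a free slot.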

But don't bother hiding your Metadata when calling your mom - whoever is watching will KNOW who you're talking to Friday evening at 19:00 precisely...
