The Devil is in the Detail: What your Metadata Says about You

Imagine the following scenario: the CEO of your company and the CEO of another company in the same industry have been engaging in cell phone conversations over the last two weeks.

A couple of the conversations took place over a weekend, even while your CEO was away with his family. More recently, other executives in your company started engaging in conversations with their counterparts, at the other company, with some of the conversations taking place at night, well after business hours.

Two days ago, your CEO and CFO participated in a conference call with the partner of a major law firm and a prominent investment banker. Yesterday morning the CEO of the other company engaged in a series of calls with members of the company’s Board of Directors. Yesterday afternoon, he called an investment banker and they spoke for 75 minutes.

The information about communications above does not include a single word said in any of these conversations. All you know is who is speaking with whom, who called whom, when they spoke, where they were located and how long they spoke. Additional data revealed includes the sequence of the conversations and how they flow and spread over time, for example when the conversations with Board members, lawyers and bankers took place.

It is abundantly clear that a great deal of knowledge can be gleaned from this scenario even though no information about the content of the discussions themselves was divulged and all participants were discreet and careful not to share information with anyone not included.

Is the information described above of value to your competitors?

All the competitive intelligence gathered in this story is based solely on the aggregation, analysis and use of metadata.

What is Metadata?

Metadata is defined as, “data about data.” It is the data that provides information about data in order to make it useful. While the term metadata has become more prominent in our lexicon in the digital age, a classic example is a library card catalog, which contained metadata about the books in the library such as the author, title, genre and where to find the book. It was far more practical to browse through the card catalog than search the entire library for a single book. The same concept applies to digital information today, however the quantity and type of digital metadata generated and collected is far larger, diverse, detailed, precise, and far more personal.

If metadata only divulges simple descriptive details, why are so many government organizations all over it? Why do intelligence agencies and law enforcement fight for the right to access metadata? Why are privacy and watchdog organizations concerned about the invasions of privacy? What makes metadata so valuable that providers like AT&T are selling it?

Clearly while many believe that it’s ‘just metadata,’ a significant amount of information can be gleaned from the metadata – the details about the data, without reference to the actual data.

Uses of Metadata

A common use of metadata is to enable targeted advertisements on social media, in browsers, and other Websites. It is common practice for companies, such as Facebook, Google and others to utilize metadata for corporate marketing. They monitor online and mobile activity by collecting and analyzing our calls, texts, chats, websites visited, posts, likes, purchases, comments, articles read, our friends, their activities and much more. For each and every one of us, these providers create a detailed persona including family (both immediate and distant), sex, friends, religious affiliation, where we live, where and when we vacation, medical history and other personal information.

This metadata is collected and analyzed to create accurate digital representations of us, so that they can provide relevant advertisements to sell goods and services. And, while the knowledge that companies know so much about us may be disturbing to some, a great many find the convenience and value provided by companies like Google, Facebook and others to be worth the trade-off.

But what about other uses of metadata?

Other (non-Innocuous) Uses for Metadata

What if the mobile communications metadata of government officials could be tracked? What about police? Military? Regulators at the SEC? IRS? The metadata – including records of communication flows, who is talking to whom, when, for how long reveals a tremendous amount about operations.

Corporate espionage is a problem that has been with us for decades. According to a recent Harvard Business Review article, a study of the archives of the East German Ministry for State Security (commonly known as the “Stasi”) revealed the former communist agency realized significant economic returns for East Germany from the Stasi’s industrial espionage operation during the 1960s, 1970s and 1980s – so much so that espionage was seen as more cost-effective than conducting original R&D.

Globally, we are likely experiencing the same phenomenon today, only on a much larger scale. Certainly we hear a good amount about the Chinese conducting corporate espionage and the benefit of stealing intellectual property, trade secrets and other confidential business information from American companies. But the threat is not just China, and the prevalence of corporate espionage is a large and rapidly growing problem. While the issue is compounded with international competitors that may be supported by their local government, companies engage in a wide range of actions to gain advantage over their competitors. The scenario at the beginning of this article did not include the theft of intellectual property, yet revealed valuable information based on metadata alone that could be used perhaps to manipulate markets, change competitive dynamics, influence customers and more.

Within businesses, metadata may provide insight into corporate strategies, such as mergers and acquisitions. Every day business leaders engage in a broad range of sensitive conversations that should be protected, including perhaps the conversation metadata. What about the metadata from conversations between a company and its regulators? Could the metadata indicate that the company may be under investigation? A spike in communications between employees of an industrial company working at a specific facility and executives at headquarters can have many important implications. Access to and analysis of the metadata of employees working on a pipeline, a mine or a refinery, could perhaps provide others with valuable business information about activity that the company may want to manage or contain. Access to the metadata from conversations between sales people and prospective customers can tip off competitors. With metadata that provides insight into executives of an automobile maker engaging in conversations with government officials in one country or another; one could easily piece together enough information to understand that they may be building a factory in one location as opposed to another.

The availability of unencrypted metadata is an issue that grows in scale as we continue to utilize more digital devices including cellphones, computers, tablets and others. All digital interactions are associated with metadata, and while the metadata doesn’t provide the content of the interaction, it provides all the details surrounding the interaction. By piecing together metadata from various types of events including phone calls, text messages, emails, websites visited and others; government organizations, competitors, criminals and hackers can gain significant insight into our activities and plans.

Concerned about your business’s metadata? TrustCall On-Prem provides full control of all data and metadata so that no one no one other than your organization administrators can access it.

Originally published in (IN)SECURE Magazine and HelpNetSecurity, republished with permission.

Elad Yoran

Elad serves as Executive Chairman of KoolSpan and CEO of Security Growth Partners. His cyber experience spans executive leadership, several-time successful entrepreneur, investor, and advisor. He is an advisor at the Army Cyber Institute (ACI), director of the Cloud Security Alliance New York Chapter, and previously on the FBI IT Advisory Council. Elad authored the Internet Security Threat Report, briefed to Congress and was recognized as “Entrepreneur of the Year” by E&Y. His entrepreneurial experience includes Riptech, a managed security services firm acquired by Symantec; MediaSentry, a provider of anti-piracy technology acquired by SafeNet; Sentrigo, a database security firm acquired by McAfee; and Vaultive, a cloud encryption company. Elad was also a strategic investor/advisor to NetWitness (acquired by RSA), ThreatGrid (acquired by Cisco), and Insightix (acquired by McAfee). Elad also served as VP Global Business Development at Symantec. He served as a US Army officer and is a veteran of Operation Restore Hope in Somalia. Elad is a graduate of the Wharton School and West Point. Elad also serves as Director at Infinidat and Red Owl Analytics.