The Devil is in the Detail: What your Metadata Says about You

Imagine the following scenario: the CEO of your company and the CEO of another company in the same industry have been engaging in cell phone conversations over the last two weeks.

A couple of the conversations took place over a weekend, even while your CEO was away with his family. More recently, other executives in your company started engaging in conversations with their counterparts, at the other company, with some of the conversations taking place at night, well after business hours.

Two days ago, your CEO and CFO participated in a conference call with the partner of a major law firm and a prominent investment banker. Yesterday morning the CEO of the other company engaged in a series of calls with members of the company’s Board of Directors. Yesterday afternoon, he called an investment banker and they spoke for 75 minutes.

The information about communications above does not include a single word said in any of these conversations. All you know is who is speaking with whom, who called whom, when they spoke, where they were located and how long they spoke. Additional data revealed includes the sequence of the conversations and how they flow and spread over time, for example when the conversations with Board members, lawyers and bankers took place.

It is abundantly clear that a great deal of knowledge can be gleaned from this scenario even though no information about the content of the discussions themselves was divulged and all participants were discreet and careful not to share information with anyone not included.

Is the information described above of value to your competitors?

All the competitive intelligence gathered in this story is based solely on the aggregation, analysis and use of metadata.

What is Metadata?

Metadata is defined as, “data about data.” It is the data that provides information about data in order to make it useful. While the term metadata has become more prominent in our lexicon in the digital age, a classic example is a library card catalog, which contained metadata about the books in the library such as the author, title, genre and where to find the book. It was far more practical to browse through the card catalog than search the entire library for a single book. The same concept applies to digital information today, however the quantity and type of digital metadata generated and collected is far larger, diverse, detailed, precise, and far more personal.

If metadata only divulges simple descriptive details, why are so many government organizations all over it? Why do intelligence agencies and law enforcement fight for the right to access metadata? Why are privacy and watchdog organizations concerned about the invasions of privacy? What makes metadata so valuable that providers like AT&T are selling it?

Clearly while many believe that it’s ‘just metadata,’ a significant amount of information can be gleaned from the metadata – the details about the data, without reference to the actual data.

Uses of Metadata

A common use of metadata is to enable targeted advertisements on social media, in browsers, and other Websites. It is common practice for companies, such as Facebook, Google and others to utilize metadata for corporate marketing. They monitor online and mobile activity by collecting and analyzing our calls, texts, chats, websites visited, posts, likes, purchases, comments, articles read, our friends, their activities and much more. For each and every one of us, these providers create a detailed persona including family (both immediate and distant), sex, friends, religious affiliation, where we live, where and when we vacation, medical history and other personal information.

This metadata is collected and analyzed to create accurate digital representations of us, so that they can provide relevant advertisements to sell goods and services. And, while the knowledge that companies know so much about us may be disturbing to some, a great many find the convenience and value provided by companies like Google, Facebook and others to be worth the trade-off.

But what about other uses of metadata?

Other (non-Innocuous) Uses for Metadata

What if the mobile communications metadata of government officials could be tracked? What about police? Military? Regulators at the SEC? IRS? The metadata – including records of communication flows, who is talking to whom, when, for how long reveals a tremendous amount about operations.

Corporate espionage is a problem that has been with us for decades. According to a recent Harvard Business Review article, a study of the archives of the East German Ministry for State Security (commonly known as the “Stasi”) revealed the former communist agency realized significant economic returns for East Germany from the Stasi’s industrial espionage operation during the 1960s, 1970s and 1980s – so much so that espionage was seen as more cost-effective than conducting original R&D.

Globally, we are likely experiencing the same phenomenon today, only on a much larger scale. Certainly we hear a good amount about the Chinese conducting corporate espionage and the benefit of stealing intellectual property, trade secrets and other confidential business information from American companies. But the threat is not just China, and the prevalence of corporate espionage is a large and rapidly growing problem. While the issue is compounded with international competitors that may be supported by their local government, companies engage in a wide range of actions to gain advantage over their competitors. The scenario at the beginning of this article did not include the theft of intellectual property, yet revealed valuable information based on metadata alone that could be used perhaps to manipulate markets, change competitive dynamics, influence customers and more.

Within businesses, metadata may provide insight into corporate strategies, such as mergers and acquisitions. Every day business leaders engage in a broad range of sensitive conversations that should be protected, including perhaps the conversation metadata. What about the metadata from conversations between a company and its regulators? Could the metadata indicate that the company may be under investigation? A spike in communications between employees of an industrial company working at a specific facility and executives at headquarters can have many important implications. Access to and analysis of the metadata of employees working on a pipeline, a mine or a refinery, could perhaps provide others with valuable business information about activity that the company may want to manage or contain. Access to the metadata from conversations between sales people and prospective customers can tip off competitors. With metadata that provides insight into executives of an automobile maker engaging in conversations with government officials in one country or another; one could easily piece together enough information to understand that they may be building a factory in one location as opposed to another.

The availability of unencrypted metadata is an issue that grows in scale as we continue to utilize more digital devices including cellphones, computers, tablets and others. All digital interactions are associated with metadata, and while the metadata doesn’t provide the content of the interaction, it provides all the details surrounding the interaction. By piecing together metadata from various types of events including phone calls, text messages, emails, websites visited and others; government organizations, competitors, criminals and hackers can gain significant insight into our activities and plans.

Concerned about your business’s metadata? TrustCall On-Prem provides full control of all data and metadata so that no one no one other than your organization administrators can access it.

Originally published in (IN)SECURE Magazine and HelpNetSecurity, republished with permission.

Elad Yoran

Elad Yoran is Executive Chairman of KoolSpan, CEO of Security Growth Partners (SGP) and Associate Adjunct Professor at Columbia University School of International and Public Affairs (SIPA). He is a 20+ year cybersecurity executive and entrepreneur, among other things having founded and led many foundational cyber companies. He serves as director at Infinidat as well as on several government and industry boards including the Army Cyber Institute, the Cloud Security Alliance, and previously, the FBI IT Advisory Council. Elad is the author of many articles going back to the original Internet Security Threat Report research papers. Elad’s cybersecurity entrepreneurial experience, for which he was honored as “Entrepreneur of the Year” by E&Y, includes Riptech, acquired by Symantec; MediaSentry, acquired by SafeNet; Sentrigo, acquired by McAfee; Vaultive, acquired by CyberArk and others. Previously, Elad served as VP Global Business Development at Symantec. In addition, Elad was a strategic investor and director/advisor to Red Owl Analytics, acquired by Forcepoint; NetWitness, acquired by RSA; ThreatGrid, acquired by Cisco; and Insightix, acquired by McAfee. Previously, Elad served as a US Army officer and is a veteran of Operation Restore Hope in Mogadishu, Somalia. He is a graduate of the Wharton School and West Point.