Metadata: The secret data trail

metadataEvery phone call, text message, even activated cell phones, leaves a trail of data across a network. In many cases this data is aggregated with other data and metadata including social media, web browsing, app data, GPS, shared pictures and other associated data to provide greater context. This data can then be used to fight crime and terrorism, or in the wrong hands, it can be used to facilitate a cyber attack.

Government collection and use of metadata

It is a well-known fact that law enforcement and intelligence agencies worldwide use metadata from phone calls, electronic messages, instant messages and other modes of telecommunication to carry out investigations and ultimately accomplish their missions. This “call detail record” metadata is typically recorded and stored for a limited period of time by telecom carriers and network operators (both wireless and wired) in accordance with local laws.

In countries where there is an expectation of privacy, access to this metadata requires a warrant or subpoena before law enforcement agencies are permitted to access it. In other countries, however, where there is no expectation of privacy, these networks are either operated by the government, or the government has open access to metadata collected by service providers.

In 1992, the US Drug Enforcement Agency (DEA) started collecting mass metadata of all international calls between the US and a varying list of foreign countries. After the September 11, 2001 attacks, the US FBI and NSA started collecting their own database of metadata. While the DEA and FBI/NSA bulk metadata collection programs have been terminated, law enforcement agencies in the U.S. can still obtain warrants to collect metadata with a high degree of specificity.

Despite the outcry that metadata collection and data retention laws are a threat to privacy, many national and regional governing bodies have tried to enact similar policies, including Australia, the European Union and Russia. While some policies have been withdrawn over time in response to citizen protest, the widespread practice of collecting metadata by telecommunications carriers, network service providers and government agencies continues to this day, albeit quietly with little publicity.

In many nations, law enforcement agencies need a qualified reason to access metadata and prove that the scope of data requested is the minimum amount needed for an investigation. For example, a police department could request all information available for the cell phone of a specific suspect. This could include months or even years of information, depending on the locale. In a different crime where there is no particular suspect, the police request a “tower dump” – a record of all activity associated with a specific cell tower within a period of time. This information can provide some insight into who was in the area when the crime was committed.

Such usage of cell phone records has been going on for some time. One Los Angeles police detective indicated in 2002 that “he has used cell phone records in every one of his investigations during the last few years, finding suspects, witnesses and accomplices. ‘It’s hard evidence; it doesn’t lie,’ he said.”

Criminals use of metadata

Actual hacker usage of metadata is hard to quantify. However there are two general approaches as to how the metadata can be exploited. The first approach is similar to that employed by the FBI and NSA up until 2015, where they collect everything and look for patterns. The second approach is more targeted, and is more likely a direct privacy concern.

Big Data is a major buzzword but what it denotes are large data sets that can be analyzed to reveal trends and associations that can ultimately indicate patterns of human behavior and interactions. A massive database of call detail record metadata certainly qualifies as such and there are significant concerns that stockpiled metadata is a major hacker target. In Australia, for example, a media storm erupted in 2015 when Parliament made it mandatory for telecommunications carriers to establish and maintain a two-year database of all phone metadata. Critics called this database a honeypot for hackers, saying a hack of the data store would result in a major compromise of citizens’ privacy.

A likely scenario is that a hacker (or government) focuses big computation resources on the data store and watches it over a period of time. This allows them to understand “normal” patterns in the data and then watch for unusual events. Over time, the hacker may see a pattern of metadata activity. Once those patterns are identified, the hacker could easily target specific individuals within the data store, identify other sources of metadata related to that individual and begin aggregating the data from multiple sources; piecing together a pretty good picture on that individual and their activities.

In the case of the Australia metadata law, critics are concerned a single “dump” of such a database would give hackers two years of historical data that would allow them to build these behavior maps, allowing them to conduct more targeted behavioral analysis in subsequent years, or perform targeted social engineering, playing on a repeated and expected pattern of behavior.

Attacks such as those outlined above require as much data as possible, allowing for correlation and pattern recognition. All of that data or even a partial dump of data, say from a single wireless operator, also allows for more targeted attacks. Such attacks are more clearly a breach of privacy, as they are focused on individuals, and can cause more direct harm. These attacks can include:

Blackmail – Correlating the data with a list of suspected drug dealers, prostitutes, bookies, or other criminals and underworld figures could result in a list of people that could be targeted for blackmail.

Social engineering – Correlating the data with the employees of a specific companies might give an entry point for social engineering, especially if combined with other techniques like faking caller ID. (For example, a faked call from a manager to the duty IT person to reboot a certain firewall or intrusion detection system at a critical moment in a hack.)


Across the world, the laws and policies that govern how metadata can be collected and used vary as the retention time and rules regarding access differ significantly from country to country. However, virtually all traditional legacy and mobile telecommunications providers collect this information which exposes their customers and users to surveillance, privacy and cybercrime risks. Without the proper tools and technology in place to mitigate these risks, both carriers and government agencies continue to build out their metadata libraries leaving users exposed to malicious actors and cybercriminals.

Don't miss