Metadata: Four syllables — zero privacy
February 10, 2020 / Privacy
Metadata (n.): Data about data; data which describes or gives information about other data.
Metadata is the trail of footprints that you leave when you move through the digital world. Things like file creation times, file sizes and locations, and artist and album information for music files, are all examples of metadata. Metadata is created when you do things in a digital environment: create, move, or delete files, sync your phone with your computer, send an email, or even just turn on your laptop.
Some kinds can be really helpful. Your computer uses metadata to arrange files into folders and sort them by name or date. Your phone uses metadata to show you photos taken in a particular location. And your smart home assistant uses metadata to suggest relevant content for you to watch or listen to.
However, not all metadata is harmless — and not everyone who tracks and uses it has your best interests at heart.
Websites you visit will often collect metadata about you: for example, what browser and device you’re using, your IP address and location, how long you spend on the site, and whether you’ve visited before. This information can be used in helpful ways — sending you to the right site for your location, adapting the website design if you’re on a mobile device, and serving content relevant to you if you’ve visited before.
But this information can also be used by advertisers to build up a profile of who you are — a profile they can use to track and target you across the internet.
Advertisers often pay websites to host tracking software that lets them track you not only on one website, but on most or all of the sites you visit. Some advertisers may also simply buy access to websites’ stored metadata. Either method lets the advertiser build up a much more detailed and complete profile than if they could only see your browsing habits on a single website. Advertisers are then able to serve up ads specifically designed to target your needs, wants, and desires — walking a very fine line between helpful and just plain creepy.
Metadata takes on a whole new level of significance when you move into the realm of private messengers. Often, you use a private messenger because you either want privacy, or because you need it. But whether it’s a want or a need, metadata threatens your privacy when it comes to messaging.
End-to-end encrypted messaging apps secure the contents of your messages from prying eyes. If the messenger you’re using is truly end-to-end encrypted, nobody but you and the recipient can read it. Pretty private, right?
Every time you send or receive a message, even in an encrypted private messenger, you generate metadata. Sender and recipient identities, message lengths, and the dates and times messages are sent and received — your private messenger can log and store all these fragments of metadata, and more.
If the messenger uses centralised servers, you simply have to trust that the company or group running the app won’t store or sell your metadata.
Centralisation refers to a single central entity having control over a group or a system. In computer networks, centralisation means that there’s a single server (or cluster of servers) that manages data traffic over the network. For centralised messaging apps, this central server routes messages from sender to receiver — meaning that the server has to know who’s talking to who.
Even if the company behind the app is trustworthy, the simple fact that metadata is generated in the first place can be a security risk. If it exists, there’s the possibility it could be leaked, stolen, or exposed to the public.
The sheer existence of messaging metadata also opens up the possibility for governments or other third parties to file court orders forcing the company running the app to log, store, and surrender metadata about specific users — even if the company would otherwise never do so.
If you want real privacy, you need to minimise your metadata footprint — both on the web and in your messenger. There are a number of tools you can use to block invasive tracking in your web browser — the Ghostery browser extension blocks tracking across a number of browser platforms, and if you’re looking for an all-in-one solution, Mozilla Firefox comes with built-in tracking prevention.
When it comes to messaging apps, your options are more limited. Session is the first private messenger to use a combination of decentralised servers, onion and proxy routing, and end-to-end encryption technologies to keep your metadata footprint as small as possible. Because Session is truly decentralised, there are no central servers to log or store metadata about your conversations.
You don’t have to trust that the app won’t misuse your messaging metadata — it’s simply not possible.
Your messages are encrypted before being routed over Session’s decentralised network, so there’s no way for it to know who you’re talking to.
And to top it all off, Session is built from the ground up to minimise metadata generation. Not only is there no central server to store your metadata — it simply doesn’t exist. You don’t have to take our word for it, either. Session is open-source, meaning that anyone can take a look under the hood.
It’s time to take back your online privacy. Send messages — not metadata. Get Session.
Session Release Roundup #13: It’s all about the UX
September 16, 2021
Why are phone numbers a privacy problem?
September 14, 2021
On the recent Australian surveillance legislation
September 09, 2021
Deleting messages and time-to-live: This message will self-destruct in…
September 06, 2021
Contact discovery: Finding friends without foes
August 09, 2021