Notes Privacy Is Hard Creative Commons License
Chapter 4

It's Merely Metadata

  1. J. Voorhees, "Antivirus Pioneer John McAfee Has Been Arrested," Slate, December 6, 2012.
  2. World Economic Forum, Personal Data: The Emergence of a New Asset Class (Geneva: World Economic Forum, January 2011).
  3. For example, the Time Machine functionality in Apple's MacOS.
  4. I. Thomson, "How TV Ads Silently Ping Commands to Phones: Sneaky SilverPush Code Reverse-Engineered," Register, November 20, 2015.
  5. N. Hoffelder, "Adobe Is Spying on Users, Collecting Data on Their eBook Libraries," Digital Reader, October 6, 2014.
  6. Kindle Direct Publishing Help Center (Amazon), "Royalties in Kindle Unlimited and Kindle Owners' Lending Library," August 13, 2019.
  7. See here, last updated January 8, 2019.
  8. S. Das and A. D. I. Kramer, "Self-Censorship on Facebook," in Proceedings of the 7th International Conference on Weblogs and Social Media (ICWSM), ed. E. Kiciman et al. (Palo Alto, CA: AAAI Press, 2013); C. Johnston, "Facebook Is Tracking What You Don't Do on Facebook," Ars Technica, December 16, 2013.
  9. Wikipedia, "Mouse Tracking," last modified April 17, 2020.
  10. To be precise, every network interface on your computer that allows you to connect your computer to a network (whether by WiFi, Bluetooth, or Ethernet) has a separate MAC address. MAC addresses have a structure that allows the manufacturer of a device to be determined given its MAC address. Because MAC addresses are only relevant for a direct connection with the local area network, the websites you visit (which typically are not directly connected to your device) do not get to see your MAC address.
  11. See Bluetooth, accessed July 10, 2019; and Wi-Fi, accessed July 10, 2019.
  12. Location data, battery status information, and application (un)install information were used as evidence in a Dutch murder case: H. Modderkolk, "Hoe Google-data in een moordzaak leidden naar de echtgenote," De Volkskrant, August 8, 2019.
  13. R. Coulthart, "Metadata Access Is Putting Whistleblowers, Journalists and Democracy at Risk," Sydney Morning Herald, May 4, 2015; M. Meaker, "Europe Is Using Smartphone Data as a Weapon to Deport Refugees," Wired, July 2, 2018.
  14. D. Cole, "'We Kill People Based on Metadata,'" New York Review of Books, May 10, 2014.
  15. WhatsApp's privacy policy allows it to use this data for friend suggestions, but Facebook denies it is actually using this data: A. Tait, "Why Does Facebook Recommend Friends I've Never Even Met?," Wired, May 29, 2019.
  16. K. Hill, "Facebook Recommended That This Psychiatrist's Patients Friend Each Other," Splinter, August 29, 2016.
  17. Facebook first confirmed that location data was one of the factors to suggest new friends, but later claimed location data was not used for that purpose: E. Hunt, "How Does Facebook Suggest Potential Friends? Not Location Data—Not Now," Guardian, June 29, 2016.
  18. K. Hill, "Facebook Is Using Your Phone's Location to Suggest New Friends—which Could Be a Privacy Disaster," Splinter, June 28, 2016.
  19. M. Latzer, M. Büchi, and N. Festic, Internetverbreitung und digitale Bruchlinien in der Schweiz 2019, Themenbericht (Switzerland: World Internet Project, 2019).
  20. W. H. Porter, Proverbs, Arranged in Alphabetical Order (Boston: James Munroe and Company, 1845), 10. The following poem (Carmen 70) by Gaius Valerius Catullus also illustrates eloquently the relative value of what people say: "Nulli se dicit mulier mea nubere malle quam mihi, non si se Iuppiter ipse petat. dicit: sed mulier cupido quod dicit amanti, in vento et rapida scribere oportet aqua.", accessed November 4, 2019.
  21. Cole, "'We Kill People Based on Metadata.'"
  22. P. Leskin, "Your iPhone Keeps a Detailed List of Every Location You Frequent—Here's How to Delete Your History and Shut the Feature Off for Good," Business Insider, April 2, 2019.
  23. Martin et al., "A Study of MAC Address Randomization in Mobile Devices and When it Fails."
  24. This does still allow such services to measure the number of people at one particular location, and even allows them to measure the movement of these people over brief moments of time during which the MAC address stays constant.
  25. P. Samarati and L. Sweeney, "Protecting Privacy when Disclosing Information: k-Anonymity and Its Enforcement through Generalization and Suppression" (Technical Report SRI-CSL-98-04, Computer Science Laboratory, SRI International, 1998); L. Sweeney, "k-Anonymity: A Model for Protecting Privacy," International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems 10, no. 5 (2002): 557–570.
  26. A. Machanavajjhala, D. Kifer, J. Gehrke, and M. Venkitasubramaniam, "L-Diversity: Privacy beyond k-Anonymity," ACM Transactions on Knowledge Discovery from Data 1, no. 1 (2007).
  27. M. R. Koot, "Measuring and Predicting Anonymity" (PhD thesis, University of Amsterdam, June 27, 2012); A. Hern, "'Anonymised' Data Can Never Be Totally Anonymous, Says Study," Guardian, July 23, 2019; Article 29 Working Party, "Opinion 5/2014 on Anonymisation Techniques," April 10, 2014.
  28. Pfitzmann and Hansen, Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management.
  29. Typically (but not always) considered only from the perspective of an external adversary. The recipient of a message may know the person that sent the message already or may be able to tell from the contents.
  30. M. Edman and B. Yener, "On Anonymity in an Electronic Society: A Survey of Anonymous Communication Systems," ACM Computing Surveys 42, no. 1 (2009): 5:1–5:35; G. Danezis and C. Diaz, "A Survey of Anonymous Communication Channels," Microsoft Research Technical Report (MSR-TR-2008-35) (January 2008).
  31. Wikipedia, "Penet Remailer," last modified May 16, 2020; Danezis and Diaz, "A Survey of Anonymous Communication Channels."
  32. Such free email services also allow you to register an arbitrary email address and do not really check your identity when registering for such an address. They do log your IP address when you register or access your email later, though, so these free email services have a similar centralized record that allows them—and others, like law enforcement—to recover your identity. (See chapter 2 for more on how IP addresses can be traced back to natural persons.)
  33. An outgoing email of a particular length sent at a particular time probably corresponds to an incoming email of about the same length received just a fraction of a second earlier. Even if the content of the email is encrypted, the header of the email, which contains the recipient's real or anonymous email address, is not. The header cannot be encrypted because email servers always need access to this info to determine what to do with the message. See also Edman and Yener, "On Anonymity in an Electronic Society"; Danezis and Diaz, "A Survey of Anonymous Communication Channels."
  34. G. Danezis, R. Dingledine, and N. Mathewson, "Mixminion: Design of a Type III Anonymous Remailer Protocol," in 2003 IEEE Symposium on Security and Privacy (IEEE Computer Society, 2003), 2–15.
  35. D. Chaum, "Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms," Communications of the ACM 24, no. 2 (1981): 84–88.
  36. This is one difference between mix networks and onion routers, to be discussed next.
  37. Leaving the analogy for a moment, when messages are actually sent over the internet, a mix node learns not only the IP address of the next mix node on the path, but also the IP address of the previous mix node on the path—that is, the one that sent the message.
  38. Danezis and Diaz, "A Survey of Anonymous Communication Channels."
  39. R. Dingledine, N. Mathewson, and P. F. Syverson, "Tor: The Second-Generation Onion Router," in 13th USENIX Security Symposium, ed. M. Blaze (USENIX Association, 2004), 303–320.
  40. See https://www.torproject.org.
  41. P. Syverson, "Onion Routing," 2005.
  42. Although they could detect this information by looking carefully at the IP address of the connection.
  43. J. Ball, B. Schneier, and G. Greenwald, "NSA and GCHQ Target Tor Network that Protects Anonymity of Web Users," Guardian, October 4, 2013. See also.
  44. Tor Community, "Types of Relays on the Tor Network,".
  45. Unless the web server enforces secure browsing—that is, uses HTTPS in the link—itself.
  46. J. P. Barlow, "A Declaration of the Independence of Cyberspace," February 8, 1996.
  47. P. Winter, A. Edmundson, L. M. Roberts, A. Dutkowska-Zuk, M. Chetty, and N. Feamster, "How Do Tor Users Interact with Onion Services?," in 27th USENIX Security Symposium, ed. W. Enck and A. P. Felt (USENIX Association, 2018), 411–428.
  48. Moreover, the addresses used in this example follow a previous version of the Tor onion service specification. A newer version with longer addresses has been proposed.