
MetaPhone: the importance of phone metadata


How sensitive is phone metadata? Debate on this question flared up with new force after Edward Snowden's revelations last year. The government is considering a variety of bans on access to such information; privacy concerns have also been raised at the US Federal Communications Commission (FCC).

President Obama particularly stressed that the NSA "did not delve into the content of the conversations." “Only metadata was used,” Senator Feinstein told reporters. Rejecting a claim by the American Civil Liberties Union (ACLU), Judge Pauley described the possible legal consequences of a different decision as a “horror parade.”
On the other hand, many scientists and IT professionals have expressed concern about the risk of disclosing metadata. Ed Felten, in a statement to the ACLU, gave a comprehensive explanation of this: “Telephone metadata can help to fully reveal the user's identity. Both at the level of individual calls, and (especially!) in the aggregated state.” Judge Leon, recognizing that the NSA surveillance program is likely to be unconstitutional, agreed with Felten's point of view and noted that “the metadata from the phone of a particular person can provide information about his marital status, political and religious views, sexual preferences.”

Accordingly, there is a gap between two opposing points of view. Is it easy to get important personal information using metadata? Do people often entrust their phones with extremely personal information, which can then be obtained from metadata?

We used data from different sources to find empirical answers to these questions. Since November last year, we have been conducting a study on the security of telephone metadata. The participants in the experiment ran the MetaPhone application on their Android smartphones. It collects device logs and other social information, which is then sent on for later analysis. Using the data obtained through MetaPhone, we were able to correctly determine a person's relationship status, understand the interconnections in call graphs, and evaluate the identifiability of telephone numbers.


At the beginning of this study, we shared the view of our colleagues in IT: telephone metadata can reveal very important and sensitive information about an individual. However, we did not expect to find irrefutable evidence either way, since the number of MetaPhone users was not that large and we planned to monitor telephone activity for only several months.

We were very wrong. We found that phone metadata contains extremely sensitive information, and that it can be obtained even by tracking a phone for a short period of time. We managed to obtain data on the health of phone users and on their ownership of firearms, all from metadata alone.

Methodology


The first step was to identify the contacts of MetaPhone users. Here we used an approach in which phone numbers are matched against public data from Google and Yelp. In total, the 546 participants in our experiment contacted 33,688 telephone numbers. We managed to identify the owners of 6,107 numbers (18%).

Then we flagged the contacts that were more likely to reveal sensitive information. In most cases we managed to find out, for example, the name of the company a person had contacted, and the name usually made it clear what the company did. Where the company's line of business could not be determined from the name alone, Google came to the rescue.

In the end, we managed to collect two groups of results. First, we analyzed individual calls to important numbers. Secondly, we compared various call patterns to get information about the caller's personal life, accessible from metadata.

The results of the analysis of individual calls


Many organizations perform a narrowly defined range of tasks, so a call to one of their numbers immediately carries rather sensitive information. If a person calls a candidate's campaign headquarters, for example, it can be argued that he supports that candidate. In the same way, if a person often talks to someone on a number assigned to a religious organization, his religion becomes clear. You can even figure out which particular church he goes to.

We were able to collect information about a large number of calls from which it is possible to draw such conclusions. The table below presents data on the proportional number of participants in the experiment who made at least one phone call to the numbers of “sensitive” organizations:

image

Information about religious organizations gave us the opportunity to check the accuracy of our assumptions. MetaPhone takes information about the user's religion directly from his Facebook profile, which allows us (if religion is listed in the profile) to compare assumptions made from the phone metadata directly with the accurate data from Facebook. We had 15 people with clear information about religion in the profile (including atheism) and telephone contacts with religious organizations. Assuming that the religious organization a person calls most often reflects his religion, we were able to accurately determine the religious status of 11 of our 15 volunteers (accuracy 73%).

Many telephone numbers could be associated with specialized products and services, and we could even work out the specific line of business. In medicine, for example, we managed to divide the telephone numbers into categories corresponding to the diseases treated at a particular institution.
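The sketch below walks through the pipeline described above (label dialed numbers from a public directory, measure how many participants touch each sensitive category, then guess religion from the most-called religious organization and score the guess against self-reported data). It is an added example, not the study's code; the participants, numbers, directory entries and function names are all constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the study): a public-directory lookup
# and call records holding metadata only, never call content.
DIRECTORY = {
    "555-0101": ("religious", "catholic"),
    "555-0102": ("religious", "baptist"),
    "555-0103": ("medical", "cardiology"),
    "555-0104": ("firearms", "gun store"),
}
CALLS = [  # (participant, dialed number, duration in seconds)
    ("p1", "555-0101", 120), ("p1", "555-0101", 45), ("p1", "555-0102", 30),
    ("p1", "555-0199", 600),
    ("p2", "555-0102", 60), ("p2", "555-0103", 300),
    ("p3", "555-0104", 90), ("p3", "555-0198", 15),
]
SELF_REPORTED = {"p1": "catholic", "p2": "methodist"}  # constructed ground truth


def identified_share(calls, directory):
    """Fraction of distinct dialed numbers that the directory can label."""
    numbers = {number for _, number, _ in calls}
    return sum(n in directory for n in numbers) / len(numbers)


def category_exposure(calls, directory):
    """Share of participants with at least one call to each category."""
    participants = {p for p, _, _ in calls}
    seen = defaultdict(set)
    for participant, number, _ in calls:
        if number in directory:
            seen[directory[number][0]].add(participant)
    return {cat: len(who) / len(participants) for cat, who in seen.items()}


def infer_by_most_called(calls, directory, category):
    """Per participant, the label of the most-called number in a category."""
    tallies = defaultdict(Counter)
    for participant, number, _ in calls:
        kind, label = directory.get(number, (None, None))
        if kind == category:
            tallies[participant][label] += 1
    return {p: counts.most_common(1)[0][0] for p, counts in tallies.items()}


def accuracy(inferred, truth):
    """Score only participants who have both an inference and a label."""
    scored = [p for p in inferred if p in truth]
    return sum(inferred[p] == truth[p] for p in scored) / len(scored)
```

Note that call duration is never used: the dialed number and the call count alone drive every result, which is why access controls and retention limits need to cover call records and not only call content.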

image

The sensitivity of the data that can be obtained from a user's contacts took us by surprise. Our subjects called Alcoholics Anonymous, gun stores, organizations that support the right to abortion, trade unions, divorce lawyers, clinics for the treatment of sexually transmitted diseases, and strip clubs, and this is not a complete list. This is not a hypothetical "horror parade", but simple information about the owners of the phones, which can easily be extracted on an industrial scale.

Results of pattern matching calls


Call patterns often give away far more information than just a list of the numbers a person called. In the course of our research, we were able to identify call patterns that allow highly accurate assumptions about the sensitive nature of such contacts. The examples below were obtained from our data set by identifying telephone numbers using public means [identification]. Although the majority of MetaPhone users have given permission to disclose their identities, we still use pseudonyms.


We were able to confirm the diagnosis of participant B and the fact of possession of weapons by participant B, using information from public sources. Due to the sensitivity of the information received, we did not turn to A, D, and E for confirmation.

Findings


The data set that we analyzed in this report covered hundreds of users over several months. The NSA and telecom operators have information about millions of people over many years. You can argue about the need to impose restrictions on access to such information. One thing is certain: with the help of metadata you can get very important and sensitive information about a person.

Source: https://habr.com/ru/post/220043/

