In an interview conducted by Reporters Without Borders (RSF), technology expert Benjamin Finn warns about the threat posed by metadata and details the tools available for journalists to protect themselves and their sources.
RSF: What is metadata?
Benjamin Finn: In its strictest sense, metadata is data that describes data. Different platforms have different metadata needs for their operation, which includes information such as date, time, filename, settings, location, email header, recipient, server names, software, and more. It can also include what a user clicks on, how long they stay on a page, what a user purchases, and every trackable habit or interest a user displays. There is metadata on everything a user does on a computer including personal computer files, documents, social media, and in all web searches. These can be combined across multiple platforms using profiles and trackers, also known as cookies, to gain a deep understanding of who someone is and even to predict their online behavior.
RSF: How can metadata be used for surveillance?
BF: Government authorities may not always be able to access the content of an encrypted conversation, but through metadata they can know the identities of those who are communicating. For example, through an internet service provider (ISP), authorities can access information about who a journalist contacts, their contact’s geolocation and movements, the type of app they’re using, and the size of the file being sent, whether it’s encrypted or unencrypted. Though the content of the message itself is inaccessible, the metadata reveals vital information that can be used against both the sender and receiver.
Companies such as Google or Facebook pay an extortionate amount for metadata, encouraging apps and ISPs to collect it from their users. Companies are not interested in what one individual user has to say or do, but being able to take specific statistics from millions of users on their habits, timing, and interests is beneficial for development, sales, and marketing.
RSF: Does China’s mass surveillance system exploit metadata?
BF: The government-owned mass surveillance system in China, known as Skynet, monitors its citizens through the internet, surveillance cameras, and other digital technologies. Its internal systems were developed using the data — including, of course, metadata — it collected through WeChat, a multi-purpose instant messaging, social media, and mobile payment app widely used by Chinese citizens and the diaspora. This piece of technology allows the Chinese government to track users in multiple ways, sometimes even after they leave the country. Artificial intelligence (AI) features have also been added, primarily using metadata from social media activity and browsing history, which allows authorities to “predict” the actions of those they deem problematic.
RSF: Can metadata be encrypted?
BF: No. Generally, metadata cannot be encrypted as it is often needed for an app or website to function. Metadata encryption is a developing technology that many apps do not offer. Virtual private networks (VPNs) can block certain metadata such as an IP address (a unique device identification number) from the app. Beyond that, there are almost no examples of commercially available metadata encryption.
RSF: Are there laws to protect tech users against abusive metadata practices?
BF: No. It is difficult to know which laws a user’s metadata is subject to, as users don’t have control over where their metadata resides. The few laws that do exist to protect metadata are weak or easily bypassed. In 2016, Australia passed a Metadata Retention law which requires ISPs to keep its users’ metadata for up to two years, making it available to a range of law enforcement agencies without having to obtain a warrant. This has since proven to be dangerous and has been used to target journalists’ sources without their knowledge. A similar metadata law was rejected by the European Union as it was found to violate its Charter of Fundamental Rights.
RSF: How can journalists protect themselves and their sources?
BF: Since ISPs have access to a large amount of information by default, combating privacy issues can be a difficult task. There is no way to completely eliminate the risk of being tracked through metadata, but the following can increase privacy while online.
- Use a VPN at all times – a good VPN can mask some metadata such as IP addresses.
- Install apps like Privacy Badger, which reduces the tracking systems that social media sites use. Have a designated device only for social media, and never use it for secure discussions.
- Use a security-focused browser like Brave or Tor. If possible, use the Tor system itself and not just the browser.
- Use security-focused apps for communication like Signal.
- Use encrypted email services like ProtonMail and encourage sources to do so as well, because this email service only offers strong protection when used with another ProtonMail account.
- Use burner phones and when not in use, keep them powered off with the battery taken out. Be sure to use a different ISP than your everyday phone, with a dedicated SIM card.
- Use a physical exchange of large files without directly meeting a source, for example by using a post office box. If meeting a source is necessary, do not bring along any device.
Benjamin Finn has been in the IT field for a decade, during which his primary focus was the deployment of internal security tools across large enterprises. Over the last two years, he has been working in Myanmar and researching how to maintain proper security under an oppressive nation-state. He has also trained multiple groups in Taiwan on security and safety measures.