For one short week, a Dutch volunteer named Ton Siedsma, who works
with the digital rights group Bits of Freedom, agreed to give
researchers full access to all of his smartphone metadata. This is
the kind of information the National Security Agency (NSA) and other
governments have been collecting from their own citizens while
insisting that it does not violate our privacy.
Few actually believe the government’s argument, but how much can
somebody figure out from smartphone metadata alone? Hence the
experiment with Siedsma. It turns out, as has been growing
increasingly clear, that you can figure out a lot.
According to an article subsequently published in Dutch media, the
researchers (from a university and a separate security firm)
gathered 15,000 records in a week, complete with timestamps. Nearly
every time he did anything on the phone, they were able to determine
where he physically was, and they were able to figure out a lot about
both his personal and professional life:
This is what we were able to find out from just one week of
metadata from Ton Siedsma’s life. Ton is a recent graduate in his
early twenties. He receives e-mails about student housing and
part-time jobs, which can be concluded from the subject lines and
the senders. He works long hours, in part because of his lengthy
train commute. He often doesn’t get home until eight o’clock in the
evening. Once home, he continues to work until late. His girlfriend’s name is Merel. It cannot be said for sure
whether the two live together. They send each other an average of a
hundred WhatsApp messages a day, mostly when Ton is away from home.
Before he gets on the train at Amsterdam Central Station, Merel
gives him a call. Ton has a sister named Annemieke. She is still a
student: one of her e-mails is about her thesis, judging by the
subject line.
They were able to determine what kind of silly viral videos
Siedsma had been watching and what sort of companies were sending
him e-mail newsletters offering deals (apparently some folks don’t
automatically opt out of those). From the data they were able to
determine that Siedsma worked as a lawyer for Bits of Freedom. They
were able to make a fairly good estimate of what sort of issues he
handles for the organization and what he does for the Bits of Freedom
website.
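None of the inferences above need message content. To make the technique concrete, here is an added example (not code from the report or from Bits of Freedom) that runs the same kind of analysis over constructed metadata records: timestamp, event type, counterpart and the cell the phone was attached to. The subscriber, contacts, addresses and cell ids are all invented, modelled loosely on the patterns the report describes, so the numbers below say nothing about Siedsma himself.

```python
"""Added example, not from the Bits of Freedom report: the kind of
inference an analyst runs over raw smartphone metadata."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median


def _one_day(day_offset):
    """Constructed records for one weekday of a fictitious subscriber:
    (timestamp, event type, counterpart, id of the cell the phone used)."""
    base = datetime(2013, 11, 11) + timedelta(days=day_offset)  # a Monday
    t = lambda h, m=0: base + timedelta(hours=h, minutes=m)
    return [
        (t(7, 40),  "call_in",   "merel",                  "CELL-AMS-CS"),
        (t(8, 10),  "whatsapp",  "merel",                  "CELL-TRAIN-1"),
        (t(9, 30),  "email_in",  "housing@example.org",    "CELL-OFFICE"),
        (t(10, 0),  "whatsapp",  "merel",                  "CELL-OFFICE"),
        (t(12, 15), "whatsapp",  "merel",                  "CELL-OFFICE"),
        (t(13, 0),  "email_in",  "newsletter@example.com", "CELL-OFFICE"),
        (t(15, 45), "whatsapp",  "merel",                  "CELL-OFFICE"),
        (t(18, 20), "whatsapp",  "merel",                  "CELL-TRAIN-2"),
        (t(20, 5),  "whatsapp",  "merel",                  "CELL-HOME"),
        (t(21, 0),  "email_in",  "annemieke@example.net",  "CELL-HOME"),
        (t(23, 10), "email_out", "colleague@example.org",  "CELL-HOME"),
    ]


RECORDS = [rec for d in range(5) for rec in _one_day(d)]  # Mon..Fri, 55 rows


def most_common_cell(records, start_hour, end_hour):
    """Most frequent cell among records in the clock window [start, end);
    a window that wraps midnight (22 -> 6) is handled."""
    def in_window(h):
        if start_hour < end_hour:
            return start_hour <= h < end_hour
        return h >= start_hour or h < end_hour
    counts = Counter(cell for ts, _, _, cell in records if in_window(ts.hour))
    return counts.most_common(1)[0][0] if counts else None


def home_cell(records):
    return most_common_cell(records, 22, 6)    # where the phone sleeps


def work_cell(records):
    return most_common_cell(records, 10, 16)   # where it spends office hours


def top_contacts(records, kind, n=3):
    """Counterparts ranked by volume for one event type."""
    return Counter(who for _, k, who, _ in records if k == kind).most_common(n)


def away_fraction(records, contact, home):
    """Share of WhatsApp traffic with `contact` exchanged while not on the home cell."""
    cells = [cell for _, k, who, cell in records if k == "whatsapp" and who == contact]
    return sum(1 for c in cells if c != home) / len(cells) if cells else 0.0


def typical_arrival_home(records, home):
    """Median clock time (fractional hours) of the first evening record on
    the home cell, i.e. when the subscriber usually gets home."""
    first = {}
    for ts, _, _, cell in sorted(records):
        if cell == home and ts.hour >= 17:
            first.setdefault(ts.date(), ts)
    return median(t.hour + t.minute / 60 for t in first.values()) if first else None


def late_work_days(records, home, after_hour=22):
    """Number of days on which outbound work e-mail left the home cell late at night."""
    return len({ts.date() for ts, k, _, cell in records
                if k == "email_out" and cell == home and ts.hour >= after_hour})


def profile(records):
    """Pull the individual inferences together into one summary."""
    home, work = home_cell(records), work_cell(records)
    closest = top_contacts(records, "whatsapp", 1)[0][0]
    return {
        "home": home,
        "work": work,
        "closest_contact": closest,
        "closest_contact_msgs_away_from_home": round(away_fraction(records, closest, home), 2),
        "usual_arrival_home": typical_arrival_home(records, home),
        "late_work_days": late_work_days(records, home),
        "mail_senders": [s for s, _ in top_contacts(records, "email_in")],
    }


if __name__ == "__main__":
    for key, value in profile(RECORDS).items():
        print(f"{key:38} {value}")
```

The point is that every field in the summary (where the phone sleeps, where it works, who the partner is, that most of the partner's messages are sent while away from home, the usual arrival time, the late-night work mail) comes from counting and sorting rows, with no content read at all. Real datasets add noise, multiple subscribers and cell-tower geolocation, but the analysis is the same.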
In response to the “So what?” crowd there’s more to be concerned
about. Because Bits of Freedom is a politically involved
organization, access to Siedsma’s metadata provides a window into
what Siedsma and his co-workers are doing that would be of interest
to those in government who may see the group as adversaries.
Researchers discovered an active e-mail thread with the subject
line “Van Delden must go,” referring to the chairman of a Dutch
intelligence supervisory body. They can see which members of
parliament Siedsma has contacted to discuss issues related to
international trade agreements. They can see that he is likely a
supporter of the Dutch “green left” party, because he receives
e-mails from them at a private address, not as part of his political
work. They could see which journalists he has been corresponding with
via e-mail. All of this information has obvious potential for
political abuse.
And by cross-referencing his data with a leaked password dump, they
recovered a password he reused and got into his other accounts for
even more information about him:
The analysts from the Belgian iMinds compared Ton’s data with a
file containing leaked passwords. In early November, Adobe (the
company behind the Acrobat PDF reader, Photoshop and Flash Player)
announced that a file containing 150 million user names and
passwords had been hacked. While the passwords were encrypted, the
password hints were not. The analysts could see that some users had
the same password as Ton, and their password hints were known to be
‘punk metal’, ‘astrolux’ and ‘another day in paradise’. ‘This
quickly led us to Ton Siedsma’s favourite band, Strung Out, and the
password “strungout”,’ the analysts write. With this password, they were able to access Ton’s Twitter,
Google and Amazon accounts. The analysts provided a screenshot of
the direct messages on Twitter which are normally protected,
meaning that they could see with whom Ton communicated in
confidence. They also showed a few settings of his Google account.
And they could order items using Ton’s Amazon account – something
which they didn’t actually do. The analysts simply wanted to show
how easy it is to access highly sensitive data with just a little
information.
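The trick the analysts describe works because of how the leaked file was built, not because the encryption was broken: public analysis of the Adobe breach showed the passwords were encrypted with unsalted 3DES in ECB mode rather than hashed, so every user with the same password had exactly the same ciphertext, and the unencrypted hints of those other users describe the target's password. The added example below (not code from the iMinds analysts or from the report) shows the lookup and the partial-match leak that ECB adds, then the salted-hash storage that defeats both. The line layout (fields separated by -|-, line ending |--) is modelled on the public dump; every uid, address, ciphertext and hint is constructed, with the target address and hints echoing the report's example rather than real data.

```python
"""Added example, not from the Bits of Freedom / iMinds report: recovering
a target's password from OTHER users' hints in a dump of unsalted,
deterministic ciphertext, and why salted hashing stops it."""
import base64
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed records laid out like the 2013 Adobe dump:
#   uid -|- username -|- email -|- base64 ciphertext -|- hint |--
# Every value below is invented; the ciphertexts are arbitrary bytes,
# not real 3DES output. One deliberately malformed line is included.
DUMP = """\
1001-|--|-ton@example.org-|-L8qbAD3jl3jioxG6CatHBw==-|-|--
1002-|--|-fan1@example.com-|-L8qbAD3jl3jioxG6CatHBw==-|-punk metal|--
1003-|--|-fan2@example.com-|-L8qbAD3jl3jioxG6CatHBw==-|-astrolux|--
1004-|--|-fan3@example.com-|-L8qbAD3jl3jioxG6CatHBw==-|-another day in paradise|--
1005-|--|-other@example.com-|-L8qbAD3jl3jAAAAAAAAAAw==-|-band plus year|--
1006-|--|-solo@example.com-|-Qm1hDtwMhl4=-|-dog's name|--
garbage line that does not parse
"""


def parse_dump(text):
    """Parse dump lines into dicts; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.endswith("|--"):
            continue
        fields = line[:-3].split("-|-")
        if len(fields) != 5:
            continue
        uid, _username, email, ciphertext, hint = fields
        records.append({"uid": uid, "email": email.lower(), "ct": ciphertext, "hint": hint})
    return records


def hints_for_same_ciphertext(records, target_email):
    """Hints written by every *other* user whose stored ciphertext equals the
    target's. Works only because the file stores deterministic, unsalted
    ciphertext: same password -> same ciphertext. Returns None if the target
    address is not in the dump."""
    target = next((r for r in records if r["email"] == target_email.lower()), None)
    if target is None:
        return None
    return sorted({r["hint"] for r in records
                   if r["ct"] == target["ct"] and r["hint"] and r is not target})


def shared_first_block(records, block_size=8):
    """ECB leaks partial matches too: users whose first ciphertext block agrees
    share the first block_size characters of their password even when the
    full ciphertexts differ. Returns {hex(first block): [emails]} for groups
    of two or more."""
    groups = defaultdict(list)
    for r in records:
        first_block = base64.b64decode(r["ct"])[:block_size]
        groups[first_block.hex()].append(r["email"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def salted_hash(password, salt=None):
    """The defence: per-user random salt plus a slow KDF. Two users with the
    same password get different stored values, so nothing groups. Stored
    form is salt (16 bytes) followed by the PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)


def verify(password, stored):
    """Constant-time check of a password against a salted_hash() value."""
    return hmac.compare_digest(salted_hash(password, stored[:16]), stored)


if __name__ == "__main__":
    recs = parse_dump(DUMP)
    print("hints from users sharing the target's ciphertext:",
          hints_for_same_ciphertext(recs, "ton@example.org"))
    print("users sharing a first block:", shared_first_block(recs))
    a, b = salted_hash(b"strungout"), salted_hash(b"strungout")
    print("same password, same stored value?", a == b)
```

Two things are worth noting. First, the target's own hint is empty in the constructed dump, as it was in the real case; the attack never needed it, because any user who chose the same password and left a hint does the work. Second, the first-block grouping is the part people miss: with a 64-bit block, an 8-character prefix is enough to tie accounts together, so "strungout" and "strungout2013" would land in the same group. With salted hashing neither lookup has anything to group on.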
Read the Dutch report here.
(Hat tip to TechDirt)
from Hit & Run http://ift.tt/1nXubll
via IFTTT