A Melbourne hackathon has revealed how easy it is to expose people through their metadata, as unknowing Australians continue to leave digital footprints of their lives every day.
The “Snitch Hunt” was hosted by the University of Melbourne in collaboration with multiple tech groups including ThoughtWorks and Hack For Privacy on World Human Rights Day.
CryptoParty Sydney, Platypus Initiative, Blueprint for Free Speech, Digital Rights Watch and Electronic Frontiers Australia were also involved.
At the event, more than 40 participants of all ages and backgrounds were given the task of using metadata to bust a whistleblower.
A team of students aged 10 to 14 won the game.
The prize of this hackathon is not a new startup, but rather a lesson on the real threats that metadata retention presents to citizens around the world, says Dr Suelette Dreyfus, who co-organised the event.
Dreyfus says the teams had access to a number of types of metadata, including emails, IP addresses, phone numbers and geo-locational data, which might have revealed who called at what time, and their location.
In late 2015, Australia began wide-scale data retention by telecommunications and internet providers, which must keep customer metadata for two years.
“It’s very easy to drop little electronic breadcrumbs about your life everywhere you go and not even realise that you’re doing it,” Dreyfus told StartupSmart.
Dreyfus says metadata can reveal your geographical location at certain times of the day, as well as who you talk to and for how long.
“The fact that a team of pre-teen girls could hunt down a mock journalist whistleblower in two hours using this metadata should concern everyone about their personal privacy,” she says.
“I asked a security investigator once: If you were given a choice between the content of a conversation or metadata, which would you choose?
“He said he’d rather have the metadata because it tells you more.”
Why this matters to startups
For startups, Dreyfus says putting customer privacy and security front and centre is crucial.
“A critical component of any brand is trust. If your customers’ privacy is violated because you weren’t careful you break trust,” she says.
“Increasingly people are aware that their privacy has monetary value and they want a say in how it’s going to be monetised and if it’s going to be monetised.
“As people become more and more aware of the importance of privacy, they are looking for relationships with service providers who are in their corner and are going to fight for them.”
The power and hazards of metadata retention
From Edward Snowden to those behind documentary series like Truth and Power on Netflix, many activists have been fighting to show the potential consequences of complacency with metadata retention and poor digital privacy.
NordVPN says new legislative powers on metadata retention and surveillance in Russia, Poland, Germany, the US and the UK this year have created “shocks and abuses” to internet privacy.
“We kill people based on metadata,” said the former boss of the US-based National Security Agency (NSA), Michael Hayden, during a public debate in 2014.
Back at home, Dreyfus says Australians should be more aware of the metadata that’s being collected about them.
“If you have metadata it’s very powerful,” she says.
But the hazards of metadata retention go beyond whistleblowers, according to NordVPN.
“Citizen control and surveillance, especially suspicion-less surveillance, whether physical or digital, has not proved to be an effective way to control criminal activity [and] history tells us it has always turned out to be counter-productive, endangering lives and causing fear and insecurity,” the VPN provider said in a statement.
“For example, when the government opens a backdoor to citizen’s data, it means that this backdoor could potentially be used by anyone else … In the wrong hands, it can be used to steal people’s identities and rob them of their bank accounts.
“Data can also get misplaced, systems can crash and everyone can get endangered.”
The Australian government has recently committed $230 million to a Cyber Security Strategy, which includes the Cyber Security Growth Centre to be led by Atlassian’s former head of security Craig Davies, and ICT expert David Glance has said this is a “small step in the right direction”.
Protecting digital privacy
To protect digital privacy, Dreyfus recommends the use of end-to-end encryption communication tools like ProtonMail, browsers like Tor and secure messaging apps like Whisper Systems’ open-source Signal instead of traditional SMS.
“Turning on full disk encryption on your laptop or desktop, making sure that you have full encryption enabled on your phone, [using] a longer pin number not just a four-digit pin,” she says.
“Those things will help nudge us all closer to cyber privacy.”