Researchers easily extract personal details from metadata

Academics from Stanford University in the United States have shown how trivially easy it can be to infer sensitive details about individuals from metadata on their communications.

They set out to test claims by the US National Security Agency that metadata is not personally identifiable information (PII).

Researchers Jonathan Meyer, Patrick Mutchler and John Mitchell collected the data for the study by running an application on Google Android phones used by 823 volunteers.

The application automatically retrieved device logs with metadata on calls, text messages, and Facebook accounts. All in all, over 250,000 calls and more than 1.2 million text messages formed the body of the study.

Analysis of the metadata showed that it was easy to infer highly sensitive details about people's religious affiliations, their locations, health status and other traits from what was collected. 

In one example, the researchers noted that one participant in the study received a long phone call from the cardiology group at a regional medical centre. The person also spoke briefly to a medical laboratory, and received mutliple short calls from a local pharmacy, and rang a self-reporting hotline for a cardiac arrhytmia monitoring device.

Using public sources the researchers were able to confirm that the person was indeed a cardiac arrhythmia suffer.

In another example, the researchers worked out that a study participant owned an AR semiautomatic rifle from his metadata.

The researchers were also able to infer that one person was likely growing hydroponic marijuana, and another person was trying to become pregnant, simply by analysing phone logs.

The Stanford team said their findings exposed the serious privacy implications that bulk metadata collection by government agencies carries.

“The results of our study are unambiguous: there are significant privacy impacts associated with telephone metadata surveillance,” the researchers wrote.

Telephone metadata is densely interconnected, easily reidentifiable, and trivially gives rise to location, relationship, and sensitive inferences.”

Government intelligence agencies around the world, including in Australia, continue to insist that metadata is not reidentifable, and cannot be used to glean sensitive, personally identifable information on people.