We all know by now that the government collects metadata. You might also already know that metadata does not include the call itself, only who was called and for how long. What you don’t know is how complete a picture you can get of someone’s life from metadata. A Dutch correspondent, however, does. He used an app to track his own metadata for a week and then published the results in an effort to draw attention to what metadata actually shows. Those results are far past disturbing.

From one week of logs, we were able to attach a timestamp to 15,000 records. Each time Ton’s phone made a connection with a communications tower and each time he sent an e-mail or visited a website, we could see when this occurred and where he was at that moment, down to a few metres. We were able to infer a social network based on his phone and e-mail traffic. Using his browser data, we were able to see the sites he visited and the searches he made. And we could see the subject, sender and recipient of every one of his e-mails.

So what can we find out about him from just that information? A lot. Far more than any government should know about the average citizen. Take a look:

Ton is a recent graduate in his early twenties. He receives e-mails about student housing and part-time jobs, which can be concluded from the subject lines and the senders. He works long hours, in part because of his lengthy train commute. He often doesn’t get home until eight o’clock in the evening. Once home, he continues to work until late.

His girlfriend’s name is Merel. It cannot be said for sure whether the two live together. They send each other an average of a hundred WhatsApp messages a day, mostly when Ton is away from home. Before he gets on the train at Amsterdam Central Station, Merel gives him a call. Ton has a sister named Annemieke. She is still a student: one of her e-mails is about her thesis, judging by the subject line. He celebrated Sinterklaas this year and drew lots for giving gifts.

Ton likes to read sports news on nu.nl, nrc.nl and vk.nl. His main interest is cycling, which he also does himself. He also reads Scandinavian thrillers, or at least that’s what he searches for on Google and Yahoo. Other interests of his are philosophy and religion. We suspect that Ton is Christian. He searches for information about religion expert Karen Armstrong, the Gospel of Thomas, ‘the Messiah book Middle Ages’ and symbolism in churches and cathedrals. He gets a lot of information from Wikipedia.

Ton also has a lighter side. He watches YouTube videos like ‘Jerry Seinfeld: Sweatpants’ and Rick Astley’s Never Gonna Give You Up. He also watches a video by Roy Donders, a Dutch reality TV sensation. On the Internet, he reads about ‘cats wearing tights’, ‘Disney princesses with beards’ and ‘guitars replaced by dogs’. He also searches for a snuggie, with a certain ‘Batman Lounger Blanket With Sleeves’ catching his eye. Oh, and he’s intensively looking for a good headset (with Bluetooth, if possible).

If we were to view Ton’s profile through a commercial lens, we would bombard him with online offers. He’s signed up for a large number of newsletters from companies like Groupon, WE Fashion and various computer stores. He apparently does a lot of shopping online and doesn’t see the need to unsubscribe from the newsletters. That could be an indication that he’s open to considering online offers.

He keeps his e-mail communication reasonably well separated, using three different e-mail accounts. He receives all promotional offers on his Hotmail account, which he also uses to communicate with a number of acquaintances, though he hardly sends any messages himself from the account. He has a second personal e-mail account, which he uses for both work and correspondence with closer friends. He uses this account much more actively. Lastly, he has an e-mail account for work.

Ton knows a lot about technology. He’s interested in IT, information security, privacy issues and Internet freedom. He frequently sends messages using encryption software PGP. He performs searches for database software (SQLite). He is a regular on tech forums and seeks out information about data registration and processing. He also keeps up with news about hacking and rounded-up child pornography rings.

We also suspect that he sympathises with the Dutch ‘Green Left’ political party. Through his work (more about that later), he’s in regular contact with political parties. Green Left is the only party from which he receives e-mails through his Hotmail account. He has had this account longer than his work account.

While you might think this is disturbing, it’s not even all of the info they collected. Remember, this is one week of data. One week’s worth of the type of privacy intrusion that our own government claims is no big deal. But it gets even worse. Not only did they construct his entire social network of friends, colleagues and contacts, they were able to crack his passwords…just by using his hints.

But that’s not all. The analysts from the Belgian iMinds compared Ton’s data with a file containing leaked passwords. In early November, Adobe (the company behind the Acrobat PDF reader, Photoshop and Flash Player) announced that a file containing 150 million user names and passwords had been hacked. While the passwords were encrypted, the password hints were not. The analysts could see that some users had the same password as Ton, and their password hints were known to be ‘punk metal’, ‘astrolux’ and ‘another day in paradise’. ‘This quickly led us to Ton Siedsma’s favourite band, Strung Out, and the password “strungout”,’ the analysts write.

With this password, they were able to access Ton’s Twitter, Google and Amazon accounts. The analysts provided a screenshot of the direct messages on Twitter which are normally protected, meaning that they could see with whom Ton communicated in confidence. They also showed a few settings of his Google account. And they could order items using Ton’s Amazon account – something which they didn’t actually do. The analysts simply wanted to show how easy it is to access highly sensitive data with just a little information.
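The storage weakness behind the Adobe episode described above can be shown from the defender's side. This is an added example, not code from the article or the analysts: the records are constructed, and an HMAC under one hypothetical site-wide key stands in for any scheme that maps the same password to the same stored value for every user, compared against a per-user salted KDF.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample records (user, password, hint); not real breach data.
RECORDS = [
    ("ton", "strungout", ""),
    ("user_a", "strungout", "punk metal"),
    ("user_b", "strungout", "astrolux"),
    ("user_c", "strungout", "another day in paradise"),
    ("user_d", "correct horse", "xkcd"),
]

SITE_KEY = b"constructed-site-wide-key"  # hypothetical key shared by all users


def store_deterministic(user, password):
    """Stand-in for unsalted, single-key storage: same password -> same blob."""
    return hmac.new(SITE_KEY, password.encode(), hashlib.sha256).hexdigest()


def store_salted(user, password):
    """Per-user random salt plus a slow KDF: same password -> different blobs."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def hints_exposed_for(target, store):
    """Hints of OTHER users whose stored value equals the target's stored value."""
    table = [(user, store(user, pw), hint) for user, pw, hint in RECORDS]
    by_blob = defaultdict(list)
    for user, blob, hint in table:
        by_blob[blob].append((user, hint))
    target_blob = next(blob for user, blob, _ in table if user == target)
    return sorted(h for u, h in by_blob[target_blob] if u != target and h)


if __name__ == "__main__":
    # Deterministic storage pools every matching user's hint against one password.
    print("deterministic:", hints_exposed_for("ton", store_deterministic))
    # Salted storage gives each user a unique value, so no hints can be pooled.
    print("salted KDF:   ", hints_exposed_for("ton", store_salted))
```

With salted storage a user who leaves the hint empty is not exposed by other users' hints, although a plaintext hint still weakens the account of whoever wrote it.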

One week of data. That’s all it took for a non-state actor to paint a pretty complete picture of his life, wants, needs, and belief systems. Now take into account the federal government, with its unlimited technology and resources. Now take into account the simple fact that the same federal government sees patriots as the enemy, as a domestic terror threat. Do you really think that they aren’t putting more work into looking at your information?

Computer security is necessary. Privacy is necessary. Those who claim that they have nothing to hide, or that they don’t care if the feds look at their stuff, are not only putting themselves at risk, but they’re putting everyone they work with in danger.

TOWR will be sponsoring a cryptoparty soon. Make sure to attend it, because the life you’re protecting isn’t just your own.
