How pre-teens using metadata found a whistleblower in two hours

James Purtill

12 Dec 2016

Team Sherlock began the scenario with one clue: the leaked documents about fracking chemicals had been sent to anna@minewatch.org.au.

With access to the kind of metadata that has been retained and made available to Australian government agencies for the past year, the team of three primary school students were then able to track down the mock corporate whistleblower in two hours.

They were part of a ‘cyber fox hunt’ co-hosted by University of Melbourne to explore how Australia’s 2015 metadata laws affect our privacy. In the scenario, twelve teams used software to filter through a database of mobile, internet and location metadata. All but one team tracked down the home address of the whistleblower, and the winning team took just one hour.

kidspy

Hunting the snitch. Supplied

Since October 2015, potentially every phone call you make, text message you send and email you write has been tracked by the government.

Only authorised agencies can access metadata, though many unauthorised government organisations have been getting around this by asking the AFP to do metadata searches for them. They don’t need a warrant, and they don’t need to warn you.

It’s just possible that sometime in 2016 unauthorised agencies such as Racing NSW and the Taxi Services Commission (Victoria) have asked the AFP to search your metadata.

Your metadata includes the addresses of people you have emailed, the numbers of people you have called, the time, date and duration of the communication, the location of your phone, and the postal and billing addresses of your mobile plan.

Because this is intangible and abstract, it can be hard to grasp what this means for your privacy, which is why Melbourne University co-organised the ‘snitch hunt’.

Gen, a 12-year-old from Team Sherlock, told Hack how her team used the metadata.

“It was a lot easier than I expected,” she said.

“Basically what happened was we found the data that had the Google searches and the ones that corresponded with searches the whistleblower would use.

We then found the IP address they used with the Google searches and we linked the IP address to their email. We used the email to find their phone number and their address.”

Dr Suelette Dreyfus, a Melbourne Uni technology researcher and privacy expert who helped organise the ‘snitch hunt’ at the weekend, said she was “shocked, surprised and slightly horrified” by how quickly the teams found the whistleblower.

“It illustrates this data is easy to get – agencies don’t need to have a warrant,” she said.

You can have a go at the scenario here, using the analysis tools to try and find the whistleblower. Or read below for a step-by-step guide. (The screenshots aren’t of what people would have searched for in the scenario, but they are of the same kinds of searches).

Searching the metadata database

Searching the metadata database.

Step One: Search Google for suspicious searches

The scenario is about an employee at ‘Minecorp’ emailing confidential information to an investigative journalist at ‘MineWatch’.

You are a police data analyst who is told to identify and arrest the employee. “May I remind you the mines in Australia are all critical infrastructure, and those leaked docs cannot get into the wrong hands,” your boss tells you.

You can sift through four sets of information.

One set is a search query log that represents information that would be held by Google and other search engines about what their users have searched for.

Search query metadata

Search query metadata.

You can find the IP address of anyone who has searched for log for “MineWatch” (the news website) or “Anna Dupont” (the name of the journalist who wrote the story).

Through a combination of searches you can narrow it down to a few likely IP addresses.

Step Two: Link the IP address with an email address

Once you have the IP, you can also search the database for what email address has been using that IP.

Email metadata

Email metadata.

Step Three: Use email address to access address and phone number

Once you know the email, you can search the telcos’ customer list for a phone number and the billing and postal address. (When you activate a SIM card you have to provide photo ID with an address).

The email and phone metadata logs also contain information about who has emailed who, and who has phoned who, and when. These are kept by telcos and made available without a warrant to 22 agencies. You can now confirm an email was sent from the address to ‘anna@minewatch.org.au’.

Phone metadata

Phone metadata.

Step Four: Use phone number to get a recent location

The phone metadata also gives a record of where the suspected whistleblower has travelled. This is based on cell tower records.

You can use this to predict where they will be, and then intercept them to make an arrest.

Metadata isn’t only about knowing a person’s past movements, it also about predicting their future activities. That’s because most of us live according to routine. Once you know the pattern, it’s easy to work out where a person will be on a given day.

“There’s been research that’s shown nearly half of most people’s everyday activities follow a pretty regular pattern,” Dr Dreyfus said.

“You go to your university class every Tuesday or you go to your job every Monday morning or Mum’s house for dinner every Saturday night. Those patterns become a way of identifying people. One study that was done looked at the geolocation data points of more than a million people. It found that four space and time location points were all you needed to uniquely identify 95 per cent of people.”

In a graphic illustration of how this works, the US’s armed drone program identifies targets through their metadata. People are killed on the basis their metadata fits pattern of a terrorist. “We know former head of the National Security Agency said ‘We kill people based on metadata’,” Dr Dreyfus said.

Step Five: Find out who else has contacted the journalist

Using a graphing tool, you can interpret the metadata to understand relationships and social connections – you can use this to identify the journalist’s other sources.

In April, the AFP admitted it had sought access to a Guardian reporter’s metadata without a warrant in an attempt to hunt down his sources.

The Snitch Hunt used data analysis software that might be similar to that used by the AFP, Dr Dreyfus said.

Graphing phone calls

Graphing phone calls.

Gen, the 12-year-old from Team Sherlock, said she had expected it would be harder to find the whistleblower.

“It’s interesting how easy it is to find small pieces of data, and then linking them you can find out so much about a person.”

Her brother, Miles, 10, said that it was fun and his team beat half the adults.

The Snitch Hunt is co-sponsored by partners ThoughtWorks, CryptoParty Sydney, the Platypus Initiative, Hack for Privacy, Blueprint for Free Speech, Digital Rights Watch and Electronic Frontiers Australia.

Advertisements

Posted on December 15, 2016, in ConspiracyOz Posts. Bookmark the permalink. Leave a comment.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: