November 25, 2021




Tags: Cybersecurity, metadata, privacy


Categories: Cybersecurity, Privacy, Technology

For investigations, metadata is enough. Uphold privacy

Intelligence agencies, around the world, collect enormous amounts of data on individuals on grounds of national security. They also plead for laws to access the content of encrypted messages between individuals on social media — a demand social media companies are uncomfortable with.

We believe there is a strong case for analysing metadata better, which can give valuable leads in investigation. Active collaboration on the part of law enforcement agencies and corporates in studying metadata closely will render crucial leads in investigation.

While the pedantic definition of metadata is data about data, the practitioner’s definition is activity records. Location data from cellular phones, call data records, messaging records, IP addresses logged by various service providers, and device identifiers such as manufacturer name, model, activation date, connection duration are all examples of metadata.

Consider the recent example of how metadata analysis alone was sufficient to trace and investigate the January 6 insurrectionists in the United States (US) capitol. The attackers disrupted a joint session of the US Congress, which was convened to affirm the presidential election results — leading to five deaths and damage to the building.

The first step in investigating the insurrectionists was to get the list of phone numbers active during the period from the mobile telecom providers. While location records of cell phones are already accurate to a city block level (a grid of approximately 120×120 metres), these were then enhanced by serving warrants to intermediaries such as Google, Facebook, and Snapchat, which were used to post images/videos by the attackers, to provide even accurate data within a range of 10 metres radius (accurate 68% of the time).

By looking back in time, regular employees and others who often visited the Capitol were eliminated. Burner phones, which were activated only a few hours before the incident, were easy to identify, as they had a unique signature when it comes to call records — where often the leader of a gang activates other members, by either calling them or messaging them through coded words. This allowed identifying members who made conscious efforts to hide their identity, thus establishing prior intent.

These patterns are typically good enough to convince a judge to issue a search warrant for further seizures and smartphone records, which then allows a more specific targeted investigation.

Metadata analysis thus allows investigators to establish probable cause via technical analysis, and then tighten it further by obtaining more evidence to file charge-sheets and obtain convictions. While a particular suspect may refuse to unlock his device to avoid self-incrimination, it still allows investigators to establish a prima facie case, based on behavioural patterns and detecting anomalies.

The power of metadata was recognised by the Supreme Court (SC) in the Aadhaar case, when it ruled that the Unique Identification Authority of India (UIDAI) and other authenticating entities can’t store authentication records (metadata) for more than six months, from an earlier limit of seven years. This was due to an incident that happened during the hearing. The then UIDAI chief submitted his authentication records to the court, claiming it has no adverse privacy implications and within hours, enough information was decoded about his life patterns with these records. The court did not fully stop the collection and storing of metadata as it also helps in fraud detection — implying perhaps that in view of proportionality, it is preferable to having actual data.

The traceability clause introduced by the Information Technology Rules, 2021, is all about metadata. But why did WhatsApp go to court challenging it? It turns out that the clause envisaged a technical implementation, which required metadata to be embedded within the data (content of the message), thus making both data and metadata one and the same. This was a clear no-no in terms of not only technical architecture, but also a violation of proportionality, as laid out in the SC (Puttaswamy) judgment.

But do service providers, including messaging applications, share metadata with intelligence agencies and law enforcement in India? They clearly do, but the State has technical capability issues when it comes to the usage of metadata analysis to investigate and obtain convictions. This deficiency leads it to not only pass laws that demand mixing up of data and metadata, but also resorts to other cruder methods. For instance, the Hyderabad police asked commuters to unlock their mobile devices randomly, to check for WhatsApp chats for key words related to narcotics. These methods are not just constitutionally impermissible, but also vitiate the investigation and sully the name of the agencies involved, since they fall apart in court because of procedural violations, apart from being ineffective tools in investigation.

In an increasingly digitised and interconnected world, no possibility of surveillance reforms exists until the technical dimension is debated and understood by all actors including civil society, the judiciary, the executive, and Parliament. Encryption must not be tinkered with, since metadata has much to provide that is yet unexplored.

(This article was published in Hindustan Times)