Since it's been the topic of many conversations I've had in the last 24 hours let's talk about metadata analysis and why it's so powerful, and what happens when you don't defend against it.
The crux of the power of metadata analysis is this:
You can have the best in-call encryption in the world, but I don't need to decrypt anything to understand the context of you calling a crisis hotline at 3 in the morning.
You can have the best in-call encryption in the world, but I don't need to decrypt anything to understand the context of you calling a crisis hotline at 3 in the morning.
The vast majority of modern day protocols create a whole bunch of metadata when they are deployed and used.
It used to be my job to understand how to collect & exploit this data.
It used to be my job to understand how to collect & exploit this data.
Mass surveillance systems run off metadata. Content collection/ analysis is fucking expensive, unless you are a high value target no one wants to be sitting around listening to your phone calls.
But social network analysis, call graphs & event logs are cheap & easy to exploit.
But social network analysis, call graphs & event logs are cheap & easy to exploit.
Metadata comes in all shape and forms, but some common categories are:
Who are you communicating with?
When are you communicating?
How are you communicating?
Who are you communicating with?
When are you communicating?
How are you communicating?
With just those 3 pieces of info you can infer a whole lot about the What and the Why you are communicating:
6pm call to pizza store.
11pm video stream from pornhub
7am call to a doctors office
6pm call to pizza store.
11pm video stream from pornhub
7am call to a doctors office
End to end encryption is great and necessary, but very few systems in deployment today do much to protect against mass surveillance systems hoovering up communication flows.
While such analysis might be beyond the reach of local law enforcement, intelligence agencies have being doing this kind of collection for decades, and the capabilities filter down.
The communities most impacted by this kind of metadata analysis are often the most marginalized - when you introduce new protocols that fail to account for metadata resistance they are the ones that will feel the brunt of that neglect.
Metadata resistance is a really hard problem. There are only really 2 tools out there right now that provide that capability in a meaningful way: ricochet.im and @BriarApp
@OpenPriv Our aim with cwtch is to eventually shift the conversation from "how do we do metadata resistance" to "time to build a metadata resistant dating/personals/healthcare/wahetver app"
@OpenPriv Building a surveillance-resistant and censorship-resistant web means building a metadata-resistant one too.
