Legal and Social Affairs Division
This HillNote is the third in a series of four. (Also available in French: Métadonnées et organismes de sécurité nationale et d’application de la loi)
Just what can others learn about you from the metadata you generate? This will give you an idea:
- Landline telephone: who you’ve spoken to, when and for how long;
- Email: who, when and what type of content you email as well as information in the subject line;
- Surfing the web: the type of computer and browser you use, what websites you’ve visited, the pages that interested you, your login details (if you enable auto-fill), your previous interactions with a website (if you permit cookies and data caching), and (if you are using a mobile device) your geographic location to within a specific house or street;
- Uploading digital images: when and where photos were taken, the type of camera used and its settings at the time.
From a surveillance perspective, the content of what a person is saying may be less important than when, where and to whom he or she is saying it. Overall patterns of life, rendered through analysis of metadata (a practice known as “traffic analysis”), tell a richer tale than the particulars of any one conversation. People can brag or lie when they talk to others, but it is harder to hide an entire life.
For law enforcement, traffic analysis may point the way to each node of an online child pornography ring or spam operation, enabling search warrants to be issued and arrests made.
SIGINT: Traffic analysis on a massive scale
Signals intelligence (SIGINT) agencies perform traffic analysis on a massive scale to glean foreign intelligence from the global information infrastructure. Traffic analysis enables these “SIGINTers” to build a picture of social networks that terrorists use to recruit and to plan and execute attacks.
Along with this “big picture” intelligence, traffic analysis can generate intelligence that has immediate tactical value. Michael Hayden, former United States National Security Agency director, was serious when he said: “We kill people based on metadata.” In this context, real-time geolocation metadata is tantamount to targeting data for a drone attack.
Traffic analysis also lies at the heart of another national security and law enforcement preoccupation – cybersecurity. To characterize a cybersecurity event, one must interpret logged metadata. Network routers, firewalls, web and email servers, desktop computers and even hand-held devices are among the many potential sources of logged metadata.
Sophisticated attacks – those that aim to create an undetected presence on a specifically targeted system – are an analytical challenge for network defenders because they happen slowly and quietly. Attackers will typically try many different attack vectors (i.e., approaches) over weeks and months to defeat a victim organization’s security and infiltrate its system.
State agencies and criminal organizations often use specialists to perform each stage of an attack: reconnaissance, creation of one or more covert access points, data exfiltration and ongoing maintenance of the resulting covert access points.
Detecting these “advanced persistent threats” (APTs) requires traffic analysis combining current and historic metadata from many different sources inside and outside a targeted network. For example, some recent APT incidents entailed breaking into the targeted organization via links it had with less well-secured subcontractor networks.
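As an added illustration of what the traffic analysis described above looks like in practice on a defender's own logs (this is example code written for this note, not material from the HillNote or from any agency), the following script reads a small set of constructed connection records in a hypothetical key=value firewall-export format, builds the "who talked to whom, how often, how much" contact graph that analysts derive from metadata alone, and flags source/destination pairs whose connections recur at a near-constant interval, the slow, quiet check-in pattern that low-and-slow intrusions tend to leave behind. The addresses, timestamps, field names and thresholds are all constructed assumptions for the example.

```python
"""Traffic analysis over constructed connection-log metadata.

Added example (not from the HillNote). Log lines, hosts and addresses
are constructed for illustration; the format is a hypothetical
key=value firewall/proxy export.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample: one workstation checking in with an external host
# every ten minutes, mixed with ordinary browsing from other hosts.
SAMPLE_LOG = """\
2024-03-01T09:00:02Z src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=512
2024-03-01T09:01:10Z src=10.0.0.8 dst=198.51.100.20 dport=443 bytes=48213
2024-03-01T09:10:01Z src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=498
2024-03-01T09:13:44Z src=10.0.0.8 dst=198.51.100.21 dport=80 bytes=9031
2024-03-01T09:20:03Z src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=505
2024-03-01T09:27:15Z src=10.0.0.9 dst=198.51.100.20 dport=443 bytes=77120
2024-03-01T09:30:00Z src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=511
2024-03-01T09:40:02Z src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=501
2024-03-01T09:41:30Z src=10.0.0.8 dst=198.51.100.20 dport=443 bytes=1200
"""


def parse_log(text):
    """Parse key=value lines into dicts with a timezone-aware timestamp.
    Only metadata is read: these records carry no message content."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = int(value) if key in ("dport", "bytes") else value
        records.append(rec)
    return records


def contact_graph(records):
    """Who talked to whom, how often and how much: the 'pattern of life'
    view that traffic analysis builds from metadata alone."""
    graph = defaultdict(lambda: {"count": 0, "bytes": 0, "first": None, "last": None})
    for r in records:
        edge = graph[(r["src"], r["dst"])]
        edge["count"] += 1
        edge["bytes"] += r["bytes"]
        edge["first"] = r["ts"] if edge["first"] is None else min(edge["first"], r["ts"])
        edge["last"] = r["ts"] if edge["last"] is None else max(edge["last"], r["ts"])
    return dict(graph)


def find_beacons(records, min_connections=4, max_jitter=0.1):
    """Flag (src, dst) pairs whose connections recur at a near-constant
    interval, a check-in pattern worth an analyst's attention.
    The thresholds are illustrative assumptions, not tuned values."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    beacons = []
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: a small value means very regular timing.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append({"pair": pair, "interval_s": round(avg), "connections": len(times)})
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, dst), edge in contact_graph(recs).items():
        print(f"{src} -> {dst}: {edge['count']} connections, {edge['bytes']} bytes")
    for beacon in find_beacons(recs):
        print("possible beacon:", beacon)
```

On the constructed sample the contact graph shows five small, evenly spaced connections from 10.0.0.5 to 203.0.113.7 at a 600-second interval, while the larger, irregular transfers from the other hosts are not flagged. This is the point the note makes about metadata: nothing in the payload was inspected, and the regularity of the timing, not the content, is what stands out. Real deployments would combine such per-network records with historic baselines and external sources, as the text describes, before treating a flagged pair as anything more than a lead.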
“Botnets”: Networks of compromised computers
APT operations create a form of “botnet.” Botnets are networks of computers that have been compromised and transformed into remote-controlled “bots” (robots). End-users generally have no idea their machines have been compromised because they continue to function normally.
Botnets, which can comprise a few key computers on one or more networks or many thousands of Internet-connected computers worldwide, represent a multi-purpose covert infrastructure.
In the hands of foreign SIGINT agencies, botnets can be used to exfiltrate sensitive government data and corporate intellectual property. Or they can be left dormant until they are awakened by remote command and ordered to sabotage the systems where they reside.
In the hands of criminals, botnets are a means to deliver spam or to access valuable information, or they can be a commodity to be sold or leased (often to state agencies). They can also be a weapon. Criminals can, for example, harness botnets to coerce ransom payments, launching massive distributed denial of service attacks that direct an overwhelming flood of traffic to a company’s e‑commerce website, crippling it until payment is forthcoming.
Creating botnets on an industrial scale
Lured by the low risk and high pay-offs, state agencies and criminal organizations are creating botnets on an industrial scale, using them to steal data, extort funds, deliver spam and enable future sabotage.
Large-scale traffic analysis is required to detect, map and eliminate botnets. This, in turn, requires bulk collection of metadata by anyone who must defend a large network, including national security and law enforcement agencies.
Public discussion about the issue of bulk collection and analysis of metadata has tended to focus on whether its potential harms to privacy outweigh its utility in discovering terrorist networks. To be complete, however, the debate should consider the role of large-scale metadata collection and analysis in cybersecurity.
It should also lead to questions about the role of SIGINT agencies, law enforcement agencies and information technology providers in eliminating technical flaws in the global information infrastructure that attackers use to create botnets.