Tech & Rights

#MeAndMyRights: What Is Metadata & Why Should You Protect It?

Politicians arguing in favour of mass surveillance often make a distinction about the kind of information that they want to collect. They argue that just collecting our metadata, rather than content data, is fine. Let's look at that claim...

by Israel Butler

The word data, just means information. In the context of this series of #MeAndMyRights, it refers to information that is stored electronically. It could be stored in the databanks of an internet or phone company, or on a storage device like a hard drive or a USB stick that you might use at home or that are used by businesses and the authorities.

Content data refers to the actual content of your phone call, email or text messages. That is, the things you said in a phone call, or the video you made, if it was a video call or the words you wrote in an email or text message.

Metadata refers to information about your calls or emails, rather than what is in them. So things like the subject line of an email or text message, the name of the recipient, the time it was sent, the location you were when you sent it. Or for a phone call, the number you dialled or received the call from, where you were during the call and how long it lasted. Many of the apps (applications) on your smart phone also collect information about your location and this is also considered metadata, as well as the addresses of all the websites you have visited and the searches you have made using search engines on the internet.

Metadata says a lot about us

The reason you might hear politicians make a distinction between metadata and content data is because many governments want to collect our metadata. Politicians arguing in favour of mass surveillance often compare metadata to an address written on an envelope, and compare content data to the letter inside. They argue that the public should be OK with the government collecting our metadata because they won’t actually know what we are saying. Unfortunately, this is a very misleading analogy.

The thing is, metadata actually says a lot more about us, and much more quickly, than content data. If I could see your metadata collected over a few weeks I would be able to work out fairly quickly what your daily routine is. For example, when and where you tend to go for lunch, where you work, what time you arrive and leave, what you do after work (like collecting your children from school, going to the gym, going shopping). I would be able to work out your closest friends and colleagues because these would be the people with whom you have most frequent contact. And I would be able to work out what you’re talking about from the subject lines of emails. I would be able to see if you’re close to your family, by looking at how often you communicate with them. I would be able to work out your political and religious views by looking at the websites you visit. I would be able to work out your hobbies from what you buy and read online. If you’re communicating with a doctor, lawyer, your bank, a psychologist, a fertility clinic, or a marriage counsellor, I would also be able to work out that you were having family, health, legal or mental problems. Metadata allows someone to find out a lot about us without needing to spend time reading through our emails or watching videos of our conversations.

National laws plug the gap

Our governments actually passed a law through the European Union that required all internet and phone companies to collect and keep (retain) our metadata for a number of years. This law was called the Data Retention Directive. In 2014, the EU's Court of Justice decided this law was illegal because it invaded the privacy of everybody. It's not that the court said that police can't monitor a person. But there has to be evidence that the target in question might be doing something illegal. Governments aren't allowed to treat the general population like criminal suspects entitled to no privacy.

Instead of abolishing the practice of mass surveillance, most governments just decided to create their own national laws to plug the gap left when the Data Retention Directive was declared illegal. In 2016, the EU's Court of Justice decided on a second case, which said that these new national laws are also illegal. But this hasn't stopped several governments moving ahead with laws that allow mass surveillance, for example in the UK and the Netherlands. Sadly, the European Commission, which is supposed to make sure that national governments obey EU law, has said it is 'neither opposing, nor advocating' the creation of new national laws on data retention. Maybe the Commission thinks that mass surveillance is playing a valuable role in keeping us safe from terrorism. Unfortunately, all the evidence says that mass surveillance is useless at stopping terrorists. More on this soon.

If you’d like more in-depth information or would like to follow up on the evidence and studies we refer to, you can take a look at our full report ‘Security through Human Rights’ here.