Opinion: infer ad Infinitum


Danfox Davies / Southampton / 15.1.2016


“A wise man knows that confidentiality equals profit” - The 30th Ferengi Rule of Acquisition, Star Trek: Deep Space Nine


In the last few years, corporate and governmental attitudes to the collection, handling and profitability of our personal data and, in circumvention of protections for our data, of our metadata, have been laid bare as leak after leak, document after document, terms, conditions and policies, legislation and opinions have been updated, released, scrutinised and imposed. Often, we as members of the common people, the public, individuals of the Great Unwashed Masses, find ourselves having to fight tooth and claw to protect our explicit personal details from exploitation by all sorts of nebulous and potentially nefarious distant entities, corporate and governmental alike, whilst at the same time being rebuffed as unworthy to know what these same entities plan to do with our data, because that information is 'confidential'. This is not a uniform situation; sometimes we have more privacy and/or success in obtaining information about our data's fate than others, but the overall picture is not good, and the trend is worsening.


There are false distinctions drawn frequently by the Powers That Be which perpetuate this scenario. The first is that a corporate or governmental entity somehow has more entitlement to privacy and confidentiality than an individual person does, even when this pertains to the handling of individuals' information; and the second is that metadata is somehow free of the risks associated with the data itself/themselves (delete according to your level of pedantry).


STOP. How is either of those distinctions in any way beneficial to society, or anything other than short-sighted profit and the retention of power? Inference is not to be ignored. Since intelligence agencies do not care if the inferred information is true, as truth is not their main motivation (boosting the numbers to reach their paycheck target quotas is), they have every reason to prefer metadata for giving them an easier job, with no burden of strong proof attached.


With metadata, you can bullshit anyone into any court for anything.


Metadata is by no means the sanitised, harmless, data-less data they want you to think it is. Metadata is non-specific, it is hand-wavy. It provides a million loopholes of wriggle room just by its very nature. But that does not keep it from being used to infer you were involved in something. It just keeps you from having the right to know why, because no-one's going to own up to what a bodge any investigation of it is. Laws that prevent access to specific details but allow access to metadata can be used as excuses. Big Brother flails dangerously with a blindfold on one of his many eyes, and tries to persuade you that this is why you should let him see.


I will now attempt to prove that metadata matters, simply by writing and publishing the following true story in the context of this article (assuming the intended audiences ever all read it).


A few years ago a certain legal person had employment at a certain corporation which provided technical support call centre services for several large companies around the world, making money both from a small surcharge on the incoming calls for support, and from the sale of data about the problems that callers had with the products these companies sold, both to these companies and on the wider markets. Ostensibly, these data were anonymised before being sold, essentially by removing customer names and addresses. Other information, such as the make and model of the devices being called about, and the details of the problems had with the devices, along with any and all other notes saved in the database, was sold. These data were referred to on occasion as 'metadata' or as 'anonymised data' and little was explained in corporate training to the employees whose job it was to collect these data, other than to assure them that they could assure the customers that their data were safe. Most of the employees in the call centre were the sorts of people with low aspirations in life, or who were there temporarily as an obvious means to an end, to get some money to go launch careers elsewhere or get into university. These employees largely had no real interest in or knowledge of the way that the corporation functioned beyond their day-to-day jobs.

However, the legal person mentioned here felt that something was not quite right. They saw that the software used for the database was Lotus Notes, which is no longer supported or updated by any official provider or even community of open source developers. It was long since outdated proprietary software. They also saw that the IT department of the company, with members of which they occasionally conversed, was attempting to reverse-engineer this software in order to fix a couple of mission-critical bugs just to maintain basic database functionality (a bare minimum sort of thing), purely for internal use. They noticed this gradually taking place over the course of a couple of years, and they changed their job to part-time to focus on studies. The corporation was taken over by a larger corporation famous for photocopying supplies and equipment. With far more layers of management above their head, the legal person mentioned realised that this would have the effect of rendering a bad situation worse. New, irrelevant training materials started showing up, and ineffective incentives were circulated which were lost on the call centre staff. Importantly, any talk of upgrades to software was kicked into the long grass, as it would take years of time to merge into the larger corporation's existing structures of management before any technological decisions would begin again to be made.

It was summer and the legal person mentioned here handed in their notice to the firm, and only had a few weekends to work. They had a moment on lunch break one day to read up a bit about the (at the time fresh) revelations from Edward Snowden, and a trail of links and thinking led to an article from 1997 about Lotus Notes, showing that a big backdoor had been left in its encryption by the NSA, and this had been revealed publicly at that time. A new (and final?) version of Lotus Notes, an update, had been released in 2001. It was noted in comments made at the time by technical users that nothing had been done to close this loophole, which allowed full access to the database BEFORE any 'anonymisation' efforts were made.

The legal person herein mentioned then went straight to their team leader, and requested an emergency meeting. This meeting was held and the team leader agreed that this was big and needed to be taken to the top, and they would contact the person when any news came of that. Of course, the top was no longer the top and the corporate takeover was still in full swing. Halfway through the week that followed, the legal person, who at the time lived in a flat over a shop and had no garden, received a phone call. “I've heard back from the higher management and this did reach the CEO [of the original company, not the bigger one that took over]. They said you should take the remaining time until you leave us off on paid Gardening Leave.” TL;DR: STFU and GTFO.

What a mature response from a corporation that cares about its customers' privacy and professes to uphold a strong Corporate and Social Responsibility to respect everyone, people and planet before profit and all. Sorry, let me wipe that oozing sarcasm off there.


The above true story, for a start, shows the importance of gathering evidence and making sure it is sequestered at home and elsewhere too before even taking internal actions. The legal person mentioned here did not do that, lacking the time and forethought. However, this need not consign the telling of this story to the realm of conjectures and conspiracy theories. It still serves as a general warning, relatable as it is in its 'anonymised' form to so many corporations and employees out there.


There is a danger, of course, which is embodied in this 'anonymisation', that freedom of speech has been compromised here. As a blogger or political journalist, if I reveal the names of the persons or corporations involved, I or my source am/is liable to be sued, and this is something I cannot afford and nor can my source. However, 'anonymisation' in this case only serves to further my point.


If that corporation or anyone claiming to represent or be linked to it decides to sue me or my source, they will simultaneously prove that metadata inference matters, thus destroying their claims of anonymised data being safe and so prove that they were lying to their customers and clients about how safe their systems were, because why would inference matter if they had proof that intelligence agencies were not intercepting or accessing these metadata?


If they do not sue me or my source for this, they are happy that we can do them no harm through my inferable metadata magazine article/true story and thus presumably do not mind if I tell the world's technical support line callers that their data is NOT SAFE and is stored in outdated database software with intelligence-agency-inserted security holes that have been known about for DECADES. Since customers are not allowed by that corporation to know which of their technology companies use which corporation's call centres, we have to assume that all are as bad as the weakest link in the chain of companies in this category. If you are from such a corporation and want to see heads roll over this, and KNOW for a FACT that your company is not the one mentioned here, turn your attention sideways to your competitors and hold them to account. It's a 'self-policing' industry out there, or will be by the time TTIP and TPP and CISA pass.


So if you call for help with a gadget, be sure to think first about how you will avoid the misuse of your data whilst still utilising the warranty, which needs a name and address for the jiffy bag to be sent out to you. Be sure to think about why these companies refuse you physical access to their repair centres to drop things off or pick them up in person. Postage and packaging is not convenient for you, so who is it convenient for?


Remember that the security hole described allows access to the database BEFORE 'anonymisation'. Remember that even after 'anonymisation', plenty of information about you, which can be used to track you and your data-carrying devices, is still out there on the open market.


Thank you for calling technical support, have a lovely day. (The boss of the company will, with their collection of supercars - and that's before the takeover payoff).