
Why should we care about metadata as both individuals and developers?



Metadata is often described as details/information about data. Imagine that you are using WhatsApp/Signal or this kind of application to chat; hmm, it's end-to-end encrypted. You won't have to worry about the content being seen by a third party or middleman, but rather, you have to worry about something called metadata. Your contacts, your chatting duration, when you chat with your friends, what your contacts are mostly made up of (is it mostly normies? is it mostly serious contacts like insurance or bankers?). What is your gender? What is your real-life/online name? What kind of product category do you like to buy the most? Is it gaming? Is it cooking stuff? See? I don't even need to know your chat content, as most of the metadata I collected is enough for me to describe who you are, what your behavior is, and what your likes and dislikes are. These are critical and sensitive pieces of personal information that could be leaked through metadata collection and analysis.
 
Now think about the potential metadata held by the services we use, such as Firebase or Microsoft SQL (on their servers, not counting SQL installed on your own VPS). Given only the metadata of the database (database names, table names, column names), I can simply work out what kind of system you are trying to develop. If your database is worth breaking into or hacking, then pretty much you are the one whose database I will hack or break into, which can then indirectly cause a huge, unstoppable data leak.
 
Possible potential ways to stop it

There are no known effective ways to stop this in my opinion. The only way to stop it is to try to confuse people by using random and nonsensical, non-password-like, randomly generated ASCII characters when you come up with a database name and its corresponding database metadata. This way, if they don't have access to your system's code, they can't possibly know whether it is worth breaking into or hacking your database.
Edited by chrono_legionnaire
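
As an added example that is not part of the original post: a short Python sketch of the point made above, building a behavioural profile from who-talked-to-whom-and-when records with no message content at all. The records, contact labels, category mapping and the 10-minute session gap are all constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, contact) envelopes only, no message content.
ENVELOPES = [
    ("2024-03-04T21:00", "friend_a"), ("2024-03-04T21:04", "friend_a"),
    ("2024-03-04T21:09", "friend_a"), ("2024-03-05T09:15", "insurer"),
    ("2024-03-05T21:30", "friend_a"), ("2024-03-05T21:41", "friend_a"),
    ("2024-03-06T21:10", "game_shop"), ("2024-03-06T21:12", "game_shop"),
    ("2024-03-07T13:00", "friend_b"),
]
# Constructed labels: what a directory or address-book lookup would add.
CONTACT_CATEGORY = {"friend_a": "personal", "friend_b": "personal",
                    "insurer": "finance", "game_shop": "gaming"}
SESSION_GAP = timedelta(minutes=10)  # assumed: longer silence ends a chat session


def minutes(delta):
    return int(delta.total_seconds() // 60)


def profile(envelopes, categories, gap=SESSION_GAP):
    """Derive a behavioural profile from who/when records alone."""
    events = sorted((datetime.fromisoformat(ts), c) for ts, c in envelopes)
    by_contact = defaultdict(list)
    for t, c in events:
        by_contact[c].append(t)
    chat_minutes = {}
    for c, times in by_contact.items():
        total, start, prev = 0, times[0], times[0]
        for t in times[1:]:
            if t - prev > gap:          # silence: close the current session
                total += minutes(prev - start)
                start = t
            prev = t
        chat_minutes[c] = total + minutes(prev - start)
    return {
        "top_contact": Counter(c for _, c in events).most_common(1)[0][0],
        "category_share": dict(Counter(categories.get(c, "unknown") for _, c in events)),
        "peak_hour": Counter(t.hour for t, _ in events).most_common(1)[0][0],
        "chat_minutes": chat_minutes,
    }


if __name__ == "__main__":
    for key, value in profile(ENVELOPES, CONTACT_CATEGORY).items():
        print(f"{key}: {value}")
```

Running the same function over your own application's logs is a quick way to see which stored fields (timestamps, recipient IDs, session boundaries) are worth minimising or truncating.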

That's why some companies spend a lot of money to maintain offline systems, which do not connect to a network, to handle sensitive data.

Another solution is to use an internal database with encryption, with users only permitted to access it via a middle way / stored procedures, with 'content level' permission.

🙂

 


P/S: once you upload data to the Internet, you are facing the risk of data leaking.

Companies who are concerned about data security will set up their own servers, with access only via VPN.

Only non-critical / non-core secret services are on the cloud.

 

🙂

 


Indeed it is... but they are still prone to insider attacks, aren't they? Assuming that nothing will go wrong just by asking the staff to sign an NDA (Non-Disclosure Agreement) is naive in my opinion. The best system design, even for an SMB/SME and even though it's offline, is to assume that everything can go wrong; signing an NDA wouldn't help. It's also naive in my opinion to try to fully prevent insider attacks from happening; that's why partially reducing or preventing them is good enough in my opinion.

This is also the reason why things like endpoint encryption, endpoint storage, end-to-end encryption, and prevention of MFA and metadata from being collected play a crucial part in maximizing damage reduction after a data leak/breach. I wouldn't want to stop data leakage/breaches, as they're deemed to happen; the best is to provide security and privacy even after data leakage happens.

But doing so means it's anti-big-data or anti-data-analyst. How many companies/corporations will do that? The honest answer will be not many, as it violates their rights to earn money through analyzing that collected user data (be it with consent or without consent). It seems funny to me that pretty much all major research funding goes into centralized security rather than decentralized security (each has pros and cons).


I feel like it is an intrusion into my privacy whenever those data analysts study my behavior through this metadata.

They claim to use it for better personalization (of ads, news feeds, search suggestions, etc.) but I am well aware that they might use this metadata or information against me, in the event that the authorities request it.

Edited by FlierMate