Metadata is often described as everything except the content of your communications. You can think of metadata as the digital equivalent of an envelope. Just like an envelope contains information about the sender, receiver, and destination of a message, so does metadata. Metadata is information about the digital communications you send and receive. Some examples of metadata include:
the subject line of your emails the length of your conversations the time frame in which a conversation took place your location when communicating (as well as with whom)
Historically, metadata has had less privacy protection under the law in some countries—including the U.S.—than the contents of communications. The police in many countries can obtain the records of who you called last month more easily, for instance, than they can arrange a wiretap of your phone line to hear what you’re actually saying.
Those who collect or demand access to metadata, such as governments or telecommunications companies, argue that the disclosure (and collection) of metadata is no big deal. Unfortunately, these claims are just not true. Even a tiny sample of metadata can provide an intimate lens into a person’s life. Let’s take a look at how revealing metadata can actually be to the governments and companies that collect it:
They know you rang a phone sex line at 2:24 am and spoke for 18 minutes. But they don't know what you talked about. They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret. They know you got an email from an HIV testing service, then called your doctor, then visited an HIV support group website in the same hour. But they don't know what was in the email or what you talked about on the phone. They know you received an email from a digital rights activist group with the subject line “Let’s Tell Congress: Stop SESTA/FOSTA” and then called your elected representative immediately after. But the content of those communications remains safe from government intrusion. They know you called a gynecologist, spoke for a half hour, and then called the local abortion clinic’s number later that day.
It can be difficult to protect your metadata from external collection because third parties often need metadata to successfully connect your communications. Just like a postal worker needs to be able to read the outside of an envelope in order to deliver your message, digital communications often need to be marked with source and destination. Mobile phone companies need to know roughly where your telephone is in order to route calls to it.
Services like Tor hope to limit the amount of metadata that is produced via common online communication methods. Until laws are updated to better deal with metadata, and the tools that minimize it become more widespread, the best thing you can do is to be aware of what metadata you transmit when you communicate, who can access that information, and how it might be used.