Digital trust, privacy and why metadata matters

By Kevin Shepherdson 

I was preparing to teach an advanced certificate course on digital records management when I came upon the topic of metadata – which simply means data about data – or the context around data (e.g. information about the authors and production processes of digital content and documents).

While metadata has many benefits, such as enabling easier access and retrieval of information, I couldn’t help but think of the implications to digital trust and online privacy if it is abused.

Metadata matters

Let’s say you use a messaging app such as WhatsApp or Messenger, these companies will not see the contents of your messages, as they are encrypted.

However, if they were to analyse the metadata of all your messages, they could determine whom you are close to and how often you communicate with them; they could learn the duration of your interaction, your social circles and where they are located.

All of this information can be monetised to feed the multi-billion-dollar online behavioural advertising industry.

The same approach could also be applied to your email messages when it comes to descriptive metadata relating to your contacts such as “From, To, Cc, Subject, and the timestamp”. Or if you were to call someone, the telephone number you entered, the time and duration of your call, and so forth, would all be recorded.

Now imagine if you were to attach a file in your messaging app or email and share it with your recipient. If it’s a document, there’s metadata relating to author tracking, document properties, comments and tracked changes (that may not have been deleted).

Or if it’s a photograph, there would be metadata relating to the date and time the photo was taken, where it was taken, the author, file name, content, themes that were included (in addition to other technical data relating to the camera and software used).

These could be metadata that you never intended to share. Yet the service providers and others you share the digital file with may be privy to it and able to infer information about you.

What about the weblinks shared in your chats, emails and social media that you click on?

A cookie (a text file that contains information about your device, which may even contain personal information) constantly tracks your online behaviour, serving you relevant advertisements based on an online profile created and collated by sophisticated adtech companies and platforms, which in turn serve multiple advertising agencies and advertisers.

Besides tracking you, metadata also causes you to leave a digital trail behind whenever you conduct any kind of online search. This means that the search engine provider or portal would know your likes and preferences.

So, the question is, can you trust the digital services available to you today?

Specifically, the online service providers that collect, use, disclose and store your personal information? Are they being transparent about what they really do with your data in the privacy notices they declare, the same ones that many of us do not bother to read?

Learn how good data governance can not only help you protect data in your organisation, but derive even greater value from it, by taking the modules of the Advanced Certificate in Data Governance Systems.

What is Digital Trust?

Digital trust is the confidence users have in the ability of people, technology and processes to create a secure digital world, one that also respects individuals’ right to privacy.

As technology advances and startups aggressively launch new products where their business models are built around leveraging data, user confidence may be eroded if such use of data is left unregulated.

The above examples involve what is called passive data – data collected and generated about you without you specifically providing it, being aware or even involved.

While the actual digital content you exchanged or shared might be kept confidential, metadata blatantly provides the contextual meaning of all your activities, often without your consent. You certainly wouldn’t want your smartwatch-cum-fitness tracker to track your heartbeat in your most intimate moments in the wee hours of the night and share that with relevant advertisers, would you?

As technologies progress in today’s post-pandemic world, how metadata is being used in digital services should be questioned by users and explained by the service providers if they want to be seen as trustworthy.

Think about applications using artificial intelligence, machine learning, and those in data science, with such data being mined to discover new insights and behavioural patterns.

Notice that we haven’t even talked about active data. This refers to the personal data you actively or voluntarily share for example, in an online application or feedback form.

Besides such personal data being hacked or leaked, we also read about how online service providers – shopping portals, mobile apps and SaaS – are excessively processing our personal information beyond their appropriate and necessary purposes.

Putting aside metadata, can you trust service providers to safeguard the personally identifiable information that you provide them with and that they will act ethically and responsibly while doing business with you? Digital trust matters, especially when it concerns your personal information – including the metadata that goes with it.

Look at data through an ethical lens and learn how to manage large streams of data by taking our Data Ethics and AI Governance Frameworks course.

Data protection is a key part of Digital Trust

That is the reason why there are data protection laws, such as the Personal Data Protection Act (PDPA) and the General Data Protection Regulation (EU GDPR) in Europe, that give us the right to control how our personal data is collected, used, disclosed and transferred, as well as stored or disposed of.

Whenever our personal data (including metadata) is being processed, we should reasonably expect transparency. We cannot stand to have our personal details being shared without our knowledge or consent.

For companies, it is not enough to pay lip service where adherence with the law is being handled mainly by the compliance department. Digital trust matters even more in today’s new normal and “surveillance” economy.

There needs to be operational compliance where companies demonstrate accountability – ownership, responsibility and providing evidence of compliance – if their digital services are to be trusted.

In the meantime, a lot still needs to be done by these organisations to gain the trust of their users. For users of digital services, the following quote from former US President Ronald Reagan provides the best advice: “Trust, but verify”.

For access to news updates, blog articles, videos, events and free resources, please register for a complimentary DPEX Network community membership, and log in at dpexnetwork.org.

Kevin Shepherdson is the author of “99 Privacy Breaches to be Aware of”. He is the CEO and Founder of Straits Interactive.