Why Logging Metadata is Bad
TL/DR: Logging Metadata is bad because it compromises your security and privacy.
Logging any kind of data, either directly or just metadata will always compromise security and privacy as it allows a person to be identified as well as their usage.
For example, if a VPN company logs metadata this means they will log:
What country you connected from
Amount of data transferred per day
Which app you are using (which also reveals OS)
Which version of the app you are using
Imagine this (hypothetical) scenario:
- A customer wants to download a copyrighted file.
- A customer can connect to their VPN (which logs metadata) and then the customer downloads a file that is exactly 3,215MB.
- Law enforcement requests the logs from the logging VPN
- The VPN company responds to Law Enforcement with;
"The customer in question connected to our VPN on that day, from his home connection in America, through his ISP Comcast, and he transferred 3,312MB that day, and his email address is [email protected]".
- Law Enforcement then contacts Google a requests his info.
- Google check their records and on that day, they also connected to Gmail and transferred 53MB in total.
- Law Enforcement also sees an email from his Facebook account, so they request that data and learn that the customer transferred 44MB of data on that day.
So, now Law Enforcement knows that the suspect used a VPN that day, and transferred 3,312MB, with 97MB going to Gmail and Facebook, which leaves 3,215MB of transfers - the size of the movie in question.
The metadata logs from the VPN Provider show he was a Comcast user which is factual.
The metadata logs from the VPN Provider show that the copyrighted file was downloaded by someone with an IP in Uruguay belonging to the VPN Provider.
The customer has now been identified through the use of metadata logs which were used to circumvent the security and privacy of the user.