Jan 15, 2015 · 2 minutes

One might think an assortment of journalists, politicians, and military officers would know better than to trust an open WiFi network during a Swedish defense conference. One would also be wrong, as the Swedish Pirate Party's Gustav Nipe showed last week when he set up a network which monitored the sites the conference's attendees visited.

The stunt was used to protest wide-reaching surveillance programs from the National Security Agency and its Swedish counterpart, the National Defence Radio Establishment. Nipe claims that he's able to use little more than the websites visited by the conference's attendees to identify -- or at least come close to identifying -- who accessed his network.

I don't doubt it. Government claims that "only" collecting metadata (stuff describing a message like an email's sender, recipient, and subject line) instead of content (what that email actually said) have never stood up to criticism. As one study concluded last March:

At the outset of this study, we shared the same hypothesis as our computer science colleagues—we thought phone metadata could be very sensitive. We did not anticipate finding much evidence one way or the other, however, since the MetaPhone participant population is small and participants only provide a few months of phone activity on average.

We were wrong. We found that phone metadata is unambiguously sensitive, even in a small population and over a short time window. Turns out that knowing who someone's calling is often all that's required to make some conclusions about their intent. Like I noted in my report on the study, researchers saw that one participant called a “hotline for a pharmaceutical used solely to treat relapsing multiple sclerosis" and another "placed a series of calls to the local Planned Parenthood."

Nipe told Swedish media that conference attendees weren't always focused on whatever was happening around them: at least some of them monitored an online bidding war, and one searched for "forest hikes," which presumably had nothing to do with a presentation given during a conference about the national security apparatus and defense industries.

Those little snippets of information might seem innocuous, but if they can be used by a single activist to identify conference attendees who should know better than to trust open WiFi networks, what might intelligence agencies gathering much more data find out? If this experiment and the study I mentioned are any indicators, a whole lot, actually.

[illustration by Brad Jonas]