The metadata trap
The layer of data revealing your life
What is metadata, and why does it matter?
Every text, location check-in, or blockchain transaction leaves behind a trail of metadata — data about your data. It doesn’t need to show content to expose who you are. It can reveal who you talk to, when, where, and how often, building a clear picture of your life. For example, a photo of you in a white room reveals little until the metadata tells where it was taken, when, and with what device.

Key findings from the Nym report
Metadata is easy to collect
Metadata collection is cheaper, faster, and easier than spying on actual content
Daily apps leak our information
Fitness apps like Strava can unintentionally reveal sensitive locations and user routines
Metadata undermines our privacy
Activists and journalists are especially at risk from metadata-driven tracking
Metadata deanonymizes crypto
Blockchain metadata can link wallet addresses to real-world identities.
AI accelerates metadata surveillance
AI systems now automate targeting based on metadata, with lethal results
Metadata collection is easier than content surveillance
Content surveillance is expensive and often encrypted. Metadata isn’t. Intelligence agencies have long favored metadata surveillance because it sidesteps many legal safeguards applied to content.
Programs like the NSA’s PRISM and Stellar Wind collected bulk metadata (including phone records, IP logs, and email headers) without warrants. Unlike full wiretaps, metadata taps could be authorized under looser standards like the third-party doctrine, which assumes users forfeit privacy when they share metadata with service providers.
Even after the 2015 USA FREEDOM Act curtailed the NSA’s domestic bulk collection under Section 215, surveillance didn’t stop — it just changed form. In 2024, U.S. Senator Ron Wyden revealed that the NSA now routinely purchases metadata from commercial data brokers. These purchases include Americans' browsing histories and telecom data, obtained without user consent or judicial oversight.
Strava: The fitness app that revealed secret bases
The heatmaps of a fitness tracker have exposed people’s exercise routines and military bases. Even anonymized fitness metadata can reveal private details when combined with public location info.
Strava, a popular fitness app, collects vast amounts of GPS metadata to track users’ exercise routes. In 2017, the company published a global heatmap based on three trillion GPS points. Analysts quickly discovered that this map unintentionally revealed the layouts of U.S., Russian, and Turkish military bases in conflict zones, such as Syria and Afghanistan. Even though no personal data was exposed directly, the aggregated metadata revealed patrol routes, base perimeters, and operational zones.
More recently, in 2022, journalists from Le Monde showed how Strava’s social features could be weaponized. By creating fake running routes near Israeli military bases, they triggered Strava’s “nearby athlete” function and scraped metadata from exposed profiles. This allowed them to identify Israeli soldiers, track their routines, and even observe their off-base movements in civilian life.
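Why aggregation alone did not anonymize the 2017 heatmap, shown as an added example that is not Strava's code. The grid size, the sample points and the distinct-user threshold `k` are assumptions constructed for illustration; publishing a cell only when at least `k` different users contributed to it is one common mitigation.

```python
from collections import defaultdict

CELL_DEG = 0.001  # assumed grid cell size in degrees (roughly 100 m of latitude)

def cell_of(lat, lon):
    """Map a GPS point to its grid cell."""
    return (round(lat / CELL_DEG), round(lon / CELL_DEG))

def build_heatmap(points, k=1):
    """points: iterable of (user_id, lat, lon) with no names attached.
    Returns {cell: point_count}, publishing a cell only if at least
    k distinct users contributed to it (k=1 publishes everything)."""
    hits = defaultdict(int)
    users = defaultdict(set)
    for user, lat, lon in points:
        cell = cell_of(lat, lon)
        hits[cell] += 1
        users[cell].add(user)
    return {c: n for c, n in hits.items() if len(users[c]) >= k}

# Constructed sample: 30 different users cross one busy city cell once,
# while 2 users run 20 laps along the same 4 cells in an empty region.
CITY = [(f"u{i}", 48.850, 2.350) for i in range(30)]
REMOTE = [(u, 10.000 + 0.001 * step, 20.000)
          for u in ("a", "b") for lap in range(20) for step in range(4)]

if __name__ == "__main__":
    raw = build_heatmap(CITY + REMOTE)             # what a plain heatmap shows
    safer = build_heatmap(CITY + REMOTE, k=10)     # sparse cells suppressed
    print(len(raw), "cells published without a threshold")
    print(len(safer), "cells published with k=10")
```

In the unthresholded map the two-user route is brighter (40 points per cell) than the city cell (30 points), which is how a repeated path in an otherwise empty area stands out. A threshold only helps while fewer than `k` people use the location.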
TraceTogether: How a COVID app was used for surveillance
In Singapore, the TraceTogether app, meant for COVID-19 tracing, was later repurposed for criminal investigations. It’s a cautionary tale of how quickly metadata can be weaponized.
Singapore’s TraceTogether app, launched during the COVID-19 pandemic, used a Bluetooth-based protocol called BlueTrace to anonymously log close contacts between users. While the app promised privacy through rotating IDs and centralized contact storage, it was later revealed that law enforcement had access to the system. In 2021, Singapore’s Minister of Home Affairs admitted that police had used TraceTogether data in at least one criminal investigation, including a murder case.
This revelation contradicted earlier government assurances that the data would be used exclusively for public health. Although users were required to provide personal details to activate the app, the assumption of anonymity led many to adopt it, only to learn later that the central authority could deanonymize their metadata.
Blockchain: Not as private as you think
Even pseudonymous transactions leave metadata behind. Forensics firms use transaction patterns, IP leaks, and network analysis to tie wallets back to real identities.
While Bitcoin is often seen as private, its public ledger records every transaction, creating a rich source of metadata. Forensic tools like Chainalysis and Bitquery track transaction patterns, IP leaks, and wallet behavior to link pseudonymous addresses to real identities. Law enforcement uses them to investigate fraud and money laundering. But these same tools can also expose the identities of whistleblowers, activists, or anyone relying on Bitcoin for privacy.
Academic research shows that only a few metadata points are needed to deanonymize users. In one case, researchers identified individuals by correlating Bitcoin transactions with IP addresses and wallet reuse patterns. Additional vulnerabilities arise from network-level metadata: if a user’s wallet connects to a known set of entry nodes or leaks IP information during a broadcast, they can be identified even without name-based identifiers. This breaks the common assumption that using new wallet addresses provides true anonymity.
AI is now powering metadata-based targeting
AI accelerates metadata analysis, helping governments and private actors identify, profile, and target individuals faster than ever. Israel’s surveillance exports offer a glimpse of what’s possible and what’s already happening.
In Gaza, Israel has reportedly deployed AI systems like Lavender and The Gospel to automate military decision-making based on metadata. Lavender processes phone records, geolocation data, and social graphs to identify individuals associated with Hamas. According to +972 Magazine, the system can autonomously generate strike targets with minimal human oversight, often using metadata like call patterns or cell tower connections rather than confirmed intelligence.
The Gospel, another metadata-based tool, is used to decide which buildings to target, using heatmaps built from mobile phone data to estimate civilian presence. Critics, including Human Rights Watch and UN experts, warn that this kind of automation lowers the threshold for deadly force. When metadata is used without full context or the nuance of human intelligence, mistakes are easy, and the consequences can be fatal.
How to protect your metadata
Encrypted messengers
Use end-to-end encrypted apps that limit metadata retention
Decentralized VPNs
Mask your digital trail with privacy-first VPNs and browsers
Disable app tracking
Disable unnecessary location and sensor tracking
Be vigilant
Think before you share — metadata reveals more than you think