Metadata and Madison

Nicholas Weaver
3 min readAug 26, 2015

Brian Krebs recently identified a significant party of interest in the Ashley-Madison case, “Thadeus Zu”, and located the associated Twitter account and FaceBook Profile (although the profile photos are bogus, as those are of model Rob Evans). Although there is no concrete evidence, there is significant circumstantial evidence in the deuszu Twitter feed (including the only posting of the hack source-code seen on twitter , an announcement of the data dump a day before Wired reported it, and a discussion of setting up replication servers just before the hack announcement, while playing Thunderstruck) suggesting this account’s involvement, almost certainly at the level of “probable cause” for getting warrants.

At this point, it may be a near-dead-end for public data, but law enforcement can take these profiles and obtain a significant amount of private information. Beyond simply obtaining a copy of the accounts themselves (including all direct messages), there are other items that law enforcement should ask for with the appropriate subpoena or search warrant, enough to create a detailed profile of Thadeus Zu.

Other identifiers: Both Twitter and Facebook may have other email address or phone numbers for Thadeus Zu on file, and the warrant should provide this information. In particular, either the Facebook or Twitter account may include a verified phone number. Both accounts are also rather old, so historical identifiers might also prove useful.

Historical login data: Thadeus Zu doesn’t appear to exclusively use the Tor browser, as seen in the many screenshots posted in his feed. Thus unless he was careful and always used a VPN, historical login data might find IP addresses he used to access both Twitter and Facebook.

The IP address and browser user-agent which posted each tweet: Many of the tweets themselves appear to be part of a conversation, but a conversation where there is no @-replies, making them seem disconnected. One possibility is that the account was used by multiple individuals. If this is the case, looking at the IPs for each tweet should disambiguate the conversation.

Historical friendship data: The other possibility for a conversation is a mutual-follower relationship. I checked the current follower graph to see if there was anyone he followed who also followed him, although I was unable to find a mutual conversation in the current graph. But this could simply be due to the relationship being no-longer current. Thus knowing who followed and unfollowed deuszu, and who he followed and unfollowed over time, may find another part of the conversation.

History from the Like and Tweet This Buttons: The Like button and related elements don’t just track a person when they click “like”, they also record the pageview even if the user does nothing. Thus a request for the IP address, time, browser user-agent, and referrer of every view of the Like or Tweet This button for Thadeus Zu will reconstruct a huge amount of his browsing history.

Chain to Google: But the analysis doesn’t need to stop with Facebook and Twitter. Start by examining the pageviews and select a representative set of unique pages which contain either DoubleClick advertisements or Google’s +1 button. Then submit a warrant to Google demanding the Google ID or “anonymous” tracking cookies also associated with those pageviews (identified by IP, time, user-agent, and referrer). Once these cookies are obtained, now demand the search history, email contents (if any), and page-view history for the newly identified Google accounts.

Cellphone Metadata: If the Twitter account included telephone verification, this provides a lead on Thadeus Zu’s cellphone. A subpoena or warrant for his call history (including tower location) provides a treasure trove of information.

Taken together, all this information should paint a fairly comprehensive picture of Thadeus Zu’s online activity, including what systems he uses (from both IP and user-agent), what pages he visits, what he searches for, and tons of other clues towards identifying the man behind Thadeus Zu.

Edited to ad: This is not to say that I actually like the idea that law enforcement can get this information. I find the amount of data collected by private companies overly and dangerously broad. And one of those dangers is that governments can demand this data.



Nicholas Weaver

Researcher: International Computer Science Institute & Lecturer @ UC Berkeley