It has been fascinating to watch the debate over metadata after it was revealed the U.S. government is obtaining records of apparently every phone call made in the United States. One of the things that always surprises me is the lack of imagination that people have for how even small amounts of data could be potentially used for larger purposes.
For example, I used to work at a company where I had a corporate credit card. Occasionally, the person in charge of administering that program would need to send a message about some change or another to everyone who had a company credit card.
And so every couple months I’d receive an email from that administrator which was CC’d to several hundred people who also had company credit cards. Everyone on that list was then in possession of a map of everyone with a corporate credit card–information no one on the list needed and therefore whose distribution would at best end up being mildly annoying and at worst could have been used by a clever employee for nefarious purposes.
I see this sort of thing all the time–organizations will go to great lengths to protect obvious (and fairly easy to protect) data, while leaving trails of data they don’t consider meaningful unprotected and ripe for exploitation.