Government sponsored organizations (GSOs), hackers and cybercriminals adversaries) use various tracking techniques to locate, identify and assess targets of interest. One widely used technique is traffic flow analysis (TFA).
Adversaries use TFA to gather metadata regarding communications between parties. In computer communications this metadata includes source addresses, destination addresses, source ports, destination ports, time of day, duration and the quantity of data or traffic flows in communication sessions. With these metadata, adversaries can infer the relationships, activities and identities of communicating parties.
Adversaries typically collect this information directly from carrier networking equipment or by surreptitiously placing monitoring equipment at key locations in networks (i.e. tapping). Prime tapping locations include the 24 or so major Internet Exchange Points (IXPs) around the world.