In his January speech regarding the NSA’s surveillance activities, President Obama called for an end to the controversial metadata collection program “as it currently exists.” Vague as it is, that statement did signal that the administration would attempt to reshape the NSA’s activities for the better.
However, Obama’s statement didn’t make a crucial distinction: whether or not the US government still believes that metadata is anonymous, and thus not harmful to collect—whether bulk records are stored with the government, as is the case now, or with a third party, as an Obama-appointed review group suggested.
The reason the NSA was allowed to collect millions of phone records in bulk (and share them with agencies like the FBI) was the ruling that metadata is anonymous, and thus can be stored on servers without consequence to its owners until a suspect pops up. The only problem with that logic is that metadata is absolutely not anonymous at all.
In January, I wrote about the MetaPhone project being run by Jonathan Mayer and Patrick Mutchler of the Stanford Security Lab. Via an opt-in app, MetaPhone scrapes metadata from users’ phones, which the research duo then used to map user connections and, more importantly, put names to the phone numbers in users’ phones. The early results were simple: Adding a name to anonymous metadata is a Google away.
Yesterday, Mayer and Mutchler published an update, the result of further refinement of their metadata-identifying program, that hammers home just how concerning metadata connections can be.
“We’ve been able to build upon our prior work, so in that sense, we’ve been getting better at analyzing phone metadata,” Mayer said in an email. “We’re still just a pair of grad students, though.”
Their method for gleaning info is simple: They gathered 33,688 unique numbers from the call records of 546 study participants, and cross-referenced them with Yelp and Google Places. With that work alone, they were able to identify 6,107 (18 percent) of those numbers.
Those records included medical establishments, religious organizations, firearms retailers, adult establishments, weed dispensaries, and anything else you can think of. As the researchers write:
Participants had calls with Alcoholics Anonymous, gun stores, NARAL Pro-Choice, labor unions, divorce lawyers, sexually transmitted disease clinics, a Canadian import pharmacy, strip clubs, and much more. This was not a hypothetical parade of horribles. These were simple inferences, about real phone users, that could trivially be made on a large scale.
And by mapping those numbers with their frequency, they were able to infer incredibly detailed private information. For example, one study participant (or someone close to him or her) appears to be dealing with major health issues:
Participant A communicated with multiple local neurology groups, a specialty pharmacy, a rare condition management service, and a hotline for a pharmaceutical used solely to treat relapsing multiple sclerosis.
Another sounds like he or she is getting ready to start a new weed growing operation:
In a span of three weeks, Participant D contacted a home improvement store, locksmiths, a hydroponics dealer, and a head shop.
Remember, these inferences are solely based on phone metadata, which includes phone numbers and call time. Phone metadata is an extremely powerful tool—the NSA wouldn’t be so dedicated to collecting it if it wasn’t—and it absolutely, unequivocally isn’t anonymous. As the researchers write, it’s “unambiguously sensitive, even in a small population and over a short time window.”
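The cross-referencing and clustering described above can be reproduced at toy scale to gauge how exposed a retained call log is. This is an added example, not MetaPhone's code; the directory, call records, category labels and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a public business listing: number -> (name, category).
DIRECTORY = {
    "555-0101": ("Northside Neurology Group", "health"),
    "555-0102": ("Bayview Neurology Associates", "health"),
    "555-0103": ("Specialty Pharmacy Line", "health"),
    "555-0201": ("Corner Hardware", "retail"),
}
SENSITIVE = {"health"}  # assumed labels; a real audit would define its own

# Constructed call metadata: (participant, number dialed, date). No names, no content.
CALLS = [
    ("P1", "555-0101", "2014-02-03"), ("P1", "555-0102", "2014-02-10"),
    ("P1", "555-0103", "2014-02-12"), ("P1", "555-0999", "2014-02-13"),
    ("P2", "555-0201", "2014-02-01"), ("P2", "555-0103", "2014-02-08"),
    ("P2", "555-0998", "2014-02-20"),
    ("P3", "555-0997", "2014-02-05"), ("P3", "555-0201", "2014-02-06"),
]

def identified_fraction(calls, directory):
    """Share of unique dialed numbers that a plain directory lookup names."""
    numbers = {number for _, number, _ in calls}
    return len(numbers & directory.keys()) / len(numbers)

def sensitive_clusters(calls, directory, window_days=21, min_contacts=2):
    """Participants who reached >= min_contacts distinct listings of one
    sensitive category inside a sliding window of window_days."""
    by_key = defaultdict(list)
    for who, number, day in calls:
        entry = directory.get(number)
        if entry and entry[1] in SENSITIVE:
            when = datetime.strptime(day, "%Y-%m-%d")
            by_key[(who, entry[1])].append((when, entry[0]))
    findings = {}
    window = timedelta(days=window_days)
    for (who, category), hits in by_key.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            names = {name for when, name in hits[i:] if when - start <= window}
            if len(names) >= min_contacts:
                findings.setdefault(who, {})[category] = sorted(names)
                break
    return findings

if __name__ == "__main__":
    print(f"identified: {identified_fraction(CALLS, DIRECTORY):.0%}")
    print(sensitive_clusters(CALLS, DIRECTORY))
```

A single sensitive contact (P2) stays below the threshold, while a handful of related calls in under two weeks (P1) is enough to suggest a medical condition, which is why a "numbers only" log still has to be handled as sensitive data.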
I asked Mayer if there was anything he’s seen that people could do to limit the usability of their metadata. The answer was pretty simple: Unless you stop making calls, there’s nothing you can do. “Not really,” he said. “For all the advancement in information technology, Americans still live much of their lives by phone.”
The entire MetaPhone post is worth a read if you’re interested in the full results; they’re uniformly eye-opening. And remember, this is just a pair of researchers cross-referencing phone numbers with two directories. The NSA collects billions of public interactions to develop their social maps, which makes metadata even more sensitive.
If it’s clear that metadata isn’t anonymous, then the legal argument for its collection is no longer valid, which would make the NSA’s metadata programs illegal, as a federal review board found. Never mind the fact that the NSA collects hundreds of millions of texts a day and every other shocking headline; what’s truly stunning is that one of the NSA’s core programs is based on a complete falsehood.
“The NSA has offered a number of factual defenses for its phone metadata program—there’s only authority to look at a little, there aren’t names, it’s not sensitive,” Mayer said. “Our research has attempted to assess those factual claims with scientific rigor. They don’t appear to hold up.”