“We kill people based on metadata”
When justifying the ever-spreading reach of dragnet surveillance into of all aspects of our digital lives, governments are keen to stress that “only” metadata is collected, not the actual contents of communications. This, however, is a deliberately misleading distinction. As NSA General Counsel Stewart Baker has openly acknowledged,
‘Metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.’
Metadata includes stuff such as who you call, when you can, how often, and how long. Two researchers from Stanford University have demonstrated how dangerous even basic phone log metadata can be…
The researchers collected phone metadata belonging to 823 volunteers via an Android app. This app was also able to access the Facebook accounts of the volunteers, which the researchers used to verify the accuracy of their results.
They collected metadata relating to 250,000 phone calls and 1.2 million texts. Unlike the NSA, only data immediately relating to the volunteers (“1 hop”) was available. Until May last year the NSA was able to examine data from up to three hops away – that is, belonging not just to a target, but to anyone they contacted, plus anyone they contacted.
The researchers calculate that from just a single phone number, NSA analysts had access to metadata belonging to millions of people. New restrictions limit the NSA to 2 hops and an 18-month limit, but this still gives them access to the metadata of some 25,000 people from a single number!
- By performing basic analysis of volunteers’ phones, the researchers:
- Identified 82 percent of peoples’ names.
- Identified the names of business they had called.
- Approximated the volunteers’ addresses – this was calculated by plotting the businesses individuals contacted on a map. In 57 percent of cases the researchers correctly placed volunteers in the correct city, and in nearly 90 percent they correctly placed their home addresses within a 50-mile radius. Researcher Patrick Mutchler attributes at least some of the misses to people not updating their Facebook profile (or example when leaving home to go to university).
- Determined whether they were in a relationship with a significant other
- And if so, the name of the individual they were in a relationship with
When they delved even further, the researchers were able to determine that volunteers had contacted hospitals, pharmacies, religious groups, legal services, firearms retailers and repair firms, marijuana dispensaries, and sex establishments.
From such details, extraordinarily intimate vignettes of people’s lives could be drawn. It was easy to determine, for example, that one volunteer was a drugs user (thanks to series of calls to a lock shop, a hydroponics supplier, and a head shop in the space of three weeks). One volunteer was discovered to be pregnant, and another to suffer from multiple sclerosis.
Lessons about metadata
If two researchers using only the most basic phone metadata can discover so much personal information about individuals, what can an organisation such the NSA, with almost unlimited resources and the ability to collect metadata from emails and web browsing discover? As Mutchler notes,
“All of this should be taken as an indication of what is possible with two graduate students and limited resources. Large-scale metadata surveillance programs, like the NSA’s, will necessarily expose highly confidential information about ordinary citizens. To strike an appropriate balance between national security and civil liberties, future policymaking must be informed by input from relevant sciences.”
The lesson is clear – metadata is very dangerous, and for governments to suggest otherwise is a very deliberate misrepresentation of the highly disturbing facts…