Sophos Cloud Optix
Following Edward Snowden’s revelations about surveillance, officials have downplayed its programs as being concerned not with the actual content of email or phone calls, but “just” with collecting metadata, as if metadata didn’t reveal just about as much about us as does the content itself.
Metadata, when it comes to phone communications, includes who we call or text, who they contact (that’s called a “hop”), when we call or text, and the duration of each call or length of each message.
Since the surveillance revelations, there have been various studies about how much can be gleaned about us from metadata. The answer: a lot.
Now, researchers at Stanford University in the US have done another study, and their findings confirm that basic, supposedly anonymous phone logs can be used to glean people’s names, where they live, their partners’ names, and intimate personal details.
A sample of the researchers’ vignettes show the type of things they managed to infer:
- Somebody’s planning to grow weed. Within less than 3 weeks, the subject made calls to a hardware outlet, locksmiths, a hydroponics store, and a head shop.
- Somebody’s got heart problems. The evidence included a long call from the cardiology group at a regional medical center, brief calls with a medical laboratory, several short calls from a local drugstore, and brief calls to a self-reporting hotline for a cardiac arrhythmia monitoring device.
- Somebody’s pregnant. Early one morning, the subject was on the phone with her sister for a long time. Two days later, she called a nearby Planned Parenthood clinic several times. Two weeks later, she placed more brief calls to Planned Parenthood, and she placed another short call a month after.
The study involved 823 participants who volunteered to have their metadata collected via an Android app on their phones. The researchers also required participants to have a Facebook account, so as to verify that they were over the age of 18, as well as to verify the accuracy of their results.
Using the default Android API (application program interface), the app collected call and text metadata logs that showed when the call or text was made, whether messages were incoming or outgoing, the other phone number on the call or text message, and the duration of the call or length (in characters) of the text message.
From Facebook, the researchers collected personal information to be used as “ground truth” data for their prediction algorithms. That included gender, relationship status, political leanings, religious affiliation, occupation, current city, check-ins, and interests.
Using the crowdsourced telephone logs and social network information, the researchers said that they found telephone metadata to be “densely interconnected, susceptible to reidentification, and [that it] enables highly sensitive inferences.”
As such, it kicks the stool out from under the US government’s laissez-faire approach to protecting metadata, they said. Whereas disclosure of content requires law enforcement or intelligence agencies to comply with “extensive substantive and procedural safeguards,” telephone calling records can be had with a mere subpoena: basically, a formal letter from an investigative agency.
The National Security Agency (NSA) had been collecting phone records of millions of Americans until the program was brought to a close by the November 2015 passage of the USA Freedom Act.
The records were supposed to be purged three months later. But that doesn’t mean the data’s actually gone anywhere.
As the Washington Post noted in November, civil litigation brought over the surveillance program may have meant that some or all of the records would have been retained for discovery purposes.
At any rate, the Stanford study has confirmed what the NSA has known for a while: metadata is a treasure trove about individuals’ private lives.
Stewart Baker, NSA former general counsel, in the aftermath of Snowden’s revelations:
Metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.
General Michael Hayden, former director of the NSA and the CIA, called Baker’s comment “absolutely correct.” Not only correct, but an understatement, given his assertion that
We kill people based on metadata.
Patrick Mutchler, a computer security researcher at Stanford, told the Guardian that while the intelligence agencies get it, the public’s largely in the dark about the power of metadata.
The Stanford study is the evidence needed to prove how powerful metadata is, he said:
Now we have hard evidence we can point to that didn’t exist in the past.
