DOJ Tells Court To Toss Lawsuit Over NSA Spying Because 'It's Just Metadata'; Professor Ed Felten Then Explains Why They're Wrong

from the take-a-lesson dept

Thu, Aug 29th 2013 10:08am — Mike Masnick

The ACLU's lawsuit over the NSA's program collecting all phone call information under Section 215 of the Patriot Act is just one of many lawsuits over the recently revealed details of the NSA's surveillance activities, but it's definitely one of the key ones to watch. This week there were a flurry of filings in the case from both sides, many of which are embedded below, including the ACLU's initial motion for a preliminary injunction to get the government to cease the data collection, and various declarations in support of that. There's also the US government's motion to dismiss. The argument from the government is, more or less, that even if it does collect the data on private phone calls to and from the ACLU, without proof that anyone ever looked at that data, there's no standing. Furthermore, it pulls out the old "it's just metadata" so there's no privacy violations there.

Both arguments are ridiculous. As the ACLU notes, the government can't just seize your personal journal without a warrant by claiming that it won't look at it. That's not how it works. But the "it's just metadata" argument is especially pernicious. As we've pointed out, anyone claiming "it's just metadata" doesn't know what metadata is, and should be asked to publish their own such data. Hell, if there's nothing to be concerned about because it's "just metadata," why won't the DOJ itself allow the metadata on how many people they spy on to be published?

However, the ACLU has gone even further, having professor Ed Felten (who was also, until recently, the FTC's first CTO, focused in part on privacy issues) submit a wonderful declaration totally blowing apart the idea that "just metadata" isn't a privacy violation. You should read the whole thing, but here's a key part:

Telephony metadata can be extremely revealing, both at the level of individual calls and, especially, in the aggregate.

Although this metadata might, on first impression, seem to be little more than “information concerning the numbers dialed,” analysis of telephony metadata often reveals information that could traditionally only be obtained by examining the contents of communications. That is, metadata is often a proxy for content.

In the simplest example, certain telephone numbers are used for a single purpose, such that any contact reveals basic and often sensitive information about the caller. Examples include support hotlines for victims of domestic violence and rape, including a specific hotline for rape victims in the armed services. Similarly, numerous hotlines exist for people considering suicide, including specific services for first responders, veterans, and gay and lesbian teenagers. Hotlines exist for suffers of various forms of addiction, such as alcohol, drugs, and gambling.

Similarly, inspectors general at practically every federal agency—including the NSA— have hotlines through which misconduct, waste, and fraud can be reported, while numerous state tax agencies have dedicated hotlines for reporting tax fraud. Hotlines have also been established to report hate crimes, arson, illegal firearms and child abuse. In all these cases, the metadata alone conveys a great deal about the content of the call, even without any further information.

The phone records indicating that someone called a sexual assault hotline or a tax fraud reporting hotline will of course not reveal the exact words that were spoken during those calls, but phone records indicating a 30-minute call to one of these numbers will still reveal information that virtually everyone would consider extremely private.

In some cases, telephony metadata can reveal information that is even more sensitive than the contents of the communication. In recent years, wireless telephone carriers have partnered with non-profit organizations in order to permit wireless subscribers to donate to charities by sending a text message from their telephones. These systems require the subscriber to send a specific text message to a special number, which will then cause the wireless carrier to add that donation to the subscriber’s monthly telephone bill. For example, by sending the word HAITI to 90999, a wireless subscriber can donate $10 to the American Red Cross.

Such text message donation services have proven to be extremely popular. Today, wireless subscribers can use text messages to donate to churches, to support breast cancer research, and to support reproductive services organizations like Planned Parenthood. Similarly, after a policy change in 2012 by the Federal Election Commission, political candidates like Barack Obama and Mitt Romney were able to raise money directly via text message.

In all these cases, the most significant information—the recipient of the donation—is captured in the metadata, while the content of the message itself is less important. The metadata alone reveals the fact that the sender was donating money to their church, to Planned Parenthood, or to a particular political campaign.

Although it is difficult to summarize the sensitive information that telephony metadata about a single person can reveal, suffice it to say that it can expose an extraordinary amount about our habits and our associations. Calling patterns can reveal when we are awake and asleep; our religion, if a person regularly makes no calls on the Sabbath, or makes a large number of calls on Christmas Day; our work habits and our social aptitude; the number of friends we have; and even our civil and political affiliations.

Good stuff, though much of it has been discussed elsewhere. Felten then takes it even further, noting how a large aggregation of phone metadata can be even more revealing and privacy invading:

For instance, metadata can help identify our closest relationships. Two people in an intimate relationship may regularly call each other, often late in the evening. If those calls become less frequent or end altogether, metadata will tell us that the relationship has likely ended as well—and it will tell us when a new relationship gets underway. More generally, someone you speak to once a year is less likely to be a close friend than someone you talk to once a week.

Even our relative power and social status can be determined by calling patterns. As The Economist observed in 2010, “People at the top of the office or social pecking order often receive quick callbacks, do not worry about calling other people late at night and tend to get more calls at times when social events are most often organized (sic), such as Friday afternoons.”

At times, by placing multiple calls in context, metadata analysis can even reveal patterns and sensitive information that would not be discoverable by intercepting the content of an individual communication.

Consider the following hypothetical example: A young woman calls her gynecologist; then immediately calls her mother; then a man who, during the past few months, she had repeatedly spoken to on the telephone after 11pm; followed by a call to a family planning center that also offers abortions. A likely storyline emerges that would not be as evident by examining the record of a single telephone call.

Likewise, although metadata revealing a single telephone call to a bookie may suggest that a surveillance target is placing a bet, analysis of metadata over time could reveal that the target has a gambling problem, particularly if the call records also reveal a number of calls made to payday loan services.

With a database of telephony metadata reaching back five years, many of these kinds of patterns will emerge once the collected phone records are subjected to even the most basic analytic techniques.

He goes on to discuss how that is a major concern for the ACLU, where they are often working with whistleblowers of all kinds, including against the government. Furthermore, they often work with anonymous "John Doe" clients -- but, of course, with aggregate metadata, it's not difficult to identify just about any John Doe.

Another good read is the Declaration from Michael German, a former FBI agent and whistleblower, who now works for the ACLU, discussing how strict confidentiality is absolutely necessary for whistleblowers. Hopefully the court recognizes just how serious this is, and just how ridiculous the DOJ's claims are as well.

Govt Motion to Dismiss (PDF)Govt Motion to Dismiss (Text)

2013 08 26 ACLU PI Brief (PDF)2013 08 26 ACLU PI Brief (Text)

Declaration Felten (PDF)Declaration Felten (Text)

2013 08 26 ACLU PI Brief Declaration German (PDF)2013 08 26 ACLU PI Brief Declaration German (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: doj, ed felten, metadata, nsa, nsa surveillance, privacy
Companies: aclu

32 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

kenichi tanaka (profile), 29 Aug 2013 @ 10:12am

Why is The Patriot Act passed by congress anyway? In my opinion, The Patriot Act should be a required vote put forward to all Americans. Does congress actually think that Americans should support the The Patriot Act if it were allowed to be voted on in this manner?
[ link to this | view in chronology ]
- dan lafferty, 30 Aug 2013 @ 9:18am
  
  Re:
  The Patriot Act was railroaded through by George Warcriminal Bush and has nothing whatsoever to do with patriotism!
  [ link to this | view in chronology ]
  - John Doe, 30 Aug 2013 @ 10:54am
    
    Re: Re:
    The Treason Act, er, Patriot Act was initially created by the Republicans but the Democrats and Obama in particular, has taken to it like a duck to water.
    [ link to this | view in chronology ]
DannyB (profile), 29 Aug 2013 @ 10:21am

It's just metadata, what's the big deal?
If it's "just" metadata, then why the objection to handing it over?

Maybe instead of saying it's "just" metadata, they could be truthful and say it's extremely valuable metadata.

Did I say truthful? Oh, wait. This is the government. Nevermind.
[ link to this | view in chronology ]
Lonyo, 29 Aug 2013 @ 10:21am

Simple solution?
Is there not just a really simple solution?
If the information is not private and not sensitive, then simply say "Hey, DOJ guys, release your metadata records for the world to see, so that you can show us why they do not matter and should be able to be harvested".

Would that not give people confidence, and show the DOJ means what they say about the metadata being unimportant?
[ link to this | view in chronology ]
Anonymous Coward, 29 Aug 2013 @ 10:21am

There's a wonderful Ars post on this very subject, on how metadata was used to catch bank robbers in AZ:

http://arstechnica.com/tech-policy/2013/08/how-cell-tower-dumps-caught-the-high-country-bandi ts-and-why-it-matters/
[ link to this | view in chronology ]
silverscarcat (profile), 29 Aug 2013 @ 10:26am

If you're not doing anything illegal, huh?
Dunno about you, but I'm pretty sure that people don't need to know when others are getting abortions, or when they need to see a doctor, lawyer, a lover, or a psychologist...

Of course, since all of that's legal, there must be no reason to hide any of it, right?

I mean, it's not like there's a social stigma for seeing a psychologist, or getting an abortion in some areas of the United States or...

Well, you get my point, I hope.
[ link to this | view in chronology ]
- HappyBlogFriend (profile), 29 Aug 2013 @ 10:59am
  
  Re: If you're not doing anything illegal, huh?
  I get your point, and I think it all boils down to this: metadata is as useful to an enemy as it is to an ally.
  [ link to this | view in chronology ]
This comment has been flagged by the community. Click here to show it

out_of_the_blue, 29 Aug 2013 @ 10:36am

What's the point, when all available "legally" from 3rd party sources?
Have to ask yet again: Why is discussion narrowed down here at Techdirt to JUST the NSA's most direct sources, when NSA can STILL get all this same metadata "legally" as Snowden says from "Google, Facebook, Microsoft, Yahoo, Apple, and the rest of our internet titans"?

SPYING IS SPYING. It's pointless, or worse, to focus on just NSA.

Also, LAW IS DULL, and worse, giving people the notion that someone else is doing all that's possible (especially with corporations as "champions" for privacy) leads to yet more passivity. We need to first change attitude that regards for-profit commercial spying as acceptable.

The phony deal that evil people (and gullible fools) try to force on us: You can't have the benefits of technology unless give up all privacy.
[ link to this | view in chronology ]
- S. T. Stone, 29 Aug 2013 @ 10:50am
  
  Re: What's the point, when all available "legally" from 3rd party sources?
  We share a small portion of our information to Google, Facebook, et al in exchange for the services they offer and the value we perceive in said services.
  
  We don�t do the same with the NSA/government because those entities shouldn�t have our information without a damn good reason (e.g. a legitimate investigation into illegal acts).
  
  Don�t get me wrong: I loathe the idea of Google, Facebook, et al giving up so much as a fraction of our information (freely offered or otherwise) to the government without our consent or knowledge. But the information would still exist even if we all moved to different service providers for email, social networking, and so on.
  
  The problem doesn�t lie in the information existing. It lies in the government harvesting that information (possibly in an illegal and certainly unethical manner) for no good reason at all.
  [ link to this | view in chronology ]
- lucidrenegade (profile), 29 Aug 2013 @ 10:54am
  
  Re: What's the point, when all available "legally" from 3rd party sources?
  Reported and /ignore
  [ link to this | view in chronology ]
- Anonymous Coward, 29 Aug 2013 @ 10:54am
  
  Re: What's the point, when all available "legally" from 3rd party sources?
  I say you are wrong. I say that you should first fix the government and then focus on the corporations.
  
  The government has the DUTY to protect the law and to abide by it. They have the power to enforce it and to change it - a power trusted to them by the people who elected them.
  
  The corporations merely must abide by the law, like any citizen. In the eyes of the law, they don't have any more power than you or me*.
  
  This means that until you fix the government - the makers and enforcers of the law - it is pointless to fix the corporations. If the rules of the game are crooked, you won't fix the game by punishing the "bad" players.
  
  Fix the government, and everything else will almost fix itself.
  
  * The fact that, in practice, they do have more power, is just a symptom of a broken system
  [ link to this | view in chronology ]
  - trinsic, 2 Sep 2013 @ 10:48pm
    
    Re: Re: What's the point, when all available "legally" from 3rd party sources?
    Is this guy for real? Dude the government is the corporations and the corporations are the government. They do the will of corporations on every level.
    
    Only laws get changed when there is enough influence (money) involved.
    
    are you that naive to not see the relationship between corporations and government?
    [ link to this | view in chronology ]
- James Burkhardt (profile), 29 Aug 2013 @ 1:28pm
  
  Re: What's the point, when all available "legally" from 3rd party sources?
  THey can LEGALLY get it. that is the problem. The discussion hasn't been 'Narrowed down". the fact is is constitutionally, they shouldn't be able to get it. The "direct sources" ARE Facebook, google, VERISON, ect. Debates over constitutional vs legal were had back during the original leaks, and nothing new is being added to further discuss that. Now we need to discuss the current leaks and their relationship to the original leaks, that everyone already knows about and doesn't need further commentary on. The concern is over unconsitutional data gathering, not over traditional, warrent based data gathering. If you don't want a warrent to collect your data, DON'T GIVE THAT DATA. by not signing in and using VPNs, HTTPS and Privacy modes, the "3rd party sources" (which are the way most of the metadata is gathered, as described previously by techdirt), struggle to provide solid metadata. The big problem, that Techdirt noted and you, OOTB, should be crying your eyes out about is a phone, which is difficult to use without giving up significant metadata, because that metadata is necessary to make those connections and phone call anonymization software isn't as readily availible.
  [ link to this | view in chronology ]
Anonymous Coward, 29 Aug 2013 @ 10:47am

The whole "it's just metadata" excuse never sounded credible to me.

Anyone who's played a game that involved guessing like "Guess who?", "Mastermind" or even "Battleships" should know that you can derive a lot of solid and reliable information with just a few queries yielding non-specific information.
[ link to this | view in chronology ]
- S. T. Stone, 29 Aug 2013 @ 10:51am
  
  Re:
  That makes for an excellent analogy. I�ll jot it down for future use.
  [ link to this | view in chronology ]
ahow628 (profile), 29 Aug 2013 @ 11:08am

Call it what it is...
Metadata is data. Was that so hard?
[ link to this | view in chronology ]
- Anonymous Coward, 29 Aug 2013 @ 11:49pm
  
  Re: Call it what it is...
  Adding 'meta' obfuscates the true meaning, you wouldn't expect anything less from people employed to lie.
  [ link to this | view in chronology ]
- Sheogorath (profile), 2 Sep 2013 @ 8:06pm
  
  Re: Call it what it is...
  Absolutely. Metadata is data about data in the same way that metafiction is fiction about fiction. It seems as though the US government is trying to say that a self-referential fanfiction is devoid of information when we all know better.
  [ link to this | view in chronology ]
kenichi tanaka (profile), 29 Aug 2013 @ 11:42am

"Metadata" is just the government's excuse that 'it's just useless information' but if they're using the excuse 'if you're not doing anything wrong, then you have nothing to hide'. But, when you turn that argument around, the government has a lot to be concerned with if they're hiding everything in secret around the data they collect?

If the data is meaningless, then why waste our taxdollars collecting it?
[ link to this | view in chronology ]
Anonymous Coward, 29 Aug 2013 @ 11:44am

Metadata like the ones described in the article are of low value if you never look up the numbers used.

I would be completely fine with metadata getting collected if it is impossible to chain it to personally identifiable data. Unfortunately a phonebook is far too easy to use to connect the dots without a courtorder! If they did not get the telephone number but anonymized phone ids instead, it would make it harder to abuse unless you have access to the business data records for the phone company...
Alas, metadata is completely unproblematic in a vacuum, but in reality any possible chaining to personally identifiable data will completely nullify that argument and more!
[ link to this | view in chronology ]
- John Fenderson (profile), 29 Aug 2013 @ 12:34pm
  
  Re:
  The very notion of that there is "personally identifiable data" and "non-personally identifiable data" is bogus to begin with. If it reveals anything at all about you, then it's all PII when taken in aggregate.
  
  Even the bare metadata that your browser reveals to every web site you visit (the OS you're using, the version of the browser, etc.) is enough to identify you personally in a surprisingly high percentage of cases even though it doesn't reveal your name, address, phone #, etc.
  [ link to this | view in chronology ]
Bengie, 29 Aug 2013 @ 12:26pm

Meta vs Raw
I would argue that Meta data is more personnel than Raw data because Raw data is ambiguous without context and Meta data gives context. Even without the raw data, Context gives you a lot of information.

Example, statistical analysis can determine what you are saying over an encrypted link if you use compression, because the compression leaks information. That information is meta data.

Another thing to think about. Meta data includes relational data. Guess how the human brain works. Everything your brain does is based on relational information. Our brain converts raw data into meta data and stores it as meta data.

Nutshell: Meta data is worse than raw data when it comes to privacy.
[ link to this | view in chronology ]
Anonymous Coward, 29 Aug 2013 @ 12:46pm

Fact is that I just don't trust them not to be shitty and powerhungry... they have proven that themselves. How can I trust people like that to not use this data against a presidential candidate who opposes them and want to cut back or if a vote was upcoming that would set them back I really think they are powergreedy and so rotten that they would use this data in some way to tip the scale in their favor.
I have a hard enough time trusting politicians with all the money they get from companies, and now this.
This is one of the reasons that I really hate what they have done, they broke what little trust we had left in our system, that little piece in me that still had hope that the game wasn't rigged.
[ link to this | view in chronology ]
Robert Gezelter, 29 Aug 2013 @ 12:56pm

Metadata Privacy
Professor Felten's point about how pictures can be quickly be built up from metadata is well-taken.

In a corporate context, I noted this problem in the "Computer Security Handbook, 3rd Edition" (1995). Seemingly simple requests for copies of subordinates' email are problematical when one considers what might be stored in their mail files (e.g., communications with the IG, Compliance, Ethics, HR, and other internal entities; as well as incidental personal correspondence which may cover particular areas that are legally protected).
[ link to this | view in chronology ]
Anonymous Coward, 29 Aug 2013 @ 2:12pm

Why doesn't Obama just get this over with and pass the 'government knows best act'.

Then he can have all the journalists or anyone he feels is anti-government shoved into prison...oh wait he ALREADY orders journalists to be detained/imprisoned (just ones from other countries).
[ link to this | view in chronology ]
- Anonymous, 29 Aug 2013 @ 3:09pm
  
  Re:
  And now he's chomping at the bit to start a war with Syria. Yeah, no way THAT'S ever going to blow up in our faces.
  [ link to this | view in chronology ]
- John Fenderson (profile), 29 Aug 2013 @ 4:30pm
  
  Re:
  Why doesn't Obama just get this over with and pass the 'government knows best act'.
  
  Perhaps because he's not a king and cannot pass legislation of any sort?
  [ link to this | view in chronology ]
Obama, 29 Aug 2013 @ 5:02pm

I love metadata.
[ link to this | view in chronology ]
John Doe, 30 Aug 2013 @ 10:55am

Oh shoot!!!
Furthermore, they often work with anonymous "John Doe" clients -- but, of course, with aggregate metadata, it's not difficult to identify just about any John Doe.

Now they are tracking me?
[ link to this | view in chronology ]
Peter Gerdes (profile), 31 Aug 2013 @ 11:30am

How The Law Works
And this article shows a deep lack of knowledge about how the law works.

Merely showing that metadata leads to lots of info about a person simply isn't relevant.

Following a person around in an unmarked police car reveals lots of info about a person too, even more if you watch them with binoculors at every opportunity. However, such behavior CLEARY doesn't implicate the 4th ammendment under existing precedent no matter how long or systematically you do it (GPS is treated differently for unclear reasons). Theoretically, the government could use half the population to follow the other half around, note everything that half did and feed it all into a big data mining solution and not implicate the 4th at all even though that would reveal tons of info about sensitive matters.

The reason the government's argument isn't absurd is that existing precedent does distinguish between metadata and data to some extent, in particular it distinguishes the content of your conversation from the numbers used to dial a phone call. THE ISSUE HERE ISN'T HOW MUCH INFO IS REVEALED BUT WHOSE INFO. Since the phone company keeps numbers dialed in the normal course of business (billing) they would appear to be the phone companies business data and not anything you even have a 4th ammedment interest in.

YES, THE CURRENT PRECEDENT DOESN'T GIVE A RATS ASS WHAT IS IN THE INFO IF IT DOESN'T BELONG TO THE PERSON WHOSE 4TH AMENDMENT RIGHTS ARE AT ISSUE!!!

Don't get me wrong, I don't think the government's position is the one that should prevail but their motion is not absurd.
[ link to this | view in chronology ]
Peter Gerdes (profile), 31 Aug 2013 @ 11:39am

ACLU Trying To Break New 4th Amendment Ground
If you read the motion filled by the ACLU in the section on the 4th ammendment it is pretty clear they are trying to create new precedent. In particular, the fact that they go back to the original reasonableness analysis and don't cite any cases to justify their conclusion (just vague claims that it is bad and associated with totalitarian states) is a giveaway.

I think new law SHOULD be made here but one has to recognize that it is an uphill battle. The statutory arguments seems stronger and doesn't have anything to do with the 'just metadata' issue.
[ link to this | view in chronology ]