DOJ Tells Court To Toss Lawsuit Over NSA Spying Because 'It's Just Metadata'; Professor Ed Felten Then Explains Why They're Wrong
from the take-a-lesson dept
The ACLU's lawsuit over the NSA's program collecting all phone call information under Section 215 of the Patriot Act is just one of many lawsuits over the recently revealed details of the NSA's surveillance activities, but it's definitely one of the key ones to watch. This week there were a flurry of filings in the case from both sides, many of which are embedded below, including the ACLU's initial motion for a preliminary injunction to get the government to cease the data collection, and various declarations in support of that. There's also the US government's motion to dismiss. The argument from the government is, more or less, that even if it does collect the data on private phone calls to and from the ACLU, without proof that anyone ever looked at that data, there's no standing. Furthermore, it pulls out the old "it's just metadata" so there's no privacy violations there.Both arguments are ridiculous. As the ACLU notes, the government can't just seize your personal journal without a warrant by claiming that it won't look at it. That's not how it works. But the "it's just metadata" argument is especially pernicious. As we've pointed out, anyone claiming "it's just metadata" doesn't know what metadata is, and should be asked to publish their own such data. Hell, if there's nothing to be concerned about because it's "just metadata," why won't the DOJ itself allow the metadata on how many people they spy on to be published?
However, the ACLU has gone even further, having professor Ed Felten (who was also, until recently, the FTC's first CTO, focused in part on privacy issues) submit a wonderful declaration totally blowing apart the idea that "just metadata" isn't a privacy violation. You should read the whole thing, but here's a key part:
Telephony metadata can be extremely revealing, both at the level of individual calls and, especially, in the aggregate.Good stuff, though much of it has been discussed elsewhere. Felten then takes it even further, noting how a large aggregation of phone metadata can be even more revealing and privacy invading:
Although this metadata might, on first impression, seem to be little more than “information concerning the numbers dialed,” analysis of telephony metadata often reveals information that could traditionally only be obtained by examining the contents of communications. That is, metadata is often a proxy for content.
In the simplest example, certain telephone numbers are used for a single purpose, such that any contact reveals basic and often sensitive information about the caller. Examples include support hotlines for victims of domestic violence and rape, including a specific hotline for rape victims in the armed services. Similarly, numerous hotlines exist for people considering suicide, including specific services for first responders, veterans, and gay and lesbian teenagers. Hotlines exist for suffers of various forms of addiction, such as alcohol, drugs, and gambling.
Similarly, inspectors general at practically every federal agency—including the NSA— have hotlines through which misconduct, waste, and fraud can be reported, while numerous state tax agencies have dedicated hotlines for reporting tax fraud. Hotlines have also been established to report hate crimes, arson, illegal firearms and child abuse. In all these cases, the metadata alone conveys a great deal about the content of the call, even without any further information.
The phone records indicating that someone called a sexual assault hotline or a tax fraud reporting hotline will of course not reveal the exact words that were spoken during those calls, but phone records indicating a 30-minute call to one of these numbers will still reveal information that virtually everyone would consider extremely private.
In some cases, telephony metadata can reveal information that is even more sensitive than the contents of the communication. In recent years, wireless telephone carriers have partnered with non-profit organizations in order to permit wireless subscribers to donate to charities by sending a text message from their telephones. These systems require the subscriber to send a specific text message to a special number, which will then cause the wireless carrier to add that donation to the subscriber’s monthly telephone bill. For example, by sending the word HAITI to 90999, a wireless subscriber can donate $10 to the American Red Cross.
Such text message donation services have proven to be extremely popular. Today, wireless subscribers can use text messages to donate to churches, to support breast cancer research, and to support reproductive services organizations like Planned Parenthood. Similarly, after a policy change in 2012 by the Federal Election Commission, political candidates like Barack Obama and Mitt Romney were able to raise money directly via text message.
In all these cases, the most significant information—the recipient of the donation—is captured in the metadata, while the content of the message itself is less important. The metadata alone reveals the fact that the sender was donating money to their church, to Planned Parenthood, or to a particular political campaign.
Although it is difficult to summarize the sensitive information that telephony metadata about a single person can reveal, suffice it to say that it can expose an extraordinary amount about our habits and our associations. Calling patterns can reveal when we are awake and asleep; our religion, if a person regularly makes no calls on the Sabbath, or makes a large number of calls on Christmas Day; our work habits and our social aptitude; the number of friends we have; and even our civil and political affiliations.
For instance, metadata can help identify our closest relationships. Two people in an intimate relationship may regularly call each other, often late in the evening. If those calls become less frequent or end altogether, metadata will tell us that the relationship has likely ended as well—and it will tell us when a new relationship gets underway. More generally, someone you speak to once a year is less likely to be a close friend than someone you talk to once a week.He goes on to discuss how that is a major concern for the ACLU, where they are often working with whistleblowers of all kinds, including against the government. Furthermore, they often work with anonymous "John Doe" clients -- but, of course, with aggregate metadata, it's not difficult to identify just about any John Doe.
Even our relative power and social status can be determined by calling patterns. As The Economist observed in 2010, “People at the top of the office or social pecking order often receive quick callbacks, do not worry about calling other people late at night and tend to get more calls at times when social events are most often organized (sic), such as Friday afternoons.”
At times, by placing multiple calls in context, metadata analysis can even reveal patterns and sensitive information that would not be discoverable by intercepting the content of an individual communication.
Consider the following hypothetical example: A young woman calls her gynecologist; then immediately calls her mother; then a man who, during the past few months, she had repeatedly spoken to on the telephone after 11pm; followed by a call to a family planning center that also offers abortions. A likely storyline emerges that would not be as evident by examining the record of a single telephone call.
Likewise, although metadata revealing a single telephone call to a bookie may suggest that a surveillance target is placing a bet, analysis of metadata over time could reveal that the target has a gambling problem, particularly if the call records also reveal a number of calls made to payday loan services.
With a database of telephony metadata reaching back five years, many of these kinds of patterns will emerge once the collected phone records are subjected to even the most basic analytic techniques.
Another good read is the Declaration from Michael German, a former FBI agent and whistleblower, who now works for the ACLU, discussing how strict confidentiality is absolutely necessary for whistleblowers. Hopefully the court recognizes just how serious this is, and just how ridiculous the DOJ's claims are as well.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: doj, ed felten, metadata, nsa, nsa surveillance, privacy
Companies: aclu
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
It's just metadata, what's the big deal?
Maybe instead of saying it's "just" metadata, they could be truthful and say it's extremely valuable metadata.
Did I say truthful? Oh, wait. This is the government. Nevermind.
[ link to this | view in thread ]
Simple solution?
If the information is not private and not sensitive, then simply say "Hey, DOJ guys, release your metadata records for the world to see, so that you can show us why they do not matter and should be able to be harvested".
Would that not give people confidence, and show the DOJ means what they say about the metadata being unimportant?
[ link to this | view in thread ]
http://arstechnica.com/tech-policy/2013/08/how-cell-tower-dumps-caught-the-high-country-bandi ts-and-why-it-matters/
[ link to this | view in thread ]
If you're not doing anything illegal, huh?
Of course, since all of that's legal, there must be no reason to hide any of it, right?
I mean, it's not like there's a social stigma for seeing a psychologist, or getting an abortion in some areas of the United States or...
Well, you get my point, I hope.
[ link to this | view in thread ]
What's the point, when all available "legally" from 3rd party sources?
SPYING IS SPYING. It's pointless, or worse, to focus on just NSA.
Also, LAW IS DULL, and worse, giving people the notion that someone else is doing all that's possible (especially with corporations as "champions" for privacy) leads to yet more passivity. We need to first change attitude that regards for-profit commercial spying as acceptable.
The phony deal that evil people (and gullible fools) try to force on us: You can't have the benefits of technology unless give up all privacy.
[ link to this | view in thread ]
Anyone who's played a game that involved guessing like "Guess who?", "Mastermind" or even "Battleships" should know that you can derive a lot of solid and reliable information with just a few queries yielding non-specific information.
[ link to this | view in thread ]
Re: What's the point, when all available "legally" from 3rd party sources?
We don’t do the same with the NSA/government because those entities shouldn’t have our information without a damn good reason (e.g. a legitimate investigation into illegal acts).
Don’t get me wrong: I loathe the idea of Google, Facebook, et al giving up so much as a fraction of our information (freely offered or otherwise) to the government without our consent or knowledge. But the information would still exist even if we all moved to different service providers for email, social networking, and so on.
The problem doesn’t lie in the information existing. It lies in the government harvesting that information (possibly in an illegal and certainly unethical manner) for no good reason at all.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: What's the point, when all available "legally" from 3rd party sources?
[ link to this | view in thread ]
Re: What's the point, when all available "legally" from 3rd party sources?
The government has the DUTY to protect the law and to abide by it. They have the power to enforce it and to change it - a power trusted to them by the people who elected them.
The corporations merely must abide by the law, like any citizen. In the eyes of the law, they don't have any more power than you or me*.
This means that until you fix the government - the makers and enforcers of the law - it is pointless to fix the corporations. If the rules of the game are crooked, you won't fix the game by punishing the "bad" players.
Fix the government, and everything else will almost fix itself.
* The fact that, in practice, they do have more power, is just a symptom of a broken system
[ link to this | view in thread ]
Re: If you're not doing anything illegal, huh?
[ link to this | view in thread ]
Call it what it is...
[ link to this | view in thread ]
If the data is meaningless, then why waste our taxdollars collecting it?
[ link to this | view in thread ]
I would be completely fine with metadata getting collected if it is impossible to chain it to personally identifiable data. Unfortunately a phonebook is far too easy to use to connect the dots without a courtorder! If they did not get the telephone number but anonymized phone ids instead, it would make it harder to abuse unless you have access to the business data records for the phone company...
Alas, metadata is completely unproblematic in a vacuum, but in reality any possible chaining to personally identifiable data will completely nullify that argument and more!
[ link to this | view in thread ]
Meta vs Raw
Example, statistical analysis can determine what you are saying over an encrypted link if you use compression, because the compression leaks information. That information is meta data.
Another thing to think about. Meta data includes relational data. Guess how the human brain works. Everything your brain does is based on relational information. Our brain converts raw data into meta data and stores it as meta data.
Nutshell: Meta data is worse than raw data when it comes to privacy.
[ link to this | view in thread ]
Re:
Even the bare metadata that your browser reveals to every web site you visit (the OS you're using, the version of the browser, etc.) is enough to identify you personally in a surprisingly high percentage of cases even though it doesn't reveal your name, address, phone #, etc.
[ link to this | view in thread ]
I have a hard enough time trusting politicians with all the money they get from companies, and now this.
This is one of the reasons that I really hate what they have done, they broke what little trust we had left in our system, that little piece in me that still had hope that the game wasn't rigged.
[ link to this | view in thread ]
Metadata Privacy
In a corporate context, I noted this problem in the "Computer Security Handbook, 3rd Edition" (1995). Seemingly simple requests for copies of subordinates' email are problematical when one considers what might be stored in their mail files (e.g., communications with the IG, Compliance, Ethics, HR, and other internal entities; as well as incidental personal correspondence which may cover particular areas that are legally protected).
[ link to this | view in thread ]
Re: What's the point, when all available "legally" from 3rd party sources?
[ link to this | view in thread ]
Then he can have all the journalists or anyone he feels is anti-government shoved into prison...oh wait he ALREADY orders journalists to be detained/imprisoned (just ones from other countries).
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
Perhaps because he's not a king and cannot pass legislation of any sort?
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Call it what it is...
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Oh shoot!!!
Now they are tracking me?
[ link to this | view in thread ]
How The Law Works
Merely showing that metadata leads to lots of info about a person simply isn't relevant.
Following a person around in an unmarked police car reveals lots of info about a person too, even more if you watch them with binoculors at every opportunity. However, such behavior CLEARY doesn't implicate the 4th ammendment under existing precedent no matter how long or systematically you do it (GPS is treated differently for unclear reasons). Theoretically, the government could use half the population to follow the other half around, note everything that half did and feed it all into a big data mining solution and not implicate the 4th at all even though that would reveal tons of info about sensitive matters.
The reason the government's argument isn't absurd is that existing precedent does distinguish between metadata and data to some extent, in particular it distinguishes the content of your conversation from the numbers used to dial a phone call. THE ISSUE HERE ISN'T HOW MUCH INFO IS REVEALED BUT WHOSE INFO. Since the phone company keeps numbers dialed in the normal course of business (billing) they would appear to be the phone companies business data and not anything you even have a 4th ammedment interest in.
YES, THE CURRENT PRECEDENT DOESN'T GIVE A RATS ASS WHAT IS IN THE INFO IF IT DOESN'T BELONG TO THE PERSON WHOSE 4TH AMENDMENT RIGHTS ARE AT ISSUE!!!
Don't get me wrong, I don't think the government's position is the one that should prevail but their motion is not absurd.
[ link to this | view in thread ]
ACLU Trying To Break New 4th Amendment Ground
I think new law SHOULD be made here but one has to recognize that it is an uphill battle. The statutory arguments seems stronger and doesn't have anything to do with the 'just metadata' issue.
[ link to this | view in thread ]
Re: Call it what it is...
[ link to this | view in thread ]
Re: Re: What's the point, when all available "legally" from 3rd party sources?
Only laws get changed when there is enough influence (money) involved.
are you that naive to not see the relationship between corporations and government?
[ link to this | view in thread ]