Yet Another Study Shows That Metadata Reveals A Hell Of A Lot

from the where's-dianne-feinstein's-metadata? dept

Thu, Mar 20th 2014 2:57pm — Mike Masnick

With the NSA and its defenders still defending the bulk phone (and other) records collection programs as being about "just metadata," we've already highlighted how metadata is incredibly revealing. Now there's yet another study demonstrating this quite clearly. Jonathan Mayer and Patrick Mutchler, over at Stanford, did a study in which they convinced a bunch of people to run an app called MetaPhone, in which users agree to give up the metadata on their phone, voluntarily, for the sake of research. What these researchers found, of course, is that the metadata reveals an awful lot of details about one's lives, often much more clearly than if the actual content had been collected. The researchers give a few examples where what someone is up to becomes quite obvious very, very quickly.

Participant A communicated with multiple local neurology groups, a specialty pharmacy, a rare condition management service, and a hotline for a pharmaceutical used solely to treat relapsing multiple sclerosis.
Participant B spoke at length with cardiologists at a major medical center, talked briefly with a medical laboratory, received calls from a pharmacy, and placed short calls to a home reporting hotline for a medical device used to monitor cardiac arrhythmia.
Participant C made a number of calls to a firearm store that specializes in the AR semiautomatic rifle platform. They also spoke at length with customer service for a firearm manufacturer that produces an AR line.
In a span of three weeks, Participant D contacted a home improvement store, locksmiths, a hydroponics dealer, and a head shop.
Participant E had a long, early morning call with her sister. Two days later, she placed a series of calls to the local Planned Parenthood location. She placed brief additional calls two weeks later, and made a final call a month after.

We were able to corroborate Participant B’s medical condition and Participant C’s firearm ownership using public information sources. Owing to the sensitivity of these matters, we elected to not contact Participants A, D, or E for confirmation.

There's a lot more in the research, showing how it's relatively easy to pick out fairly sensitive information from a bunch of participants. And, remember, these participants opted-in, knowing that the information would be shared.

Of course, as we've said from the beginning, there's a pretty easy way to prove that everyone inherently knows that metadata reveals all sorts of sensitive information. Just ask any of the biggest defenders of these programs to share the metadata from their phone. They insist there's nothing sensitive in metadata, and yet, oddly they're unwilling to reveal their own.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: metadata, privacy

24 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Mason Wheeler (profile), 20 Mar 2014 @ 3:16pm

In a span of three weeks, Participant D contacted a home improvement store, locksmiths, a hydroponics dealer, and a head shop.

What's a "head shop"? Because that must be the key to this; there's nothing particularly sensitive about the other elements AFAICS.
[ link to this | view in chronology ]
- Rikuo (profile), 20 Mar 2014 @ 3:24pm
  
  Re:
  https://en.wikipedia.org/wiki/Head_shop
  
  Given the list above, D is very likely to have converted a part of his home into a weed farm.
  [ link to this | view in chronology ]
  - Anonymous Coward, 20 Mar 2014 @ 3:44pm
    
    Re: Re:
    Having acquired this metadata, the local police obtain a secret no-knock warrant and raid the place, shooting the man for "resisting arrest" and arresting everyone else in the house, only to discover that the hydroponics equipment was used for a home vegetable garden and the products from the head shop were being used to smoke tobacco legally.
    [ link to this | view in chronology ]
    - That One Guy (profile), 20 Mar 2014 @ 4:02pm
      
      Re: Re: Re:
      I'm afraid I'm going to have to call shenanigans on the realism of that scenario, 'obtain a warrant'?
      
      Really?
      
      Even a 'secret no-knock' warrant would probably be stretching it, I mean, why would they bother with all that hassle when there's a house and people in dire need of shooting?
      
      /s
      [ link to this | view in chronology ]
    - Ninja (profile), 21 Mar 2014 @ 3:40am
      
      Re: Re: Re:
      Which is precisely why metadata is dangerous. Suppose the C guy contacting weapon stores was doing a research in how the trigger mechanism works so he can use it in his project for the college (true personal story)?
      
      What about E? Is the caller pregnant? Is her sister pregnant? Or are them talking about a friend who got an unplanned pregnancy and are trying to help? What about if E herself is planning to start a family? What if it is just a school research she's helping her son/daughter with? What if the call to her sister had nothing to do with it?
      
      The list goes on. Metadata is just like statistics. If you torture the data enough it will tell you whatever you want.
      [ link to this | view in chronology ]
      - Anonymous Coward, 21 Mar 2014 @ 4:28am
        
        Re: Re: Re: Re:
        so what your actually saying is they really did not get any sensitive information, just information that would require further investigation to confirm, does this not show that mata-data by itself is not definitive anything at all, as you have to 'guess' and 'surmise', or gather further information for it to be at all useful.
        
        Guessing will simply not do.
        [ link to this | view in chronology ]
        
        Niall (profile), 21 Mar 2014 @ 6:12am
        
        Re: Re: Re: Re: Re:
        Depends how they abuse it - see the raid 'scenario' above. But just because some scenarios need more research doesn't mean that the information available won't be useful somewhere or to someone. After all, if your aunt has cancer, your insurance provider would love to know that if it may increase your risk...
        [ link to this | view in chronology ]
        
        Just Another Anonymous Troll, 21 Mar 2014 @ 6:55am
        
        Re: Re: Re: Re: Re:
        Maybe the people who knew they were being spied on and volunteered to be spied on stayed away from anything sensitive. With law enforcement being how it is these days, they barely even need probable cause, which might be just a "guess". That said, do you want people knowing who you are calling every second of every day? The point of this article is to yet again state how revealing this metadata is.
        [ link to this | view in chronology ]
  - Mason Wheeler (profile), 20 Mar 2014 @ 3:44pm
    
    Re: Re:
    Ah, that makes more sense.
    [ link to this | view in chronology ]
- Andrew Norton (profile), 20 Mar 2014 @ 3:34pm
  
  Re:
  It's where you can buy Cheech+chong, Harold and Kumar, and Jay and Silent Bob merchandise (especially the full range of Bluntman and Chronic gear)
  [ link to this | view in chronology ]
- Anonymous Coward, 21 Mar 2014 @ 10:36am
  
  Re:
  It's a shop that stocks pot paraphernalia.
  [ link to this | view in chronology ]
- Winterbourne, 21 Mar 2014 @ 10:58am
  
  Re:
  A head shop is a place where people buy the gear and accessories needed to smoke various herbs like tabacco and cannibis. Looking at that list, you can assume he is building a locked hydroponics weed farm pretty easily.
  [ link to this | view in chronology ]
- Anonymous, 22 Mar 2014 @ 7:33pm
  
  Re:
  I went into a "head shop" once, but I couldn't get any head there.
  [ link to this | view in chronology ]
Anonymous Coward, 20 Mar 2014 @ 3:16pm

Mike Masnick Should Reblog This
I know it's not a response to the above article, but the bloggers at Volokh Conspiracy have reported that the Illinois Supreme Court just struck down a broad ban on audiorecording of conversations (part of IEA?)

http://www.washingtonpost.com/news/volokh-conspiracy/wp/2014/03/20/illinois-supreme-court-strik es-down-broad-ban-on-audiorecording-conversations/
[ link to this | view in chronology ]
- That One Guy (profile), 20 Mar 2014 @ 3:24pm
  
  Re: Mike Masnick Should Reblog This
  The link you're looking for is at the bottom of the page, the 'Submit a story' one. Much more likely to be noticed than just posting a comment in one of the articles.
  
  http://www.techdirt.com/submitstory.php
  [ link to this | view in chronology ]
Anonymous Coward, 20 Mar 2014 @ 4:23pm

Pause for a moment and consider this ....
You get a call from your credit card provider about a suspicious transaction. How do they deduce that? Metadata.

Dunno about the rest of you, but for me they've been correct in their calls for the last three-four years.

Metadata. Fear it.
[ link to this | view in chronology ]
- Rikuo (profile), 20 Mar 2014 @ 4:49pm
  
  Re: Pause for a moment and consider this ....
  Yeah...but look again at what you're saying. That is YOUR credit card provider, who is authorized by YOU to look at YOUR data and to warn you of something nasty. Your credit card provider doesn't look at the activities of cards operated by a competitor.
  
  Last I checked, the NSA doesn't exactly go out of its way to ask permission from the US (and other nations') citizenry before spying them on them "for their protection".
  [ link to this | view in chronology ]
  - Anonymous Coward, 20 Mar 2014 @ 8:19pm
    
    Re: Re: Pause for a moment and consider this ....
    GP wasn't arguing about the appropriateness of his credit card company doing that. He was stating that, without knowing anything about him other than public records plus his account history, they have repeatedly and accurately categorized activity on his card as to whether it was fraudulent. He implies that they correctly flagged some suspicious activity, in addition to correctly not flagging activity he authorized. From this, we see that the metadata about his account is accurate enough to predict whether a given new purchase is fraudulent.
    [ link to this | view in chronology ]
Anonymous Coward, 21 Mar 2014 @ 2:24am

If metadata holds no form for power and control, the NSA wouldn't be interested in it, or be fighting tooth and nail to keep the unconstitutional bulk spying program alive.

We keep hearing from National Security Maximalists, that it's just "phone numbers" being collected.

For just being "phone numbers", the Stanford research group seems to have had no problems linking phone numbers to businesses and individuals.

Not bad for civilians. Now imagine what governments can cross reference. I'll give you a hint, everything.
[ link to this | view in chronology ]
Anonymous Coward, 21 Mar 2014 @ 4:25am

I call bullshit
is this what passes for 'reporting' now, or is masnick just trying to make some stupid joke?

"Participant B spoke at length with cardiologists at a major medical center" ...

BULLSHIT, how do they know he spoke to a cardiologist, and not someone else 'at a major medical center'??

Nor have you actually been able to draw any conclusions, but 'makes guesses', and it is clear these people were informed of this 'survey' and made calls appropriate.

As usual is this just another TD lie? and an attempt to get page hits.. I guess its not that hard to confuse the morons who hang off TD's every word, like it is the truth !!
[ link to this | view in chronology ]
- Niall (profile), 21 Mar 2014 @ 6:16am
  
  Re: I call bullshit
  This story comes from somewhere else, and depending how the data was collected it may be publically deducible that the number called was a cardiologist.
  
  If Mike was after clickbait, all he'd have to do is post an article that would have the trolls foaming in - anything about Kim Dotcom, the RIAA/MPAA, or anything partisan-sounding.
  
  So where's YOUR evidence for your hate-filled bile?
  [ link to this | view in chronology ]
- John Fenderson (profile), 21 Mar 2014 @ 6:45am
  
  Re: I call bullshit
  "how do they know he spoke to a cardiologist, and not someone else 'at a major medical center'?"
  
  Perhaps because they called the cardiologist's phone number. At major medical centers, every department (and usually every doctor) has their own phone number.
  [ link to this | view in chronology ]
- silverscarcat (profile), 21 Mar 2014 @ 10:33am
  
  Re: I call bullshit
  BULLSHIT, how do they know he spoke to a cardiologist, and not someone else 'at a major medical center'??
  
  Reverse phone book.
  
  Seriously, I can type any number into a search data base and get the answer with ease.
  [ link to this | view in chronology ]
GEMont (profile), 21 Mar 2014 @ 10:58am

Ya think!
Silly rabbit!

Logic 101:

If metadata did NOT reveal a ton of information, NSA would NOT bother collecting it.
[ link to this | view in chronology ]