With Obama recently announcing his plans to amend the electronic surveillance program at the National Security Agency, it is a good time to look more closely at what the NSA has been doing with some of the data it has been collecting on Americans for the last decade or so. But first some background.
As Edward Snowden's information about the NSA began to emerge in June 2013, Obama made the following statement:
Nobody is listening to your telephone calls. That's not what this program is about. As was indicated, what the intelligence community is doing is looking at phone numbers and durations of calls. They are not looking at people's names, and they're not looking at content. But by sifting through this so-called metadata, they may identify potential leads with respect to folks who might engage in terrorism.
(Obama also said in that same remark "Now, with respect to the Internet and emails -- this does not apply to U.S. citizens and it does not apply to people living in the United States," a statement which we now know, from Snowden's revelations, is untrue. But that's another column.)
Dianne Feinstein backed up the president that same day, telling nervous Americans "This is just metadata. There is no content involved."
(Feinstein also said in June 2013, "To my knowledge, we have not had any citizen who has registered a complaint relative to the gathering of this information." But that's another column.)
What is Metadata?
Metadata in 2013 was not a term widely-known to the general public. A quick definition might be that metadata is information about data-- when and where the data was created, perhaps who created it, how long it took to create, that sort of thing. The metadata for this article might be something like "Created in New York City at 11:33 on April 2 by user Peter Van Buren." Using this, while a snoop would not with the metadata alone know what I wrote, s/he could indeed place me at a specific location engaged in a specific task at a specific time with a specific computer. Potentially valuable information, especially in the aggregate.
If the metadata was for an interactive thing, like a phone call, then the snoop would also know to whom I was talking. Metadata can serve as a giant index to allow the snoop to know which "content" is worth looking at in detail. Matching a phone number to a business or person is painless within the U.S. and many other countries. It can done by most people over the internet (reverse directories) and has long been available using more sophisticated systems by law enforcement.
But let's focus on the metadata alone, as did the Stanford University Security Lab. Scientists there asked subjects to voluntarily collect and share the same metadata about their cell calls as the NSA collects from them involuntarily. The scientists did this via an app one could download, a kind of willful piece of malware like the NSA could install on phones where it does not already have access to the full network (as it does in the U.S. and most allied nations.)
To Catch a Whistleblower
So what did Stanford find among all that metadata? They began with some simple, common-sense assumptions, primarily that the more calls you made to a specific place (i.e., a political group or a friend) and the longer in duration those calls were, the more significant the connection. If that same source called you back, frequently or for long durations, the connection was more or less confirmed. Mistakes could be made, but there is always some collateral damage in these things.
Let's play along. Jennifer holds regular conference calls during business hours with the same set of people at numbers that resolve to an office in the Pentagon. She makes a significant set of short calls to an Anti-War organization during after-work hours, followed by another set of very long calls to a law office known to represent whistleblowers. She occasionally calls a journalist whose number resolves to New York City, often only speaking for a few seconds. Is Jennifer planning to blow the whistle on something and is setting up meets with a NY journalist? Let's kick down her door tonight at 2 am and find out.
Looking to gather data that might be used to identify vulnerabilities, blackmail or character-assassinate someone? The Stanford people wrote "The degree of sensitivity among contacts took us aback. Participants had calls with Alcoholics Anonymous, gun stores, NARAL Pro-Choice, labor unions, divorce lawyers, sexually transmitted disease clinics, a Canadian import pharmacy, strip clubs, and much more."
Knowing Everything
Let's go deeper. Stanford found:
Participant A communicated with multiple local neurology groups, a specialty pharmacy, a rare condition management service, and a hotline for a pharmaceutical used solely to treat relapsing multiple sclerosis.
Participant B spoke at length with cardiologists at a major medical center, talked briefly with a medical laboratory, received calls from a pharmacy, and placed short calls to a home reporting hotline for a medical device used to monitor cardiac arrhythmia.
Participant C made a number of calls to a firearm store that specializes in the AR semiautomatic rifle platform. They also spoke at length with customer service for a firearm manufacturer that produces an AR line.
In a span of three weeks, Participant D contacted a home improvement store, locksmiths, a hydroponics dealer, and a head shop.
Participant E had a long, early morning call with her sister. Two days later, she placed a series of calls to the local Planned Parenthood location. She placed brief additional calls two weeks later, and made a final call a month after.
What Do They Know?
What could someone do with that kind of information about you? What if that someone also had, as we know the NSA does, access to your social media, email, snail mail, credit card data, travel information, air reservations, and bank records? Orwell was an amateur. Metadata is the key to stripping away the haystack so that the needle is just sitting there.
The Stanford metadata research program appears to still be up and running; volunteer to help by downloading their app. The NSA program is most certainly robustly ongoing.