Big Metadata and Big Government
Jay Stanley and Ben Wizner, privacy experts at the ACLU, argue that metadata is more sensitive than we think.
Jay Stanley and Ben Wizner, privacy experts at the ACLU, argue that metadata is more sensitive than we think.
[A]ny suggestion that Americans have nothing to worry about from this dragnet collection of communications metadata is wrong. Even without intercepting the content of communications, the government can use metadata to learn our most intimate secrets – anything from whether we have a drinking problem to whether we’re gay or straight. The suggestion that metadata is “no big deal” – a view that, regrettably, is still reflected in the law – is entirely out of step with the reality of modern communications.
So what exactly is metadata? Simply, if the “data” of a communication is the content of an email or phone call, this is data about the data – the identities of the sender and recipient, and the time, date, duration and location of a communication. This information can be extraordinarily sensitive. A Massachusetts Institute of Technology study a few years back found that reviewing people’s social networking contacts alone was sufficient to determine their sexual orientation. Consider, metadata from email communications was sufficient to identify the mistress of then-CIA Director David Petraeus and then drive him out of office.
The “who,” “when” and “how frequently” of communications are often more revealing than what is said or written. Calls between a reporter and a government whistleblower, for example, may reveal a relationship that can be incriminating all on its own.
Repeated calls to Alcoholics Anonymous, hotlines for gay teens, abortion clinics or a gambling bookie may tell you all you need to know about a person’s problems. If a politician were revealed to have repeatedly called a phone sex hotline after 2:00 a.m., no one would need to know what was said on the call before drawing conclusions. In addition sophisticated data-mining technologies have compounded the privacy implications by allowing the government to analyze terabytes of metadata and reveal far more details about a person’s life than ever before.
As technology advances, the distinction between data and metadata can be hard to distinguish. If a Website’s content is data, is the Website’s address metadata? The government has argued it is.
But like the list of books we check out of a library, the sites we “visit” online are really a list of things we’ve read. Not only do URLs often contain content – such as search terms embedded within them – but the very fact that we’ve visited a page with a URL such as “www.webmd.com/depression” can be every bit as revealing as the content of an email message.
They’re of course right. But, as I’ve argued before, this is only worrisome if the government is permitted to access these data at the individual level. Petraeus was found out, not through a data mining operation, but because of a specific FBI investigation that, one presumes, had the proper warrants to comb through his emails, phone calls, and the like. If the NSA is simply combing through all metadata using computer algorithms and looking for patterns related to terrorist activity, I’m hard pressed to get excited about it. If they’re going on fishing expeditions into people’s personal lives for reasons unrelated to terrorism, it’s an epic scandal.
This, however, is worrisome:
[L]aw enforcement and intelligence agencies have long appreciated the value of metadata, and the outdated view that metadata surveillance is far less invasive than eavesdropping has allowed those agencies to use powerful surveillance tools with relatively little judicial oversight.
They can do this because, decades ago, long before the Internet altered all aspects of modern communication, the Supreme Court ruled that when we voluntarily divulge personal information to any third party, we waive our privacy rights and lose all Fourth Amendment protection over that information.
That decision would make sense if it was about, for example, why we can’t reasonably expect something to remain private when we loudly boast about it in a bar. But the court extended that logic to phone calls. The argument was that since we “share” the phone numbers we dial with the phone company – which needs that information to connect the call – we can’t claim any constitutional protection when the government asks for that data.
That’s crazy. Alas, the courts have pretty consistently sided with law enforcement—even outside the context of terrorism—in construing the 4th Amendment’s protections against unreasonable searches and the 5th Amendment’s protections against self-incrimination in the narrowest possible way.
David Sirota pushes back against the notion that the government’s having access to this information is no worse than the various corporations who already have it.
Like so many carefully sculpted political talking points, it sounds logical, except when you remember the key facts being omitted — in this case, the fact that the government is using its law enforcement power to obtain the data without the public’s permission. Yes, that’s right: unlike a company with which you personally do business — and with which you sign an agreement about your personal information — the Obama administration is using the government’s unilateral power to simply grab your information across multiple platforms.
That’s hardly, as the dismissive phrase goes, a “distinction without a difference.” As I noted on CNN, when it comes to civil liberties, the Bill of Rights is all about constraining the power of the government to encroach on our freedoms. It does this because the founders recognized that the government isn’t just another institution in society — it isn’t, say, just a private bank or a polling firm. It is granted special powers (subpoena, warrants, etc.) that those other institutions don’t have — but it was granted those powers in exchange for that authority being properly constrained. When such constraints are removed, our liberties are inevitably restricted (this, by the way, is why Senator Obama sponsored legislation to outlaw what President Obama is now doing).
Belcher and other Obama officials likely know all this, but also know that the best way to at once defang the NSA scandal and normalize the government’s assault on civil liberties is to pretend it’s the same as any other company using data in the creepy ways we’ve all gotten accustomed to. It’s the old “nothing to see here, move along” trick. The only question is: Will America fall for it?
I’m pretty sure that we have. For understandable reasons, presidents of both parties push the envelope in the name of national security. And most of the Congressional leadership is eager to go along, especially in the post-9/11 universe.
But it’s not simply scaredy-cat tendencies. The sophistication of modern communications technology makes it very easy for organized terrorist outfits to operate in secret. Given the diffusion of these cells, with many manifesting few open signs of their orientation before launching their first attack, the intelligence community naturally wants the tools to keep up. While I think we’ve traded too much liberty in the name of this fight, I’m not persuaded that this particular trade-off is excessive. But, as I keep emphasizing, it’s not at all clear that we know what precisely it is we’re trading.
Sorry, not buying the “we only capture the meta-data” argument. Not one little bit. There is absolutely no way to confirm what is being captured or how it is being used. Secret program, secret court, people who love to keep secrets, people who would never tell us what they are doing, even under a court order, which cannot be obtained, because the program does not exist.
Secure meshnets are coming.
Yes to everything written above, but so what?
The American people have decided the freedom to not be blown up by Muslims is more important the freedom from their metadata being picked over by computers. Until someone can convince the citizenry this is a bad exchange, this is how things will be for the foreseeable future.
As an aside, I’m finding it darkly amusing to read the national-security and civil-liberties reporters’ freak-outs as they come to terms that their fellow Americans think they’re on the wrong side of the War on Terror.
@James in Silverdale, WA: Yeah, we don’t know. That it’s only metadata strikes me as plausible precisely because it’s so valuable and much easier to comb that actual conversations.
@Gold Star for Robot Boy: Oh, I’ve long been aware of that on everything from airport screening to drones. As a theoretical matter, as Sirota notes, the Constitution trumps the popular will. But if the elected leaders trample on the Bill of Rights and the courts go along, political will is all that matters.
@ James
Like I said yesterday, does any of this surprise anyone? This is the world we made. A lot of people were cheering at the top of their lungs while the foundation for all of this was laid.
It’d be funny when someone figures out congressmen and senator personal phone numbers, clone them on burner phones, and make lots of calls to ‘questionable’ and embarrassing phone numbers.
Umm, it was always very easy for organized terrorist outfits to operate in secret — in many ways, it was even easier in the past. The “sophistication of modern communications technology” isn’t what allows them to operate in secret; rather, what allows them to operate in secret is simply what allows anyone to operate in secret — you keep your plans to yourself.
I don’t think the average reader really grasps “mirroring.”
We could add to that “provide full anonymous access by government, without giving government write privileges back to the source.”
Yes, the NSA has specific rules for when they make FISA queries against the Google database, but we know that with Verizon they have a mirror. They have a private copy of the metadata.
James:
You are still thinking in terms of individual, and fine grained, FISA requests. The NSA needs to make no such requests to access their own private copy, the mirror. Once the mirror is made, it is theirs.
We also learned this week that companies which are more grudging still use the mirror mechanism. It is a rule based mirror rather than a full copy. Each FISA (however broad it is with them) adds a rule and makes the mirror a bit bigger.
So after umpteen FISAs the NSA does not have “direct access” to the Google database, they “only” have direct access to a subset of the Google database.
This of it this way: a world in which a terrorist group can’t communicate in secret is, by necessity, also a world in which no one — friends, famlly, lovers, an adulterous couple, a man with a secret fetish, a woman planning an abortion, a gay-rights group, political dissidents, opposition parties, doctors and patients, a battered wife, etc. — can communicate in secret.
If you’re willing to accept that, there’s nothing I can do about it. But I’d recall Benjamin Franklin’s well-worn maxim that those are willing to trade liberty for security eventually wind up with neither.
Yes. Or they could look at the thing where they ask you which gender you’re interested in. If you’re a guy and you say, “Women,” you’re likely to be straight. But by all means, MIT, carry on.
@Rafer Janders: Well, sure. But operating secretly is only easy if it’s a handful of people. Communicating with the higher headquarters and their superior resources through websites, VOIP, various encrypted email accounts, burner phones, and so forth is a relatively new set of capabilities.
@john personna: Practically and technically, sure. But legally, not so much. The question is whether they’re following the law. The answer is: We hope so but have no way of knowing.
@Rafer Janders: But we should be able to craft rules whereby NSA and other government agencies have access only to the former without access to all the other. There’s no reason for government to be interested in our sex lives; there’s good reason for them to be on the lookout for terrorist cells planning to murder innocents.
@michael reynolds: Yeah. Increasingly, sexual orientation is not something people feel a need to keep secret.
@James Joyner:
I’m not sure I understand. Are there any laws regulating what the NSA may do with their copy of the Verizon meta-data? Is there any oversight of data that has gone across the NSA gateway and into the dark?
As I understand it, FISA inspection was considered the regulatory gateway. Everything beyond that, in the increasingly large government big data stores, is opaque.
See also:
U.S. Never Really Ended Creepy “Total Information Awareness” Program*
@ john personna
My understanding is that FISA is something of a rubber stamp. We need to ask ourselves if it is a gateway, or an onramp…
@john personna: Stewart Baker, former general counsel of the NSA, in an FP piece I quoted yesterday in another post:
And:
I don’t think it matters whether the information is on Verizon’s server or an NSA mirror; they’re not allowed to access that information.
@James Joyner:
I’m afraid I see that as contradictory with the actual data flow.
In the first quote it talks about what the NSA may not collect, but we know they already have it.
In the second quote it talks about what courts may limit, but again that is back at the FISA stage, and before the data is acquired.
(If the Verizon data stays NSA-only this may not be a huge issue. They may search it randomly without much affect for random Verizon customers. Of course, we get to interdepartmental data sharing laws at the next point, and if the NSA has all that Verizion data, when the FBI may make an interdepartmental request.)
@James Joyner:
Do these strictures restrain our overseas intelligence partners?
Another way to say it would be that if the courts were making FISA review stick for every data request, then the NSA would have no data mirror, and would have to take the path through the courts every time.
The thing is, I have a very hard time seeing this as the case. The hard part about analytics is building up the data needed for a model to score effectively. Once you’ve got the data, building more models isn’t all that difficult. The idea that the NSA only has a model built on scoring terrorist activity and not ones to score child porn distribution, drug distribution, tax evasion, insider trading, illegal downloading of movies and anything else you can think of in the next sixty seconds is nuts.
NSA management will look at the mathematicians and scientists that they have to keep around to maintain their terrorist model and think: Why not put them to work?
@rudderpedals:
I would guess so. NSA Agent X would have to jump through the hoops first to even know what to send to MI6.
@James Pearce,
Sharing is a lot more easy than you think. This is just the perspective from the Canadians. The Brits, Aussies, and Kiwis also are in on the deal.
@Al:
Why would the NSA be interested in the illegal downloading of movies or any of that other stuff?
If anything, you should be worried about the NSA sharing that info with the FBI, which could happen….but not likely with the approval of a FISA court.
@DC Loser:
Well, I think the sharing would be extremely easy.
But I do not think that foreign intelligence services will have access to this information that US intelligence services don’t. That is….MI6 may get access to this data in the end, but only after jumping through the NSA’s hoops.
@James Joyner:
Maybe we should be able to, but obviously we don’t. And given that these rules will be administered by human beings, they will always be abused.
Oh, c’mon. You’re not actually this gullible. There’s plenty of reason for plenty of people in government to be interested in the sex lives of their political opponents, their ex-wives, their girlfriends, their political enemies, the leader of the civil rights group which is threatening to sue them, the investigative journalist who’s writing articles that are making them nervous, the whistleblower, etc.
@James Pearce (Formerly Known as Herb):
Forward thinking managers will always be wondering where the next threat is coming from and what they need to do to keep their agency relevant. Building a wide variety of models is an easy way to hedge bets.
The argument could also be made that a lot of that stuff could be tangentially related. Whether or not that argument is bogus wouldn’t really be relevant.
Right, and the likelihood that FISA would deny such a request is pretty small. The only thing really stopping it from happening now is that the NSA probably wouldn’t want to share their toys with the FBI. What happens when it’s suddenly in the NSA’s interest to do so?
@Rafer Janders: @Al: But you’re accusing people of serious crimes without evidence. The IRS, for example, has a whole host of sensitive information on us. For even the president to use it against his political opponents is an impeachable offense. The fact that it could happen isn’t evidence that it’s happening.
There’s a new article on an NSA program called Boundless Informant:
http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining?commentpage=1
At the end is this gem from an NSA spokeswoman:
The continued publication of these allegations about highly classified issues, and other information taken out of context, makes it impossible to conduct a reasonable discussion on the merits of these programs.
This woman should be drummed out of public service immediately. How could we have had a discussion about these programs when she and her comrades have done everything in their power to prevent us from ever knowing of their existence? The only reason we can have a discussion is because a very brave person or persons decided to risk everything they had to make the American people aware of them.
@Rafer Janders: “Oh, c’mon. You’re not actually this gullible.”
Indeed. After the lies into war, torture, and the creation of this and other draconian extensions of the police state, the line between data and metadata is tissue-thin. What’s a little eavesdropping after the killing of hundreds of thousands in Iraq alone?
ISPs should have the freedom to opt-out of this. ISPs which resist it are going to become very popular. especially if they find a way to package easy, ubiquitous strong encryption. Demand groweth by the hour.
Only to be followed by the political pornography of President Obama claiming nothing at all wrong with the very programs Senator Obama abjured.
Gullible, aye.
I think the pipeline is that a federal agency gets FISA approval for a data set. After that it is government data, and FISA is done. Combine that with:
Officials say unified government-wide databases with shared access is the future
(James seems to think that FISA lives on, attached somehow to a data set, and restricting uses on that data going forward. That would be extremely burdensome for the data architect, and … is anyone really making him?)
@Ben Wolf:
My impression is that Greenwald and his reader/fan source are engaged in activism related to the Manning trial and Greenwald’s advocacy for Mannaing/Assange. From the NYT GG profile yesterday:
http://www.nytimes.com/2013/06/07/business/media/anti-surveillance-activist-is-at-center-of-new-leak.html
So they initially considered using the leaks to foment some sort of constitution test case on citizen or blogger ‘journalism’?
@James Joyner: The difference here is that the IRS operates in public, is up front about the data it’s collecting on me (which is all related to tax collection) and is giving me a specific purpose as to why it’s doing so. I may not particularly like it but at least I understand it.
The NSA, on the other hand, is operating in secret, isn’t divulging what it’s collecting on me (but we know it’s everything about phone calls I make, my credit card activity and somewhere between most and all of my activity on the Internet) nor what it’s doing with the data it’s collected. Its only oversight is a court that doesn’t seem to want to say “no” or even “why” and a Congress that nearly everyone in the country agrees is blindingly incompetent.
@Al:
Boy, it is easy to google up all kinds of further mile marks on the road to a surveillance society:
By taking certain steps, the IRS may share bank data it gets from foreign banks under FATCA with other US agencies
“Section 6103(i) permits disclosure of tax “return information” to “any federal agency” for use in virtually any matter over which the agency has jurisdiction.”
@Al:
Not really, Al. Pity the prosecutor who seeks to build a case based on information illegally obtained from the NSA. The bogosity of that argument is very relevant.
Also
What you really mean is that the likelihood that such a case would even be brought before a FISA court would be pretty small.
If it was, the likelihood that it would be rejected is very large.
@Ben Wolf:
I don’t know about that, Ben. I think there is definitely more to this story that didn’t make it into the Guardian or the Washington Post stories.
And I think many people will discover their first impressions were wrong. They might regret listening so closely to a guy with an axe to grind (Greenwald) or an organization obsessed with The Scoop (Washington Post).
@James in Silverdale, WA:
Don’t count on it. During the Bush presidency my ISP (Qwest) refused to hand over information. Business didn’t improve and they later sold out to a smaller company in order to stay in business.
Most consumers don’t make their decisions like this. They’re concerned with speed, price, reliability, and then way down on the list in last place is the ISP’s willingness to buck the feds.
@James Pearce (Formerly Known as Herb): I think it would be pretty straightforward to claim that drug cartels are a threat to our national security, and expand use of this data to look for patterns of drug dealers all the way up and down that food chain.
And both terrorists and drug cartels need to launder money, so now you get to look at all bank transactions for everyone even remotely connected, even indirectly.
Do we worry about someone attacking our economy? Now we can expand the vague scope of national security to cover all financial transactions, insider trading, etc.
Someone will come up with a rationale for searching for child porn aficionados (“think of the children!” usually suffices, but it may have to be modified to “Islamofascists like little boys!”)
And that is all assuming the workers are properly trained and not abusing their access to the data.
@James Pearce (Formerly Known as Herb):
So I’ve linked to descriptions of the mirrors. I’ve linked to plans for merged federal databases. I’ve linked to free sharing between departments.
Your answer is that there is secret information that makes all that innocuous.
Are you sure you are the one with a data-driven argument?
@Gustopher:
The Director of National Intelligence’s new PRISM fact sheet is interesting in this regard. The first part, on conditions for collection, is interesting because if you really believed it, they wouldn’t have ALL the Verizon metadata.
On sharing though:
“Evidence of a crime” covers most of the suggestions above. I suppose it may not be that bad in a surveillance state. Police could conceivably get a “most likely location” for a suspect, at 3 pm on a Monday afternoon. That might save lives.
It would still be a surveillance state.
@James Joyner:
No, I’m not accusing anyone of a serious crime. I’m saying that, as an undeniable fact of human nature, there are always people who will abuse their authority, and that plenty of people will, if given the chance, commit serious crimes. It will happen.
Again, c’mon. Stop playing the innocent naif.
Since the spying is all happening in secret, ipso facto there won’t be a lot of evidence. It’s a Catch-22 — they spy on us, we accuse them of it, they say prove it, we demand evidence, and they refuse to supply the evidence because of national security.
@James Joyner:
Think of Karl Rove. Let’s assume Karl Rove, when in government, got information on the sex lives of top Democratic politicians. Think there’s any way he wouldn’t use it in whatever way was most beneficial to him? Karl Rove had every reason to be interested in the sex lives of people opposed to him.
I’m not comfortable with this at all but it’s going to continue and enlarge anyway. Look at what happened with the transplant policies. The next time a stranger abducts a pretty girl and there’s a chance of these data being useful the pressure to change the law will be irresistible.
Two things that could help slightly when the time comes:
1. The FISA authorization needs to be amended to require counsel appointed by the court to flesh out and enforce minimization techniques. The advocate ad litem represents the affected but oblivious US persons caught the dragnets.
2. The people querying these databases really should be subject to monitoring themselves. The stuff is way too sensitive.
@Gustopher:
It may be less straightforward than that. The drug cartel, I presume, would have to do something more than just deal drugs to capture the NSA’s attention.
You’re assuming other agencies (the DEA, the SEC, the FBI?) will have access to this stuff. Or that the NSA will cooperate with these other agencies. I don’t think we have enough information to make that assumption.
It really seems like we’re so busy thinking about all the ways this information could be used that we’re not really thinking about how it is used.
@john personna:
Nope, not sure of anything. I’m just not jumping to the conclusion that this is as nefarious as it’s being made out to be.
Indeed, I think it’s pretty obvious that we kind of asked for this. Nay, we demanded it. We told the feds after 9-11, “Next time….connect the damn dots.”
And they said, “Will do.”
@James Pearce (Formerly Known as Herb):
If they’re smuggling goods into the US, that’s all that’s needed. After all, one could say, if they can smuggle cocaine, surely they can smuggle terrorists or weapons or even a small nuclear device.
@Rafer Janders:
I don’t know, Rafer. The federal government is nothing if not a bureaucracy. And while the common image of the bureaucracy is a bunch pencil-necked geeks making our lives harder from behind their desks, it’s actually a way of organizing tasks and functions, making sure these guys do this and those guys do that.
Maybe the NSA is doing stuff that’s outside their purview. I think the other agencies have it covered though.
@James Joyner: The whole point of this, James, is that we know they’re doing a lot, but have no ability to know else they are doing.
@Barry: Yes, Barry. I’ve made that point in every post I’ve written on the subject. I find that very troublesome. I just balance it with the notion that these people are professionals sworn to protect the Constitution and the law.