Heart conditions, gun ownership, religious affiliation, romantic entanglements — Stanford grad students show what the NSA can really glean from telephony metadata.
LOS ANGELES — Since whistleblower Edward Snowden exposed the National Security Agency’s bulk telephone collection program last year, the government has repeated a familiar mantra to ease the privacy concerns of Americans.
“You have my telephone number connecting with your telephone number,” President Barack Obama said in a PBS interview last June. “There are no names, there’s no content in that database.”
“As you know, this is just metadata,” Sen. Dianne Feinstein, chairwoman of the Senate Select Committee on Intelligence, said at a news conference in June 2013. “There is no content involved.”
As the President’s Review Group on Intelligence and Communications Technologies has noted, the argument is that “the collection of bulk telephony meta-data does not seriously threaten individual privacy, because it involves only transactional information rather than the content of the communications. Indeed, this is a central argument in defense of the existing program.”
The official mantra, though, may now be sounding a little hollow — thanks to two enterprising Stanford University students.
In November, Jonathan Mayer and Patrick Mutchler launched a study to determine the sensitivity of telephone metadata. “Like many computer scientists, we strongly disagree” that the metadata program has little impact on privacy, they announced on the website of the Center for Internet and Society at Stanford Law School. “Phone metadata is inherently revealing. We want to rigorously prove it — for the public, for Congress, and for the courts.”
Reverse-engineering the NSA’s approach, the Stanford team collected the phone metadata of more than 500 volunteers who had installed an Android app that copies a device’s call logs and basic data from a person’s Facebook account.
They then used data-mining techniques to find out what details of the volunteers’ lives — as recorded in their Facebook data — could be revealed by examining just their calling and texting logs.
The data-mining identified, among other things, who volunteers were dating. Mayer and Mutchler also deduced that one participant in the study suffered from cardiac arrhythmia and another from relapsing multiple sclerosis. Another volunteer was outed as a gun owner.
“The notion that [metadata] is just a phone number seems quite inaccurate,” Mayer, a law school graduate who is now pursuing a PhD in computer science, told MintPress News in an interview.
He and Mutchler are now writing up their findings so they can be published in a peer-reviewed academic journal. And attorneys seeking constitutional protection for phone metadata in lawsuits against the government are regularly citing their work in court arguments.
“This kind of research … is very important to privacy advocates, in terms of both how we talk about these issues to the public and how we develop our arguments to courts,” Brett Max Kaufman, a fellow with the American Civil Liberties Union’s National Security Project, told MintPress.
Bringing science to the debate
In the post-Snowden era, the ACLU and other legal advocacy groups have generally relied on such established experts as Edward Felten, a professor of computer science at Princeton University, to counter the government’s claims that metadata collection does not compromise privacy.
“Telephony metadata can be extremely revealing, both at the level of individual calls and, especially, in the aggregate,” Felten said in a court declaration for the ACLU last year.
“Although this metadata might, on first impression, seem to be little more than ‘information concerning the numbers dialed,’” he continued, “analysis of telephony metadata often reveals information that could traditionally only be obtained by examining the contents of communications. That is, metadata is often a proxy for content.”
Felten, though, did not cite any empirical studies of what metadata might reveal. The work of Mayer and Mutchler, another computer science doctoral candidate, appears to be the first of its kind.
“The lovely thing about Jonathan’s research is that it made the sensitivity of phone metadata concrete,” Aleecia McDonald, the director of privacy for the Center for Internet and Society, told the Stanford News Service. “The country was told that phone metadata were not worth constitutional protection, and now Jonathan’s research confirms otherwise.”
Mayer has been interested in the intersection between law and technology since his undergraduate days at Princeton. His senior thesis examined web privacy, balancing computer science research with law and policy issues.
According to Mayer, he is the first Stanford student to simultaneously pursue a JD in law and a PhD in computer science. He was admitted to the California State Bar earlier this month.
“You really do need to understand the computer science to be an effective attorney” in the area of electronic privacy law, he said. “I see them as very complementary.”
The metadata study, Mayer explains, grew out of a discussion he and Mutchler had with their adviser shortly after the Snowden revelations. “At a minimum, we were taking a skeptical view” of the government’s claims that metadata collection is harmless, he recalled. “We wanted to bring some science to the debate.”
They initially tried requesting metadata from telecom companies. Those records, however, are only provided to the NSA under court order, so they came up with the idea of getting metadata voluntarily through crowdsourcing.
To that end, the Stanford team created the “MetaPhone” app, which, when installed on an Android phone, would enable them to build a profile of the phone’s user similar to what the NSA compiles.
“We tried to replicate the information that would be available to a government agency under court order,” Mayer said.
He and Mutchler thought they would be lucky if 50 to 100 people accepted their invitation to install the “MetaPhone” app. In the event, they collected information from 546 volunteers that included phone numbers called, call lengths, and calls received. Those volunteers contacted 33,688 numbers. Using online directories, a commercial data broker and other resources, the researchers were able to match 6,107, or 18 percent, of the contacted numbers to an identity.
“We did not anticipate finding much evidence one way or the other, however, since the MetaPhone participant population is small and participants only provide a few months of phone activity on average,” they announced on Mayer’s “Web Policy” blog in March.
“We were wrong,” they said. “We found that phone metadata is unambiguously sensitive, even in a small population and over a short time window.”
According to the study, 8 percent of the volunteers made at least one call to religious organizations. Of that group, there were 15 participants who had a well-defined religious status on Facebook, including atheism. “Using just the naïve assumption that a person’s most-called religion is their own religion, we accurately identified the religious status of 11 of the 15,” the study reported.
By analyzing a pattern of calls, they were able to identify the medical condition of a volunteer who spoke at length with cardiologists at a major medical center and placed short calls to a home reporting hotline for a medical device used to monitor cardiac arrhythmia. The gun owner was identified from calls to a firearm store that specializes in the AR semiautomatic rifle platform and to the manufacturer of an AR line.
If two researchers with limited data can discover such details of people’s lives, Mayer says, “Imagine what a well-funded government agency could do” with its resources.
Mayer and Mutchler didn’t address the political or legal implications of their findings. But they have already been enlisted in support of the argument that the NSA’s metadata program is unconstitutional under the Fourth Amendment.
Only a day after Mayer posted the results on his blog, attorneys with the Electronic Frontier Foundation cited the study in asking the U.S. 2nd Circuit Court of Appeals to reinstate an ACLU suit against the NSA.
“The revelatory nature of even a relatively limited sample of call records is not merely hypothetical,” the foundation said in an amicus brief, and “metadata from even a tiny sample of calls can provide an intimate lens into a person’s life.”
In a case that challenges the FBI’s use of national security letters in terrorism investigations, an amicus brief says the Stanford team had “demonstrated that substantial personal information could be revealed through a single phone call.”
Most recently, the study appeared in Sen. Rand Paul’s lawsuit over metadata collection. “As the Stanford Study concluded … ‘Reasonable minds can disagree about the policy and legal constraints that should be imposed on [phone record] databases. The science, however, is clear: phone metadata is highly sensitive,’” Paul said in a brief opposing the government’s motion to dismiss the case.
Mayer says he has also been answering questions from Obama administration officials and legislative staffers in Washington, D.C. “There seems to be a genuine interest in … understanding what the facts are,” he said.
The response to his research has inspired Mayer to start working on opening an information technology think tank in the nation’s capital. “Maybe there should be some geeks in Washington,” he suggested.