“We Kill People Based on Metadata”

2014-03-14 President ObamaWhen it comes to telephone calls… nobody is listening to your telephone calls. That’s not what this program is about. As was indicated, what the intelligence community is doing is looking at phone numbers, and durations of calls. They are not looking at people’s names, and they’re not looking at content. But by sifting through this so-called metadata, they may identify potential leads with respect to folks who might engage in terrorism. – President Barack Obama

It’s just metadata, folks. Not names or content. No big deal, right? On the other hand:

But metadata alone can provide an extremely detailed picture of a person’s most intimate associations and interests, and it’s actually much easier as a technological matter to search huge amounts of metadata than to listen to millions of phone calls. As NSA General Counsel Stewart Baker has said, “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.” When I quoted Baker at a recent debate at Johns Hopkins University, my opponent, General Michael Hayden, former director of the NSA and the CIA, called Baker’s comment “absolutely correct,” and raised him one, asserting, “We kill people based on metadata.”

So, yeah. Guess President Obama’s “it’s only metadata” comfort isn’t so comforting after all. The rest of the article from whence that quote came is a description of the USA Freedom Act: what’s good, and where it doesn’t go far enough. I’m not sure I really follow all of the arguments. I do agree with the author, David Cole, that we need to balance safety against civil liberties, and that merely saying “people will die if we don’t record everyone’s metadata” is not, all by itself, enough to justify recording everyone’s metadata. But they key word there is balance.

I’m not sure that effectively rolling the clock back to the 20th century and pretending that Big Data isn’t a thing is really the way forward, either. There is immense power in the aggregation and analysis of vast quantities of data, and this isn’t just about terrorism. It’s about tracking disease outbreaks, learning more about the economy, making traffic safer and more efficient, and applications we haven’t even thought of. The potential to make the world a better place or a worse place based on data analysis is too big to ignore and, quite frankly, too enticing to resist.

Just like the European Union and their sadly laughable “right to be forgotten,” laws based on trying to pretend that the data isn’t there or force people to not use it are likely to only succeed in making sure that the folks who harness and use the data that is already there do so in the shadows. And that’s creepy, whether it’s the NSA deciding who to kill based on metadata or Target sending pregnancy-related advertisements to teenager girls. Rather than prohibition, what I think we need is more clarity about how to collect and use the data in a way that is transparent and commensurate with a new understanding of what privacy really means in the 21st century.

The one thing we can be sure of? It won’t mean what people are used to it meaning. That’s OK. After all, in Scandinavian countries like Sweden, Finland, and Norway, every citizens individual tax returns are published publicly every year. Very different from what we’re used to, sure, but no one really cares over there. I’m not saying we should move to that model. I’m just saying that what certain folks have in mind when they think of “privacy” as a civil liberty is actually a lot less like an inalienable right and a lot more like an individual cultural preference. But if we can’t have a conversation about radically new understandings of privacy to go along with our radically new capacity to aggregate and analyze data, then we can’t take a hand in choosing our own fate.


How Sensitive is Phone Metadata? Very.

2014-03-14 President Obama

President Obama, assuring people that NSA vacuuming up huge amounts of phone metadata isn’t as creepy as it sounds:

When it comes to telephone calls, nobody is listening to your telephone calls.  That’s not what this program is about.  As was indicated, what the intelligence community is doing is looking at phone numbers and durations of calls.  They are not looking at people’s names, and they’re not looking at content.  But by sifting through this so-called metadata, they may identify potential leads with respect to folks who might engage in terrorism.  If these folks — if the intelligence community then actually wants to listen to a phone call, they’ve got to go back to a federal judge, just like they would in a criminal investigation.

So I want to be very clear — some of the hype that we’ve been hearing over the last day or so — nobody is listening to the content of people’s phone calls.  This program, by the way, is fully overseen not just by Congress, but by the FISA Court — a court specially put together to evaluate classified programs to make sure that the executive branch, or government generally, is not abusing them, and that it’s being carried out consistent with the Constitution and rule of law.

And so, not only does that court authorize the initial gathering of data, but — I want to repeat — if anybody in government wanted to go further than just that top-line data and want to, for example, listen to Jackie Calmes’ phone call, they would have to go back to a federal judge and indicate why, in fact, they were doing further probing.

You got that? They are only getting metadata. No big deal, right? If they really want the juicy goods, then they’ve got to go back to a federal judge. This argument rests on the premise that phone metadata is not, in and of itself,  highly sensitive data. Which, when you think about it, is not really a hypothetical or philosophical question. It’s an empirical one. It’s something you could test. So… what kind of info can you glean from a person’s metadata?

The folks at Web Policy set out to answer the question. They used metadata gathered from a small number of volunteers over just a few months to see what they could learn about those volunteers looking only at metadta. Turns out, they could learn quite a lot.

The degree of sensitivity among contacts took us aback. Participants had calls with Alcoholics Anonymous, gun stores, NARAL Pro-Choice, labor unions, divorce lawyers, sexually transmitted disease clinics, a Canadian import pharmacy, strip clubs, and much more. This was not a hypothetical parade of horribles. These were simple inferences, about real phone users, that could trivially be made on a large scale.

This, ladies and gentlemen, is the kind of information your government can collect on you without a warrant or notification or really any restriction of any kind. But that’s not all.

  • Participant A communicated with multiple local neurology groups, a specialty pharmacy, a rare condition management service, and a hotline for a pharmaceutical used solely to treat relapsing multiple sclerosis.
  • Participant B spoke at length with cardiologists at a major medical center, talked briefly with a medical laboratory, received calls from a pharmacy, and placed short calls to a home reporting hotline for a medical device used to monitor cardiac arrhythmia.
  • Participant C made a number of calls to a firearm store that specializes in the AR semiautomatic rifle platform. They also spoke at length with customer service for a firearm manufacturer that produces an AR line.
  • In a span of three weeks, Participant D contacted a home improvement store, locksmiths, a hydroponics dealer, and a head shop.
  • Participant E had a long, early morning call with her sister. Two days later, she placed a series of calls to the local Planned Parenthood location. She placed brief additional calls two weeks later, and made a final call a month after.

Nothing to worry about, right? It’s just metadata, after all. It’s not like they’re listening to your calls, or something.

Groklaw Follows Lavabit, Shuts Down to Avoid Betraying Users to NSA

2013-08-20 Groklaw

Gizmodo has a really ominous piece on the recent shutdown of Groklaw. It’s ominous because unlike Lavabit or Silent Cirlce which help users exchange secure emails, Groklaw is not primarily a platform for individual user communication. It is–or it was–“an award-winning website covering legal news of interest to the free and open source software community” (Wikipedia).

There’s no indication that the NSA was gunning for Groklaw in particular. Founder Pamela Jones simply explains that, in a world where emails are not private, there’s no way to carry on the collaborative communication necessary for the site to continue its 10-year tradition. She goes even farther, writing:

My personal decision is to get off of the Internet to the degree it’s possible. I’m just an ordinary person. But I really know, after all my research and some serious thinking things through, that I can’t stay online personally without losing my humanness [because] it’s not possible to be fully human if you are being surveilled 24/7.

An extreme reaction? Maybe. But Jones’s reaction underscores the simple reality that the Internet is first, foremost, and last about communication. The NSA’s snooping could never have been confined to only secure email providers even if that was their intent (not that it was). Shake the foundation, and the whole edifice trembles.

This Is Why You Can’t Have Nice Things, NSA

The Washington Post has a pretty simple graphic explaining one of the really fundamental problems with NSA spying:

2013-08-16 NSA Breaches

The excuses of politicians (both parties) about all the safeguards ring sort of hollow when it’s obvious that the NSA can’t follow it’s own rules. (To say nothing of sharing national defense intelligence with law enforcement agencies…)