Metadata Reveals Sensitive, Private Information

The President and other apologists for the NSA have defended the NSA’s illegal mass surveillance of US telephones by arguing that it’s “only” metadata, so “nobody is listening to our telephone calls.” But where, when, how long and to whom customers make phone calls does reveal information that could easily be used to blackmail, stifle and control. A group of computer scientists at Stanford’s Security Laboratory gathered information from volunteers who agreed to have an app on their cell phone mimic what the NSA collects. Here is an initial report.

At the outset of this study, we shared the same hypothesis as our computer science colleagues—we thought phone metadata could be very sensitive. We did not anticipate finding much evidence one way or the other, however, since the MetaPhone participant population is small and participants only provide a few months of phone activity on average.

We were wrong… The degree of sensitivity among contacts took us aback. Participants had calls with Alcoholics Anonymous, gun stores, NARAL Pro-Choice, labor unions, divorce lawyers, sexually transmitted disease clinics, a Canadian import pharmacy, strip clubs, and much more. This was not a hypothetical parade of horribles. These were simple inferences, about real phone users, that could trivially be made on a large scale.

…Though most MetaPhone participants consented to having their identity disclosed, we use pseudonyms in this report to protect participant privacy.

  • Participant A communicated with multiple local neurology groups, a specialty pharmacy, a rare condition management service, and a hotline for a pharmaceutical used solely to treat relapsing multiple sclerosis.
  • Participant B spoke at length with cardiologists at a major medical center, talked briefly with a medical laboratory, received calls from a pharmacy, and placed short calls to a home reporting hotline for a medical device used to monitor cardiac arrhythmia.
  • Participant C made a number of calls to a firearm store that specializes in the AR semiautomatic rifle platform. They also spoke at length with customer service for a firearm manufacturer that produces an AR line.
  • In a span of three weeks, Participant D contacted a home improvement store, locksmiths, a hydroponics dealer, and a head shop.
  • Participant E had a long, early morning call with her sister. Two days later, she placed a series of calls to the local Planned Parenthood location. She placed brief additional calls two weeks later, and made a final call a month after.

We were able to corroborate Participant B’s medical condition and Participant C’s firearm ownership using public information sources. Owing to the sensitivity of these matters, we elected to not contact Participants A, D, or E for confirmation.

In other news, a former president believes that his email is being monitored. He is probably correct. Monitoring presidential candidates is all too realistic.

Fortunately, President Obama has announced that the bulk collection of phone calls will end. Dismantling that illegal program is a start. Obviously, this would not have happened without the revelations of Edward Snowden.


If the whole population were outraged by this (if!) they could render much of the spying useless by having everyone phone pox doctors, gun clubs and so on.

Shhhh... They're listening.

...which places no extra burden on anyone, much less the pox doctors et al.

Or pass legislation.

Only if everyone is willing to take the time to carry on real conversations. There's a much different inference drawn from a 3 second phone call than from an hour-long one.

Of course, much of the commercial software that tracks phone company metadata in the United States isn't written in America, but in a country that enjoyed a large infusion of Russian talent a couple of decades ago. This fact may help explain why the president of that foreign country enjoyed 29 standing ovations the last time he addressed the guilty consciences in our Congress:

And sit down for this one: A lot of the code in the operating systems, network stack and runtime libraries that the software sits on was written in India, Russia and Pakistan. Then on top of that most of the microprocessors in those servers that run all of this were fabbed in Taiwan, Korea, even China. And a lot of the metals in those microprocessors were mined in Iran, Venezuela, and the Congo. There's simply no telling how many sketchy countries have access to the NSA data. Because if our own government is messed up, it's most definitely somehow the fault of shifty foreigners, and has absolutely nothing to do with our own partisan politicians and apathetic electorate.

Try following the link before opinionizing. You'll learn some things.

I'm generally a big fan of your stuff, particularly your Taki articles which are usually excellent, but that piece was definitely one of your weakest. I'm sorry to say, it's a sprawling, unfocused, mess of half conjectures combined with un-researched second-hand facts reaching harebrained conclusions. Do you really think a shadowy cabal of Israelis are blackmailing most of the US Congress and Wall Street in some sort of vast conspiracy that no doubt must involve tens of thousands of people maintaining absolute silence? Honestly, what probability value do you assign this hypothesis to being true?

I'll just address the article's aspects about Wall Street since I know that best. You imply that basically the entire US financial industry is structured around the attainment and transmission of illegal insider information, since you can't get rich according to the Efficient Market Hypothesis otherwise. This betrays a gross misunderstanding of the EMH, the legal definition of insider trading, and the general function of the firms making up "Wall Street." First, most financial industry products are not generated in a way that has anything to do with the EMH. Most Wall Street activity takes place on the "sell side" which involves raising capital for new investments, making markets and providing liquidity, brokering trades, structuring derivative products, managing deposit and loan reserves, extending credit, etc. None of these people are trying to "beat the market" in any sense.

Second, you very mistakenly presuppose that any "insider trading" under the definition of the EMH constitutes insider trading in the legal sense. This is blatantly wrong, the EMH only says you need to have information not available to the general marketplace. Illegal insider information falls under the much stricter definition of requiring a breach of fiduciary duty, and material non-public information. For example hedge funds can and have flown helicopters above oil refineries and used infrared cameras to measure the amount of oil being refined. They then used this to estimate the oil refiner's revenue ahead of its quarterly earnings announcements. Perfectly legal. Another example you can buy direct data feeds from stock exchanges and get price information before those on the national feed get it. Again perfectly legal. You can also meet with corporate executives in sit-down meetings, notice that they're fidgety and tired. You can combine this with public rumors that the company may possibly have a huge lawsuit on its hands. Trading on this is perfectly legal under Mosaic Theory. You can pay someone to stand on the docks of Taiwan and count how many containers Nvidia loads on its ships. You can hire twenty five mathematicians and build a super-complex model to predict stock prices, giving you an edge that the vast majority of investors don't have. You can build robots that read news announcements faster than any human can and trade in front of regular people. You can be Warren Buffett and have a nuanced understanding on the value of companies informed by decades of experience, that very much constitutes "information" not available to the general public.

And on and on it goes. All of them perfectly sound strategies to beat the market and circumnavigate the EMH. None involving insider trading in the legal sense. Very little Wall Street investing activity involves illegal insider trading. Even in the case of SAC Capital which was notorious, the convicted example constituted less than 1% of their trading activity. The reality is there's far more legal and available ways to construct an "uneven playing field" as an investor. Trying to build a fortune on illegal trading is pretty damn hard, because you need to bring more and more people in on it to trade more money. Eventually some of them are going to slip up and bring you down. Much better to avail yourself of the many many avenues of perfectly legal, but in some sense unfair, advantages that major hedge funds have.

"Do you really think a shadowy cabal of Israelis are blackmailing most of the US Congress and Wall Street in some sort of vast conspiracy that no doubt must involve tens of thousands of people maintaining absolute silence?"

You've got the dynamic backwards. The Israelis haven't maintained absolute silence. The Israeli military-industrial-intelligence complex benefits from the widespread assumption among well-informed people in Washington that Israel has some dirt on them, so it's better to play along with Israel's desires.

Next, I'll probably be spouting some crazy conspiracy theory about how Steve Jobs, Meg Whitman, Eric Schmidt, and Michael Dell conspired together against their own employees.

"I’m sorry to say, it’s a sprawling, unfocused, mess of half conjectures combined with un-researched second-hand facts reaching harebrained conclusions."

Why do you only recognize this in this article, and not all Steve's articles? It's his modus operandi.

The first part of the article is good enough. Does Israel have a backdoor to U.S. intelligence? I just assumed everybody checks the yes box on this one.

The link to Wall St. is strange, tenuous and forced. Also we wouldn't expect Wall St to get whittled down to a "low-margin commodity business" if EMH holds. Big portion of revenue and profits come from trading and underwriting. They are negatively impacted by more money moving into passive management and the resulting loss of commissions from buy-side firms, as well as lower trading turnover and fees. Also some have asset management arms themselves (e.g. JP Morgan, UBS). But go tell Goldman Sachs that if EMH holds then they'd have the economics of a tomato stand. Nowhere close. In fact, if EMH holds, then we can assume active management is alive and well and therefore trading commissions, research fees, etc... are doing O.K.

For example, how many Republican Congressmen are in-the-closet homosexuals? Probably not an insignificant number, right? Now, how much would it be worth to have proof from phone metadata followed-up by incriminating photographs?

Plenty of DC open secrets never make it back to break out big in Alabama because no one that can make it happen has an interest in doing so. Foreign intelligence services don't have much leverage for legislator extortion in those circumstances.

For many years it was a fairly widely known open secret that former Republican Congressman Mark Foley was gay. No one much cared until it became known that he was flirting (or worse) with teenage boys in the page program. Things don't seem to have changed much, metadata, hackers, etc. notwithstanding. Nowadays the greatest threat of MoCs becoming embroiled in a sex scandal is posed by themselves, a phone camera, and a twitter account.

I am sorry but how slow on the uptake do you have to be?

I remember AOL's great cock up when they released everyone's search records. They thought it was a good idea and they removed people's names. It took seconds to identify pretty much anyone from the meta-data. You are what you search.

Now keep in mind how long ago it was that AOL was actually worth anything or had any users.

More specifically two seconds of googling produces:

No one knew this? No one knew that meta-data tells you a hell of a lot about your target? Come on. They can't be this dumb.

I have not heard a lot of acclaim for the long-term memory of the general populace, or even presumably highly educated people. Housing prices never go down, only up, remember?

Are you talking about Obama and the intelligence folks telling everyone that it is only metadata? Dumb?

Chris - The general population might have the attention span of a gnat, but the media ought to have some professionals who know what they are talking about. It is not as if what the NSA was doing was a secret. After all, Echelon goes back decades:

Derek - I am not sure whether Obama is being deliberately obtuse or he really is that dumb. Given he has just said that Putin represents a regional power I am going to have to go with stupid.

But is meta-data such a big deal? If the government was keeping a list of all the people you sent Christmas cards to, would it be a problem? Yes, they can tell a lot from this data. And Google does. But we volunteer to give it to them.

So, nobody in the U.S. was paying much attention to this in 2011, were they? Because it isn't the 'NSA' collecting this information, it is your cell phone provider.

'The seminal electronic band Kraftwerk was well ahead of the curve musically, but even the lyrics to their 1981 song "Computerwelt" can seem uncannily prescient. "Interpol and Deutsche Bank, FBI and Scotland Yard, Flensburg and the BKA, they’ve got all our data squirreled away." What was unimaginable 30 years ago later sounded rather threatening. But today, the words are downright silly.

While government authorities like the BKA, Germany’s Federal Office of Criminal Investigation, (and the country’s database of traffic violations in Flensburg) do indeed have a trove of information about us, the greatest source of data about our lives is much more banal. The real snitch is in our pocket – our own mobile phone betrays us. That’s why the Chaos Computer Club has rechristened the powerful mini-computers we carry around with us as "tracking devices" revealing where we’ve been and what we’ve been doing.

In a report prepared for Germany’s Constitutional Court in July 2009, the hacker group described what kind of information could in theory be collected according to the country’s data retention (Vorratsdatenspeicherung) rules and what could be gleaned from it. The court later stopped data retention as it was practiced at the time, but law enforcement officials and the government have by no means abandoned the concept. The possibilities offered by such seemingly harmless data are just too seductive. In the next few weeks, the German government is set to decide on new data retention rules.

Most people’s understanding of what can actually be done with the data provided by our mobile phones is theoretical; there were few real-world examples. That is why Malte Spitz from the German Green party decided to publish his own data collected from August 2009 to February 2010. However, to even access the information, he had to file a suit against telecommunications giant Deutsche Telekom.'

Carl Cannon ran a four part series on Fox News in 2001 documenting how Israeli telecom billing firms linked to military intelligence appeared to have written in backdoors allowing them to extract your metadata. It was hot enough stuff for Fox to quickly shove it down the memory hole, but fortunately some people made recordings:

Part of Glenn Greenwald's promotional genius was that he kept Edward Snowden's revelations about Israel spying on Americans under wraps for a long time. People like Cannon and James Bamford blundered by bringing up Israel's role in metadata years ago, so Americans went into crimestop mental mode. Nothing scares influential Americans more than learning something worrisome about Israel.

"Nothing scares influential Americans more than learning something worrisome about Israel"


"Crimestop refers to the ability to stop short of any thought that might be heretical or unorthodox before it is even thought, as if by instinct. It is the ability to misunderstand analogies, fail to perceive logical errors, and be repelled or bored by any train of thought or conversation that might be inimical to Ingsoc."

I understand all of this, as do more people than you might expect.

But the first-order reasons for this are not intelligence-related, but support and development-related. The cloud app I manage collects tons of usage data and I primarily use it to see what features are popular, what patterns of use cause problems for our infrastructure, and if any users may be abusing the system.

Take this away from me and my site will be much worse, and I will not be able to tell my managers (and by proxy the shareholders) that I can effectively manage the software.

The younger generation has already answered this question: So what, yolo. Here's a picture of me and my bros playing beer pong.

I think one reason the public does not care is they have no idea what "meta" means. Most of the boobs on TV have no idea so they are not explaining it to the boobs watching them. Another reason, I suspect, is a healthy minority find comfort in the fact the government knows all and sees all. It's like having Santa keep an eye on everyone. The dominant political religion of our day is based on the all-encompassing state, after all. That necessarily means constant supervision.

The old Chinese curse has suddenly become relevant to every American. That is, "May the government become aware of you."

One reason people don't care is they know all of us have small embarrassments & peccadillos and there's too many of us & I'm too unimportant for the government to go after me.

The way many Americans perceive this is as a sadistic glee at seeing the important guys sweat it out. The potential downside to a big guy is a lot worse than the average man on the street. NSA knowing a senator is a closet homosexual is a lot more likely to be used than about some affair I've had.

Until a poor schmuck joins a group that doesn't want to see the President reelected.
Then they care.

Most people aren't worth blackmailing. Getting power over them wouldn't be worth much.

United States Senators, however ...

Mayor Bloomberg's firm let Bloomberg News reporters spy on Bloomberg's $20,000 per year dumb terminal customers on Wall Street via their Bloomberg terminals:

According to the Efficient Markets Theorem, nobody should be able to get as rich as Mayor Bloomberg ... unless he has inside information. But how would the man who owns all the terminals on Wall Street acquire inside information? It's a riddle wrapped in a mystery inside an enigma.

lol mayor Bloomberg is not a trader. The Efficient Markets doesn't apply to him. Traders lose money all the time. 95% of funds underperformed the market and they have access to the most advanced data and equipment money can buy.

Yeah, Bloomberg's wealth is well accounted for by the sale of Bloomberg terminals. If Bloomberg was running some secret trading operation based on stolen information it would quickly be revealed in 13F filings given the size of the multi-billion portfolio. Not only that but since trading on insider information requires huge turnover, this multi-billion secret insider information powerhouse fund would be well known to virtually every sell-side institution on the street. So it'd be hard to keep the hypothetical shadow fund a secret.

Plus it would be retarded for a man already making hundreds of millions every year risk-free selling over-priced crappy terminals to risk destroying that business and going to jail for decades just to earn a slightly higher return on his invested wealth.

Are you ignorant or trolling? Surely you know that EMT talks about trading. No one ever suggested that an entrepreneur can't get incredibly rich by selling expensive things, assuming he can find a lot of buyers. And there really isn't a whole lot of doubt that Bloomberg is selling expensive things and that the buyers are legion, is there?

This, by the way, is what miffs me about people's opinion on Warren Buffett. He isn't a great trader. He is a great entrepreneur. He identifies companies that are badly managed, buys a controlling stake, makes sure the company is turned around by either telling management what to do or replacing management, and then sells the stake at a profit. This isn't trading, and is not contrary to any version of EMT. (He does "pure" trading as well. Profits from that are very likely not sensational.)

That's not entrepreneurship, that's private equity, but your point stands that Buffett is not a 'trader'.
He's a public equity private equity guy.

No- you're describing a KKR model. Buffett generally loves management in companies he buys, and he's not interested in spitting these companies out 5 years later. He's playing a long game.

What could be a better business than renting dumb terminals for 20x per year what they'd cost to buy?

Yet, you might think that Invisible Hand of Creative Destruction would eventually get around to providing alternatives to Bloomberg terminals, and/or the feds would sue for anti-trust violations ... unless, say, Mayor Bloomberg has some means of persuasion that you and I might not be wholly cognizant of. (Of course, it didn't seem to hurt Bloomberg's net worth that for 12 years he controlled what he boasted of at MIT as a 44,000 person "private army.")

Christ, Steve, just stop talking about things you're completely clueless about.

"According to the Efficient Markets Theorem, nobody should be able to get as rich as Mayor Bloomberg "

Whatever you do, don't write finance textbooks.

Yeah, Sailer knows a lot about a little, and it ain't finance.

He's also upgraded a hypothesis to a theorem.

Sigh. People, don't fall for the crude games; nothing actually changes. Snowden doesn't change anything except the optics charade.

All the metadata will still be collected, stored, and instantly digitally queryable by the government under various law enforcement and intelligence authorities. No piece of information will be stored for less time than under the current system. The only thing that PPD-28 changed was the reduction of network degrees of separation from an entity of interest from 3 to 2. And it hardly requires a Straussian to read between the directive's lines and realize that this 'change' represents a trivial impediment to expanding the scope of any particular search, since you can just nominate one of the 1-degree-removed entities to become a new entity of interest.

The far-right wants it both ways. Understandably so, they want the borders secured to prevent terror threats, but eyes-off the email and Facebook. If you're not engaging in nefarious activity there's nothing to fear. The NSA doesn't care about your weekend BBQ plans or your recent breakup. Not being facetious, it's just not something to lose much sleep over imho

To repeat myself: Until a poor schmuck joins a group that doesn't want to see the President reelected.
Then they care.

Whatever you think about immigration policy securing the borders is in no way equivalent to monitoring someone's entire electronic communications. Border security is highly defined, transparent and specific. The only invasion of privacy occurs for 5 minutes while passport control asks you the purpose of your visit and checks your passport. And you know exactly what to expect beforehand and when to expect it. After that there's no further intrusion into your life. In contrast in 2013 virtually your entire life is conducted electronically. Absent living a totally backwards life there is no way to protect your privacy on virtually any serious matter.

I don't think you are being facetious. That would require the ability to understand the difference between maintaining a nation's borders and running a police state. That's a distinction apparently lost on you.

the difference between maintaining a nation’s borders and running a police state

For some reason, these two tend to go hand in hand.

Depends if the border policy is to keep out strangers, or to keep in your citizens.

Yes, if you are law abiding and not a trouble maker you won't have any problems.

That is what a German woman said to me about the Nazi regime. The streets were much safer.

First off, we are all lawbreakers now.

Second, if you question the regime's paranoia underlying spying on everyone, according to Cass Sunstein and the establishment, you are now a de facto troublemaker.

Thirdly, the selective revelation in Alex's post makes it clear how easy it is to manipulate the data, even metadata, to present a wrong impression of someone, perhaps in order to escalate further selective investigation and revelation to pursue lawbreakers and troublemakers.

Fourth, almost no actual terrorist plots or things the public has been marketed these powers for have been tackled. No actual terrorist attacks have been halted by the FBI, save one, sort of. The real ones proceed fine. The fake FBI ones are probably just to scare the casual observer into giving them more power. All the powers have been directed at broad collection of everyday people- maybe just because they can, but it has nothing to do with terrorism.

Fifth, essentially the only people prosecuted by the intelligence community have been whistleblowers- people who make trouble by breaking the law by telling the voters what their democracy has been doing to them.

Unless of course your ex-boyfriend/girl-friend works at NSA.


What DO they care about?

Of course they don't care about your BBQ. They care once you stop BBQing.

What HAVE they ACTUALLY used the data for?

I'll give you a hint, it hasn't really been for what they claim.

Nice post, Alex.

Terry Gilliam's "Brazil" has become reality.

"Fortunately, President Obama has announced that the bulk collection of phone calls will end."


If it wanted to, I expect that China could set up wireless eavesdropping stations in, for example, Washington DC and collect meta data on everyone who makes a cell phone call in the Washington area.

Similarly, I expect that a sufficiently motivated person with ten million or so dollars to spend could collect meta data on all of Wall Street.

The NSA is not the only meta data threat - they have the easiest access but also the least motive to actually use the data for nefarious purposes. Focusing on Washington or New York, it would only take about 25 bits of information (in the information theory sense) to associate a cell phone with a person.

I find it entertaining, and immensely ironic, that some on here justify the NSA surveillance by assuming the government's good intentions. They must also believe that the IRS did not target Tea party non-profits for political purposes, despite the facts that make it obvious that they did. I find it sad that others argue that since it won't be their front door that they kick-in at 3am, that there is no reason for them to bother themselves. Finally, I am amazed at the widespread acceptance that only "meta" data was/is collected without ANY fact based details of what that actually entails, as well as the willful ignorance of several (supposedly) now discontinued programs (which were/are almost certainly illegal) run by the same people. Power corrupts. The Intelligence Courts are a joke when it comes to balancing our rights with government's claimed needs. The evidence shows the judges do not. We need either to limit the scope of this snooping, or install far more robust (adversarial) balance into the process. It is so clearly unreasonable search and seizure (BOTH, obviously) of our information that it's hard to believe anyone can conclude otherwise. For US citizens communicating with others in the USA, the meta data that the government can collect should be precisely defined, including both voice and internet data. Then we can discuss it democratically. In my opinion, if it is not expressly approved for government to collect, then it should be illegal. It wasn't so long ago that our government was torturing detainees, after they reclassified some of the previously agreed to torture processes. Point is, the only limit on government reach is us and what we are willing to tolerate.

"They must also believe that the IRS did not target Tea party non-profits for political purposes, despite the facts that make it obvious that they did."

The facts make it obvious that they didn't, but whatever.

They did even if they didn't. Wasn't the whole justification for delaying them that they were thought to be too political for the status sought?

Yes, of course, if the government abuses its power, bad things happen. We've seen that lately at the IRS. But in an era when Target sends baby coupons to teenagers so newly-pregnant that her parents don't know about her new status, freaking out about one more avenue of privacy loss seems overdone.

The power of the pattern recognition algorithms grows ever stronger. The number of data streams grows ever more diverse. Do the math and get over yourself.

Translation: because you have your neighbors over for coffee a couple times a week, the police should be able to let themselves into your house and have a look around whenever they feel like it. Geez, you're already letting people into your house. Get over yourself.

"Fortunately, President Obama has announced that the bulk collection of phone calls will end. Dismantling that illegal program is a start. Obviously, this would not have happened without the revelations of Edward Snowden."

The credulity on display is more than the usual amount from pro-Snowden types. The bulk collection of phone calls will not end. Your phone company will still collect the records and the government can still gain access to them without much effort and in a way that renders "unconstitutional" claims moot.

If I sent my thank you card to the Kremlin, do you think Snowden will get it eventually?

Not necessarily. The Supreme Court will likely revise the third party and pen register nonsense. Even so, say the SupCo farks the pooch again. So what? That is what "is a start" means.

Toward one anti-Snowden Red Herring, if we don't want Iranians to have our Terminator technology, let's not lose one over their country. Likewise, if we didn't want Snowden to take his hilariously easily stolen powerpoint slides to the USSR we shouldn't have been spying on people...shouldn't have chased Snowden there...maybe not given access to such a disaster to such low-level employees with criminally poor opsec...I could go on and on and on and on.

They are spying on us, US citizens, not Russia, really. And where went the laser focus on International Islam? We shift our bogeymen pretty quickly. This is because the bogeyman is the marketing so they can have the power to spy on us so they can use selective presentation and parallel construction.

Feel free to prove me wrong. You can't.

"The Supreme Court will likely revise the third party and pen register nonsense."

In which case will this be decided?

"if we didn’t want Snowden to take his hilariously easily stolen powerpoint slides"

Snowden didn't just take the slides. He stole almost 2 million classified files from at least 3 different countries. The info from the slides is all that's been published so far.

"They are spying on us, US citizens, not Russia, really."

Here's the mistake you are making here. You are assuming that because US citizens were spied on, that only US citizens were spied on. You should not make that assumption, then say things like "Prove me wrong."

Because that should be relatively easy....
