The Real Reason Why Metadata Collecting is Dangerous

It was the news that (we’re guessing) launched a million Google searches. The question: “What is metadata?”

Recent revelations that the NSA is netting tons of our metadata prompted Americans to investigate what that means, exactly. But the definition of metadata, and recent coverage, doesn’t tell the whole story of why this news is concerning. Metadata is information about your messages -- who sent and received them, when they were created, where you were when they were sent, and how they were sent.

It doesn’t contain the content of the call itself – but that’s partly why it’s dangerous: Metadata holders can manipulate it to tell almost any story about you.

If someone has the metadata from your phone, they can discern not only who you know, but how frequently you talk. They can develop a rough outline of your personal life.

We can infer a lot about you by knowing if you frequently call a plumber, pizza parlor or porn site.   What you say to them is only marginally more informative.  But, other calls are more ambiguous and loaded with meaning.

Calling a medical specialist a lot may tell me you have a chronic medical condition, or that your wife is a doctor. Calling an attorney might mean you have legal problems, or that you’re a journalist doing research for a story. Investigators, advertisers, or any other party that has it can take the metadata they’ve gathered and then cross-reference this information to make educated guesses as to your activity. Are you speaking with an oncologist or an obstetrician?  A divorce lawyer or estate planner? But again, the keyword there is guesses.

Critically, the new information about NSA spying applies to metadata that has traditionally been private. Much, possibly most, metadata is public. Public metadata can be location attached to tweets or posts and unprotected personal information on sites like Facebook. In short, law enforcement, advertisers, and militaries don’t need to know what you’re saying. With metadata, they can build a model of your lifestyle and habits with or without recordings of your phone conversations. These are the models that advertisers use to determine which ads to show you. And a surprisingly small amount of it can accurately identify most people.

How and when authorities act on this information depends on their interpretation. Sometimes, the picture they assemble of targets isn’t accurate. And that can lead to unnecessary arrests, unexplained detention, and further invasion of privacy through more searches.

The NSA has also been saying that these targets are strictly outside of the United States, because that’s all that the Foreign Intelligence and Surveillance Act allows. But metadata about communication is a two-way street, so to speak. Foreigners often call Americans and vice-versa. The NSA has claimed the same restrictions on the PRISM program, the technologically nebulous program that allows the NSA to collect content of Internet communications—supposedly on an individual basis rather than en masse. The content that falls under PRISM's collection capabilities, unlike the metadata from the phone system, does include recordings of voice and video calls, private Facebook posts, and the text of email in Gmail. While the content (along with metadata) collected by the NSA programs may be legally restricted to foreigners, merely talking about an American in an email or mentioning one in a Skype call will put the American’s name on record.

It may be true that, according to Director of National Intelligence, James Clapper, “[i]t cannot be used to intentionally target any U.S. citizen.” But intention is separate from the capability and the nature of surveillance. Americans are being surveilled by the vacuuming of metadata and the targeted collection of content, intentionally or not.

There’s  already a debate in the privacy community about whether metadata could be even more valuable to militaries and law enforcement than data itself. If that’s true, then the barriers to collect metadata should be even higher than those to collect content. Instead we have allowed the NSA to dismantle the barriers entirely.