Taking the “Meh” out of Metadata

How the government can discover your health problems, political beliefs, and religious practices using just your metadata.

Woman talks on mobile phone at night
How much can the government really learn about us without knowing what we’re saying in our calls and texts?

Photo by Thinkstock

This week brought a new round of revelations about yet another National Security Agency surveillance program, this one created to hoover up details about how individual Americans use the Internet. The new disclosures were met by most observers with a fatalistic shrug. After all, we’ve quickly grown accustomed—or at least desensitized—to the fact that the government is looking at much of the information we voluntarily provide to others. And the material being collected in this case was only “metadata”:  the details of when, where, and how we used the Internet—not what we actually read or wrote.

Should NSA sweeps of our “to” and “from” lines be fair game? How much can the government really learn about us without knowing what we’re saying in the text?

The legality of the “telephony metadata” program—the initiative revealed by Glenn Greenwald in the Guardian in June that showed the government collecting telephone records of Americans on a mass scale—will be considered by a federal district judge in Manhattan on Friday. According to the now disclosed orders of the secret Foreign Intelligence Surveillance Court, such “metadata” includes “the originating and terminating telephone number and the time and duration of any call.” It also includes information about the location of both parties to the call and the international mobile subscriber identity (IMSI) and international mobile station equipment identity (IMEI) numbers, which allow Uncle Sam to “identify the user or device that is making or receiving a call.” But because it doesn’t include the content of the phone calls, the story goes, there’s no invasion of our privacy. Nothing, therefore, to worry about?

As Professor Edward Felten, director of the Center for Information Technology Policy at Princeton University, explains in a declaration filed in that phone records case, our metadata in fact tells the government a lot more about us than we might realize, especially when different types of metadata are aggregated together. Consider calls to single-purpose hotlines: NSA collection of our metadata means the government knows when we’ve called a rape hotline, a domestic violence hotline, an addiction hotline, or a support line for gay teens. Hotlines for whistleblowers in every agency are fair game, as are police hotlines for “anonymous” reports of crimes. Charities that make it possible to text a donation to a particular cause (say, Planned Parenthood) or political candidate or super PAC could reveal an enormous amount about our political activities. And calling patterns can reveal our religious beliefs (no calls on Sabbath? Heaps of calls on Christmas?) or new medical conditions. If, for instance, the government knows that, within an hour, we called an HIV testing service, then our doctor, and then our health insurance company, they may not “know” what was discussed, but anyone with common sense—even a government official—could probably figure it out.

But there’s more, says Felten: By analyzing our metadata over time, the government can separate the signal from the noise and use it to identify behavioral patterns. The government can determine whether someone is making lots of late-night calls to someone who isn’t his spouse, for example. When those calls cease, the government might reasonably conclude that the affair has ended. Metadata may reveal whether and how often someone calls her bookie or the American Civil Liberties Union or a defense attorney. And by analyzing the metadata of every American across a span of years, the NSA could learn almost as much about our health, our habits, our politics, and our relationships as it could by eavesdropping on our calls. It’s not the same thing, but the more data the government collects, the more the distinction between metadata and actual content disappears.

And that’s just telephony metadata. This week’s disclosures confirmed that the government has collected years’ worth of our Internet metadata as well. And there’s little reason to believe that other species of metadata have not also been vacuumed up—perhaps our financial records, software metadata, and the potential goldmine of our everyday commercial transactions. We might well think we don’t have an expectation of privacy in information we separately provide to Amazon, Bank of America, Costco, Facebook, and Walgreen’s, but only the government is in a position to aggregate all of that data and thereby build a comprehensive accounting of our lives by examining everything but the “content.” The Obama administration has insisted that it is not actually accessing these vast stores of data without some kind of individualized suspicion. But such restraint is not required under any statute, and future administrations may not feel similarly circumspect. In any event, every new round of NSA disclosures brings with it fresh reports of “compliance incidents,” where such records were accessed despite such promises.

These concerns highlight the significance of the pending legal challenges to the telephony metadata program. We may not get as excited about the government’s sweeping collection of our metadata as we have been over eavesdropping, subway searches, or stop-and-frisk policies, but that may only be because we don’t fully appreciate just how invasive and intrusive these separate data streams can become, once someone is in a position to put them all together.