Industry Buzz discussed, earlier this year, President Obama’s speech regarding reform of the National Security Agency. Addressing the nation on January 17, Obama said he would recommend that the bulk collection of phone records be removed from the hands of the government and possibly into the hands of multiple, private third parties in addition to creating further restrictions on the use of National Security Letters. At the time, he instructed the Justice Department to construct proposed legislation by March 28th, this Friday, that would tackle those issues.
According to The New York Times, the new proposal expected soon to hit the floor of Congress would end the NSA’s bulk collection of Americans’ phone records and would allow phone companies to retain such data as they always have. Phone companies would also not be required to retain customer data for any longer than they normally do. Furthermore, the proposal would limit the NSA’s access to such data. The agency would need to get permission from a judge and obtain a new type of court order before pursuing phone companies.
Even if all branches of government immediately pass the proposal, expansive changes to the NSA’s practices may not take effect for 90 days following its approval. In addition to the proposed changes outlined above, the Obama administration will ask the Foreign Intelligence Surveillance Court to approve continuance of the current program for an additional 90 days while aspects of the legislation are put in order.
Assuming that everything goes to plan, the legislation would place further regulations upon the shoulders of the phone companies as well as the NSA. The Times says phone companies persuaded by court order to deliver phone data to the NSA would be required to hand over data “swiftly” and in a “technologically compatible data format.”
The NSA would be limited to seeking out records only two “hops” removed from a suspicious person. So, a court order may grant the agency the phone records of a suspicious person, a person he or she has called, and a third person that a second person has called. The granting of two hops is down from the previously-allowed three hops, this proposal formalizing a reduction the President said in January that he would immediately mandate of related government agencies.
The government has long argued that the collection of phone data is largely harmless to U.S. citizens because the NSA is only collecting metadata — phone numbers and call duration, but not citizens’ names. A recent study by a Stanford graduate student Jonathan Mayer, however, contradicts the claim by New York District Judge William H. Pauley that any possible inferences gained by looking at metadata constitutes a “parade of horribles.”
In essence, the study finds that metadata can, in fact, reveal sensitive information about callers and that such revealed information has not been cherry-picked to demonstrate what could happen in a small variety of cases. On the contrary, the ability to find sensitive information is not just possible but arguably is easy.
Mayer instructed 546 participants to install his MetaPhone app on their Android smartphones. The app collected information about phone calls the participants made as well as information related to their social networking habits on Facebook. Across the course of the study, the MetaPhone found that the participants contacted 33,688 unique phone numbers. And by matching those phone numbers with information from public Yelp and Google Places directories, Mayer was able to find the identity of the people who owned 6,107 (18%) of those numbers.
By making “straightforward inferences,” such as expecting callers’ religious or political affiliations to match up with their at-length calls to related institutions, Mayer listed affiliations he expected callers to have. He then compared those expectations with data available on the callers’ Facebook pages. In one instance regarding religious affiliation, he provides this statement:
“The case of religious organizations gave us an opportunity to check the precision of our inferences. Since the MetaPhone app collects a user’s religion from his or her Facebook profile, we could compare phone metadata inferences against ground truth. There were 15 participants with both a well-defined religious status on Facebook (including atheism) and phone contact with a religious organization. Using just the naïve assumption that a person’s most-called religion is their own religion, we accurately identified the religious status of 11 of the 15 (73%).”
He was also able to corroborate one user’s medical condition (cardiac arrhythmia) and a second user’s firearm ownership (semi-automatic rifle) by analyzing their respective calls to medical centers and firearms manufacturers by similarly matching up their phone records to public information. Mayer’s research group also contacted both participants to verify that their inferences about the medical condition and gun ownership were true.
The coming weeks will be telling for how the various branches of government handle proposed legislation related to the issue of phone records and data collection. Mayer’s inferences about the sensitivity of such information makes the change seem all the more necessary but perhaps a little too late.
Image courtesy of Ildar Sagdejev via Wikimedia Commons