Metadata Not Anonymous at All, Stanford Researchers Show

If you're not concerned about government surveillance of your phone because the National Security Agency (NSA) only collects metadata, think again. A study from Stanford University shows that connecting "anonymous" metadata to compromising personal information is trivially easy.

Documents leaked in June by former NSA contractor Edward Snowden revealed that the organization was collecting metadata about calls placed to and from Verizon telephone lines. Although this revelation was potentially troubling, metadata collection is, in theory, not cause for concern.

The metadata about your phone calls does not reveal your name or identity, or the content of your conversations, but it does track the numbers you call, how long the calls last, and which other companies have your phone number in their directories.

Although the specific documents leaked in June concerned Verizon landlines, the NSA has since admitted that it collects metadata about mobile telephone calls and text messages as well.


Sen. Dianne Feinstein (D-Calif.), who heads the Senate Intelligence Committee, has said that collecting metadata is "not surveillance." Because the information, by itself, cannot identify individuals, Feinstein and the NSA hold that it is practically harmless for the government to collect it.

A research team operating out of Stanford University disagrees, and hopes to prove its point with a new Android app called MetaPhone. By accessing your phone number and your Facebook page, this app does what any NSA program could do: It acquires your metadata, then correlates it with your social-media information to see how much it can learn about you.

"Phone metadata is inherently revealing," wrote Jonathan Mayer and Patrick Mutchler, the app's designers, on a Stanford Law School blog. By using MetaPhone, you can submit your information to a Stanford research project so that Mayer and Mutchler can determine how easy it is for organizations to glean personal information from your supposedly non-revealing metadata.

When Tom's Guide tried the app, we found that the results supported Stanford's assertion: Dozens of different organizations had the phone number we tried on file. The NSA — or worse, a cybercriminal — would be able to find our name, our geographic location, our bank, our medical facilities and even our eating habits with just a simple cross-check online.

Whether the NSA is actually cross-referencing individual metadata is another question. The process is simple, but by no means efficient. Uploading and cross-checking data takes time, and to find more complex information, like a home address, would likely take some human oversight.

Like most NSA surveillance programs, you probably have nothing to worry about unless you're conspiring with terrorists or planning some kind of criminal activity. The question of whether the NSA should have access to such revealing data from everyday citizens, though, is a legitimate privacy concern.

Aside from participating in the MetaPhone study, there are a few things the average user can do to protect himself or herself. Not listing your phone number on your Facebook or Twitter profile makes you harder to track down.

If you're really paranoid, ditch your smartphone and use a new disposable phone every month. Forget about landlines; they're even easier to track than cellphones.

Follow Marshall Honorof @marshallhonorof and on Google+. Follow us @tomsguide, on Facebook and on Google+.

7 comments
  • From a theoretical standpoint, why would any fairly well informed IT pro think this is terribly difficult? Particularly given the computing horsepower cheaply and readily available to churn through the data.
    3
  • "Like most NSA surveillance programs, you probably have nothing to worry about unless you're conspiring with terrorists or planning some kind of criminal activity."

    Sure...until politics gets involved and political enemies are relabeled as terrorists. This is one cookie jar politicians won't be able to keep their hands out of.
    3