Are you still hearing, “But they’re just collecting metadata!” when the subject of the NSA’s rampant collection of information about us comes up? There is no such thing as “just metadata.” With enough different data points, your life becomes an open book that a variety of government agencies can examine at will. “Just metadata” is a big lie that supports the surveillance state, and makes a mockery of our expectation of privacy under the Fourth Amendment.
Last week the ACLU of Northern California Technology and Civil Liberties Project released Metadata: Piecing Together a Privacy Solution, a policy paper that explains some reasons why lawmakers originally decided to give metadata less protection than content, why those reasons are no longer valid, and what we can do to address the problem.
Keep in mind that metadata is information generated as you use technology. For phone calls, metadata includes the phone number of callers, serial numbers of phones involved, time and duration of call, and location of each participant. For emails, metadata includes (among other technical information) the sender’s and recipient’s name and email address, the sender’s IP address, the subject of the email, and the date, time and time zone. For Google searches (Google is so dominant in search engines that “to Google” has become a verb), metadata includes not only search queries and results but also pages you visit from those results. We generate metadata every time we use technology, and mostly we are blissfully unaware of it.
The introductory paragraphs of the policy paper paint a chilling scenario:
Imagine bringing a date home for dinner. You put the laptop away and mute your phone. You prepare a gourmet home-cooked meal for two, queue up a selection of romantic songs and pick out a movie to watch after dinner. As the evening winds down, your heart races a bit as you go in for a kiss and wonder how your night will end.
Now imagine that someone is monitoring each and every event of your evening. Oh, don’t worry, they’re not actually watching you or listening in on your conversation. They just know who you emailed or called just before you put your computer away. They know what you bought for dinner and how you prepared it. They know who came over, where he or she came from and how long he or she stayed. They know what time you started the movie and which songs you listened to. They even know what time you turned off the lights — and whether or not the music was still playing when you did. And they know all of this without ever getting a search warrant.
The ACLU report describes just how much metadata reveals about a person, a fact that government agencies know quite well but don’t want to admit to the public. The entire report is eye-opening and well worth reading, especially by anyone who still buys into the NSA’s attempt to deflect scrutiny by claiming they are “just collecting metadata.”
The report proposes five strong principles to guide the protection of metadata (abbreviated here):
➤ Protect Sensitive Information Regardless of Form
In order to adequately protect individual privacy, legal protections must apply to all sensitive personal information, regardless of the type or category of that information. This is the only way to produce a forward-looking regime that is capable of keeping pace with the rapid evolution of technology.
➤ Protect Sensitive Information Regardless of Possessor or Storage Location
The idea of robust privacy protections for metadata is fundamentally inconsistent with the third party doctrine. While there are various types of metadata that individuals generate and retain on their own device or otherwise in their possession, the overwhelming majority of metadata is created or captured by third parties.
➤ Protect Sensitive Information Derived from Data Aggregation
Comprehensive protection of metadata must also take into account the fact that large sets of data can reveal sensitive information that cannot be inferred from any specific element in that set. This means that privacy protections need to apply not only to data directly collected from an individual but also to any inferences or derivative information generated through the analysis of that data.
➤ Provide Tools and Guidance for Law Enforcement Access to Metadata