ACLU Report On Metadata Details Law Enforcement Abuse, Shows There's No Clear Cutoff Between Content And Data

from the you-have-a-friend-request-from-GOVERNMENT dept

The ACLU of California has put together a thorough report on metadata, the information harvested daily by the NSA, as well as by several private contractors working in conjunction with law enforcement and investigative agencies.

Those involved in this harvesting often downplay the true impact of this information, which is often accessed without a warrant, claiming that what's gathered amounts to nothing more than tiny, abstract data points. This couldn't be farther from the truth, but pushing this narrative allows the Third Party Doctrine (information voluntarily given to third parties carries no expectation of privacy) to be invoked and the Fourth Amendment (protection against unreasonable searches) to be buried.

The report goes into great detail on just how much metadata can reveal about a person, something these agencies know but are in no hurry to admit to the public. The entire report is an eye-opening read -- the sort of thing that should be put in the hands (or eyes, I suppose) of anyone out there who's still buying into the deflection tactics deployed by the NSA and others.

The ACLU makes a very good point about how the delineation between metadata and content isn't nearly as clear as surveillance proponents make it out to be.

Although this distinction may appear clear, it quickly becomes blurry on closer examination. For example, technically speaking, a URL is very much a “delivery instruction;” it specifies the address of the web page that you are requesting. But it is also content: requesting a web page essentially means sending a message saying “please send me back the page found at this URL.” In addition, a single URL reveals exactly which page was sought, and thus exactly what content was received…

In addition, whether information is content or metadata can depend not only on the type of information but also on the context in which it is created or used. This means that exactly the same information can be content in one situation and metadata in another. For example:

Your location may or may not be content depending on context. If you call your friend and say “I am at Starbucks,” the words you speak are content. If you use your smartphone to “check in” with Foursquare, that check-in is also content. But many courts have held that your cell carrier’s record of the location of your phone at the exact same moment is not content. And what if you take a picture or post a Tweet that you tag (intentionally or unintentionally) with your current GPS coordinates?

The identity of your friends and contacts may or may not be content depending on context. If you write an email stating that “John is my friend,” that statement is content. But it is less clear whether the fact that John is on your Facebook friend list is also content, even though it conveys exactly the same message.
The agencies helping themselves to this data are wholly unconcerned that this data could also be considered content. The laws governing these "records" have declared it all fair game. As the report points out, even Mike Morrell, the former CIA official, has admitted there's no clear distinction.
“There’s not a sharp difference between metadata and content. . . . It’s more of a continuum.”
But the law says they can have it, and so they take it.

Further on in the report, the ACLU points out that this cavalier attitude towards metadata, coupled with the ease of access, greatly encourages abusive "fishing expeditions."
In 2010, Michigan police sought information about every single phone located near the site of a planned labor protest without a warrant.

A Tennessee sheriff requested the location of his daughter when she was out past her curfew.

A police chief in South Carolina obtained four “tower dumps” providing information about every cell phone within range of two separate cell towers after his personal vehicle was burglarized.
As the ACLU states, these incidents are only the tip of the iceberg. Many more abuses of collected data are happening, most of which won't be exposed until long after the abuse has taken place. This isn't an indictment of law enforcement specifically, but a cautionary statement of what will happen and continue to happen until better legal safeguards are put into place. Easy access combined with a wealth of information is abuse waiting to happen.

While the focus of the past several months has been the NSA's surveillance programs, the most frequent requests for data come from law enforcement agencies. This means that even if the NSA has no interest in your metadata, there are a ton of agencies that might find it more fascinating.

Just as certainly as Target can figure out you're pregnant by tracking your shopping habits in its stores, agencies can draw plenty of their own conclusions from the wealth of metadata that's only a subpoena away (at most). And with news surfacing more and more frequently that law enforcement and security agencies are equating dissent with terrorism, this non-stop collection of metadata has the potential to drag those that are simply unhappy with the status quo into their ever-widening surveillance nets -- and quite possibly into the gears of the criminal justice system itself.

There's no such thing as "just metadata." Given enough data points, anyone's life is an open book -- one that can be perused at will by a variety of government agencies. The fact that these agencies rely on outdated decisions and make clunky, dusty comparisons (no more expectation of privacy than the outside of an envelope!) clearly exposes the hypocrisy at play: they love the advantages technological advances give them (and the massive amount of metadata these generate) but they have no desire to update the laws governing these so-called "business records." "Just metadata" is a lie -- a lie that services the surveillance state and makes a mockery of the phrase "expectation of privacy."

Reader Comments (rss)

(Flattened / Threaded)

  1. identicon
    Scote, Mar 3rd, 2014 @ 10:07am

    Search URL's **are** the content

    With searches the URL request **is** the content. If I search for "What are my rights under the Constitution?" a search string that includes the exact search terms is sent to Google, along with information on my browser set up.

    The search terms show up like this:

    URLs are content, for sure, showing some of our most private information, such as searches for health information.

    reply to this | link to this | view in thread ]

  2. icon
    AricTheRed (profile), Mar 3rd, 2014 @ 10:46am

    So what ackloo is saying is...

    ...that everyone that has access to my search metadata data i.e. ""

    knows that I slept with an un-clean woman?

    Man we really need to get this privacy stuff sorted, before I finish this prescription I'm on!

    reply to this | link to this | view in thread ]

  3. identicon
    Scote, Mar 3rd, 2014 @ 10:56am

    Re: Not a problem...

    Not a can just search Google for how to keep it a secret...

    There, fixed it for you :-)

    reply to this | link to this | view in thread ]

  4. icon
    MadAsASnake (profile), Mar 3rd, 2014 @ 11:16am

    Of course, they are collecting content too... you just need to look at the term "content metadata". This is information pointing to information within the content. This can often be the entirety of the message - and NSA has by a childish sleight of hand rebranded it as takeable. This stuff is, and always was content.

    reply to this | link to this | view in thread ]

  5. identicon
    Anonymous Coward, Mar 3rd, 2014 @ 11:39am

    "In 2010, Michigan police sought information about every single phone located near the site of a planned labor protest without a warrant."

    Why does a single phone need a warrant to be near a planned labour protest? What if the phone is not single?

    reply to this | link to this | view in thread ]

  6. identicon
    Anonymous Coward, Mar 3rd, 2014 @ 12:41pm

    Just a Record

    What you say is private.
    A record of what you say isn't.
    Makes perfect sense.

    reply to this | link to this | view in thread ]

  7. identicon
    Michael, Mar 3rd, 2014 @ 1:16pm

    Re: So what ackloo is saying is...

    What the ACLU is saying is if you have metadata like:

    1) Your search URL
    2) Your $50 ATM withdrawal
    3) Your previous search for action on Craigslist
    4) The telephone call between you and a woman you have never contacted before
    5) The GPS coordinates of your phone in an alley behind Friendly's

    they can identify what happened with near 100% accuracy.

    If they actually had telephone recordings of all calls in the US for the past 10 years (which no longer seems like a stretch to imagine), it would be useless until you mined the calls for meta-data. They don't have any interest in listening to billions of phone calls - knowing who called who and when is FAR MORE USEFUL when you have to do analysis of this scale.

    reply to this | link to this | view in thread ]

  8. identicon
    Anonymous Coward, Mar 3rd, 2014 @ 1:50pm


    Sorry, but marrying your phone is only legal in Hawaii.

    reply to this | link to this | view in thread ]

  9. identicon
    Tom Holsinger, Mar 4th, 2014 @ 1:29pm


    The NSA's secret data mining software of today will be smart phone apps in 15 years.

    reply to this | link to this | view in thread ]

  10. identicon
    George, Mar 4th, 2014 @ 3:53pm

    Re: Re: So what ackloo is saying is...

    1, 2, 3 are content. 4 is metadata. 5 can be either, depending on where and why the data was sent.

    It is really very simple to seperate content from metadata. Metadata is the information you need to give to your phone company/ISP to allow them to provide the service. Content is the part that they do not care about.

    A URL is content. The fact that you opened a TCP connection to IP a.b.c.d on port 80 and sent N bytes, receiving R bytes is reply is metadata.

    reply to this | link to this | view in thread ]

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
Insider Shop - Show Your Support!

Hide this ad »
Essential Reading
Techdirt Deals
Techdirt Insider Chat
Techdirt Reading List
Hide this ad »
Recent Stories
Hide this ad »


Email This

This feature is only available to registered users. Register or sign in to use it.