Sunday, June 8, 2014

It's More than Metadata

Originally from April 29, 2014

Edited and updated September 29, 2014

First of all, what is metadata? The Guardian tells us, based on what you use (again, thanks to Rayne):

Phone
  • phone number of every caller
  • unique serial numbers of phones involved
  • time of call
  • duration of call
  • location of each participant
  • telephone calling card numbers
Email
  • sender's name, email and IP address
  • recipient's name and email address
  • server transfer information
  • date, time and timezone
  • unique identifier of email and related emails
  • content type and encoding
  • mail client login records with IP address
  • mail client header formats
  • priority and categories
  • subject of email
  • status of the email
  • read receipt request
Web Browser
  • your activity including pages you visit and when
  • user data and possibly user login details with auto-fill features
  • your IP address, internet service provider, device hardware details, operating system and browser version
  • cookies and cached data from websites
Google Searches

  • your search queries
  • results that appeared in searches
  • pages you visit from search
Twitter
  • your name, location, language, profile bio information and url
  • when you created your account
  • your username and unique identifier
  • tweet's location, date, time and timezone
  • tweet's unique ID and ID of tweet replied to 
  • contributor IDs
  • your follower, following and favorite count
  • your verification status
  • application sending the tweet
Facebook
  • your name and profile bio information including birthday, hometown, work history and interests
  • your username and unique identifier
  • your subscriptions
  • your location
  • your device
  • activity date, time and timezone
  • your activities, likes, checkins and events
Camera
  • photographer identification
  • creation and modification date and time
  • location where photo was taken
  • details about a photo's contents
  • copyright information
  • camera make and model
  • camera settings: shutter speed, f-stop, focal length and flash type
  • photo dimensions, resolution and orientation

John Oliver asks Keith Alexander "then why are you collecting it?"
Watch the interview here from YouTube


I particularly liked the end where Alexander likes the "NSA listens" motto, since they sued over this satirical emblem.

(Now in October, John has been doing excellent investigative journalism on the show.)

Sunday April 27 was the first night of John Oliver's new show on HBO, and his first guest was retired NSA director Keith Alexander.  Kevin Gosztola has a great piece describing how Oliver was the first journalist (fake or real) to grill Alexander since the Snowden revelations last June.

Kevin writes that

"One exchange stood out, however, because it seemed to be the first time on a television program that Alexander had been asked about wanting the NSA to “collect everything.”"

The New York Times wrote a review of the show, but besides showing a photo of the interview with Alexander, the article didn't discuss the interview, only saying that "There was a sit-down interview."

Oliver brought up phone metadata collection under Section 215 of the PATRIOT Act, although without mentioning it by name, saying that NSA was looking for needles in a haystack but also collecting the farm, town, county and state. Alexander responded that "NSA doesn't do this alone," saying again, as many NSA defenders do, that "it's all legal" because Congress and the FISA Courts oversee the program. "NSA doesn't do this alone" can also refer to the fact that NSA collects for FBI, as we see in the Verizon 215 order. Most stories fail to mention or explain collections under the FISA Amendments Act Section 702 as well as Executive Order 12333 collections, which Senator Ron Wyden just mentioned again as collecting data on Americans in an interview on Meet The Press (see 1:36, where he mentions medical records and purchases as some examples).

The one part of the interview that stood out for me was where Oliver recognizes a key part of the debate that I feel has not had much attention paid to it, at least not this clearly, in discussing the 215 program: why would NSA collect US metadata if it didn't find it important? It's not only about reading everyone's emails or listening in on phone calls; it's about the collection in the first place. EFF and other internet security experts have shown that a list of all the calls you made can often be more than enough to compromise your privacy.
What they are trying to say is that disclosure of metadata—the details about phone calls, without the actual voice—isn't a big deal, not something for Americans to get upset about if the government knows. Let's take a closer look at what they are saying:
  • They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. But they don't know what you talked about.
  • They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.
  • They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don't know what was discussed.
  • They know you received a call from the local NRA office while it was having a campaign against gun legislation, and then called your senators and congressional representatives immediately after. But the content of those calls remains safe from government intrusion.
  • They know you called a gynecologist, spoke for a half hour, and then called the local Planned Parenthood's number later that day. But nobody knows what you spoke about.
Sorry, your phone records—oops, "so-called metadata"—can reveal a lot more about the content of your calls than the government is implying. Metadata provides enough context to know some of the most intimate details of your lives.  And the government has given no assurances that this data will never be correlated with other easily obtained data.
So while we debate whether Snowden is a traitor or a hero, or tell people "if you aren't doing anything wrong you have nothing to fear," Oliver is the first to directly challenge Alexander by pointing out that they wouldn't be collecting it if they didn't think there was a value in metadata.

The Running List of What NSA can do so far, from WNYC's The Brian Lehrer Show

  • It can track the numbers of both parties on a phone call, as well as location, time and duration. (More)
  • It can hack Chinese phones and text messages. (More)
  • It can set up fake internet cafes. (More)
  • It can spy on foreign leaders' cell phones. (More)
  • It can tap underwater fiber-optic cables. (Clarification: Shane Harris explains that there were reports the NSA was trying to tap directly into cables using submarines, but is now more likely trying to intercept information once it has reached land.) (More)
  • It can track communication within media organizations like Al Jazeera. (More)
  • It can hack into the UN video conferencing system. (More)
  • It can track bank transactions. (More)
  • It can monitor text messages. (More)
  • It can access your email, chat, and web browsing history. (More)
  • It can map your social networks. (More)
  • It can access your smartphone app data. (More)
  • It is trying to get into secret networks like Tor, diverting users to less secure channels. (More)
  • It can go undercover within embassies to have closer access to foreign networks. (More)
  • It can set up listening posts on the roofs of buildings to monitor communications in a city. (More)
  • It can set up a fake LinkedIn. (More)
  • It can track the reservations at upscale hotels. (More)
  • It can intercept the talking points for Ban Ki-moon’s meeting with Obama. (More)
  • It can crack cellphone encryption codes. (More)
  • It can hack computers that aren’t connected to the internet using radio waves. (Update: Clarification -- the NSA can access offline computers through radio waves on which it has already installed hidden devices.) (More)
  • It can intercept phone calls by setting up fake base stations. (More)
  • It can remotely access a computer by setting up a fake wireless connection. (More)
  • It can install fake SIM cards to then control a cell phone. (More)
  • It can fake a USB thumb drive that's actually a monitoring device. (More)
  • It can crack all types of sophisticated computer encryption. (Update: It is trying to build this capability.) (More)
  • It can go into online games and monitor communication. (More)
  • It can intercept communications between aircraft and airports. (More)
  • (Update 1/18) It can physically intercept deliveries, open packages, and make changes to devices. (More) (h/t)
  • (Update 1/18) It can tap into the links between Google and Yahoo data centers to collect email and other data. (More) (h/t)
  • (Update 4/2) It can monitor, in real-time, YouTube views and Facebook "Likes." (More)
  • (Update 4/2) It can monitor online behavior through free Wi-Fi at Canadian airports. (More)
  • (Update 4/2) It can shut down chat rooms used by Anonymous and identify Anonymous members. (More)
  • (Update 4/2) It can use real-time data to help identify and locate targets for US drone strikes. (More)
  • (Update 4/2) It can collect the IP addresses of visitors to the Wikileaks website. (More)
  • (Update 4/2) It can spy on US law firms representing foreign countries in trade negotiations. (More)
  • (Update 4/2) It can post false information on the Internet in order to hurt the reputation of targets. (More)
  • (Update 4/2) It can intercept and store webcam images. (More)
  • (Update 4/2) It can record phone calls and replay them up to a month later. (More)
  • (Update 6/2) It can harvest images from emails, texts, videoconferencing and more and feed it into facial recognition software. (More)
Instead of asking "Is Snowden a Traitor or a Patriot?" they can decide to take 5 minutes and tell us what he revealed. And no, it's not just phone metadata.
