Some would argue that metadata is pretty harmless. It’s just ingoing and outgoing phone numbers, plus the length of those calls, right? The NSA is “not looking at people’s names, and they’re not looking at content,” President Obama told reporters last June.
According to the official narrative, monitoring metadata is no big deal. But two Stanford University researchers wanted to see how “sensitive” metadata actually was. So they enlisted hundreds of volunteers to install an app called “MetaPhone” on their Androids to pick up that metadata over several months. What they found shocked them.
“The degree of sensitivity among contacts took us aback,” co-authors Jonathan Mayer and Patrick Mutchler wrote on Web Policy, Mayer’s blog. “Participants had calls with Alcoholics Anonymous, gun stores, NARAL Pro-Choice, labor unions, divorce lawyers, sexually transmitted disease clinics, a Canadian import pharmacy, strip clubs, and much more.”
The point is, they found, it’s actually really easy to identify names and infer very intimate details about a person’s life just from phone metadata. And things got a lot creepier, and potentially devastating, when researchers posted real samples of what these metadata-informed stories could tell. Take, for example, Participant E:
Participant E had a long, early morning call with her sister. Two days later, she placed a series of calls to the local Planned Parenthood location. She placed brief additional calls two weeks later, and made a final call a month after.
The researchers’ write-up cites several other examples like the one above. But take a minute to consider how a breach of privacy might affect Participant E. Whatever kind of service she sought from Planned Parenthood, whether it be an abortion or a routine sexual health check-up, patients and doctors have received threats for even stepping inside a Planned Parenthood clinic. Someone wielding that information about her, and those patterns of calls, could potentially do her serious harm. Moreover, it’s Participant E’s legal right to access safe reproductive care, and it’s her legal right to keep that private under the HIPAA privacy rule–though HIPAA does make an exception for vague “lawful intelligence” purposes.
Should that lawful intelligence include the trawling of millions of phone metadata records?
“Phone records held by the NSA and telecoms span millions of Americans over multiple years,” researchers concluded. “Reasonable minds can disagree about the policy and legal constraints that should be imposed on those databases. The science, however, is clear: phone metadata is highly sensitive.”