What My Droid's Metadata Says About MeMy Travels, Tastes and Even Car Troubles Revealed
Jonathan Mayer, like many privacy advocates, challenges the National Security Agency's contention that the NSA's program to collect metadata from telephone calls does not violate individuals' privacy rights.
See Also: Passwords Alone Aren't Enough
True, the NSA doesn't spy on the content of the communications, but metadata can reveal a lot about individuals by analyzing who they call.
That debate depends upon factual assumptions. Our hope is to make sure that those factual assumptions are accurate.
Mayer and fellow Stanford University Ph.D. computer science candidate Patrick Mutchler are in the midst of a half-year crowdsourcing study, in which they hope to provide data to prove the bulk collection program permitted under section 215 of the U.S. Patriot Act does violate individuals' privacy rights.
The duo created an app called MetaPhone for study participants to download and run on their Android smartphones. The app collects data from the mobile devices' logs. As of March 12, the research project attracted 546 participants who contacted 33,688 unique phone numbers; the researchers identified 6,107 of those phone numbers, or 18 percent. A day later, I decided to join the crowd by downloading the app.
Fun Times in Old San Juan
What inferences did the instant analysis of the metadata on my Droid make about me? I recently vacationed in San Juan (calls to airline, hotel, tour group, airport parking garage, rental car company), love foreign cuisines (calls to Chinese, Ethiopian, Indian and Turkish restaurants) and have medical concerns (calls to my GP, rheumatologist and pharmacist). The metadata analysis even suggests I had car problems (calls to a local mechanic and auto club emergency road service). All the inferences are true.
The app identified the businesses I called by looking up their phone numbers in online directories provided by Yelp and Google.
Mayer says a lot can be inferred by identifying who someone calls, say their political affiliation (lots of calls to a campaign headquarters) or religion.
Eight percent of study participants placed phone calls to religious organizations. "If a person speaks at length with a religious institution, it appears likely that the person is of that faith," Mayer writes in a blog. "A further inference could also be made, that the person worships at that particular institution."
Fifteen participants who stated their religion in their Facebook profiles also had telephone contact with a religious organization. "Using just the naÃ¯ve assumption that a person's most-called religion is their own religion, we accurately identified the religious status of 11 of the 15," Mayer says.
Study participants allow the app to access to their Facebook profiles so researchers can check the precision of their inferences.
'Parade of Horribles'
The revelation from my logs were benign; not so of other participating in the study. Among organizations contacted by other study participants: Alcoholics Anonymous, gun stores, NARAL Pro-Choice, labor unions, divorce lawyers, sexually transmitted disease clinics, a Canadian import pharmacy and strip clubs.
"The degree of sensitivity among contacts took us aback. ... This was not a hypothetical parade of horribles (a reference to the language used in a judicial order upholding the bulk-collection program)," Mayer says. "These were simple inferences, about real phone users, that could trivially be made on a large scale."
Mayer, in a phone interview, says he hopes his research brings "scientific clarity" to the privacy properties of metadata. "There's a great policy debate flaring out and that debate depends upon factual assumptions," he says. "Our hope is to make sure that those factual assumptions are accurate."
The facts could be on the their side, but that doesn't mean the courts will make the same inferences about those facts as do Mayer, Mutchler and privacy advocates.