Skip to main content

Metadata matters: how phone records and obsolete laws harm privacy and the free press

Metadata matters: how phone records and obsolete laws harm privacy and the free press


The AP scandal shows who you call can matter as much as what you say

Share this story


Between the IRS admitting it targeted conservative political groups and the never-ending debacle over the US embassy raid in Benghazi, the Obama administration has had to deal with a full plate of scandals this week. It topped off on Monday, when the Associated Press revealed that the Department of Justice had issued a subpoena to conduct a sweeping surveillance campaign against its reporters over the course of two months.

Immediately upon hearing this, some people took it to mean that the US government had tapped the AP’s phone lines and listened in on conversations between reporters and confidential sources. In reality, the DOJ’s surveillance had collected phone records — numbers, call durations, location data, and other telecommunications byproducts — not the content of the communications themselves. But that doesn’t mean that journalists and the American public at large have no reason to be shocked and appalled by the intrusion.

Members of the press and Congress are right to be alarmed by the DOJ’s surveillance campaign, which reportedly began last year to investigate a leak regarding a foiled terror plot. Far from being “harmless,” the gathering of telecommunications metadata or “non-content” information can be incredibly damaging to a reporter’s work and integrity — or a regular citizen’s privacy. Moreover, the fiasco highlights once again that all Americans, journalists or otherwise, are still in the doghouse when it comes to data privacy laws.

“There are whole categories of information for which the metadata is as sensitive as the content.”

“There are whole categories of information for which the metadata is as sensitive as the content,” said Chris Soghoian, ACLU’s principal technologist and senior policy analyst, in a phone interview with The Verge. For a regular person, it could be something like calling an addiction hotline or sending a text message to a number which donates money to a political campaign — what was discussed or how much you donated isn’t particularly important next to the knowledge that you called, texted, or emailed in the first place.

In a 1997 paper that circulated heavily on Twitter following news of the Justice Department’s AP surveillance, University of San Francisco law professor Susan Freiwald explains how gathering this kind of non-content data can go horribly wrong:

For example, some information can be used to incriminate those who communicate with people involved in criminal enterprises. Further, some information can incriminate even without connecting the subject to other suspects. Several courts have held that an unusual volume of calls made immediately before, during, and after sporting events furnishes strong evidence that the caller is engaged in a gambling operation. Besides incriminating those who violate the law, communication attribute information yields evidence of those with whom one associates, and the sources of one's information.It's the same thing that plunged former CIA chief General David Patraeus into scandal last November. As the Wall Street Journal explains it, law enforcement tracking down Patraeus' mistress Paula Broadwell "used metadata footprints left by the emails to determine what locations they were sent from. They matched the places, including hotels, where Ms. Broadwell was during the times the emails were sent. FBI agents and federal prosecutors used the information as probable cause to seek a warrant to monitor Ms. Broadwell's email accounts."

Warrantless access to data showing the date, time, duration, and participants involved in a communication can be especially dangerous for journalists working with confidential sources. Soghoian notes that in a leaks investigation, most of the actual leaking happens in person — phones are simply used to arrange meetings. So in the end, it’s the non-content records — like those collected in secret from the AP — that really matter. “Which officials are talking to which journalists is what they’re after,” he says, “and it just happens to be that that’s the information that currently gets the lowest protection under US law.”

Normally, the DOJ has a much stricter set of internal rules for collecting that information from members of the press. But the guidelines seem to have been violated in this instance, and Attorney General Eric Holder, backed into a corner during a House Judiciary Committee hearing on Wednesday over his non-involvement in the case, is now calling for the reintroduction of a media shield law to protect journalists from future government intrusions.

As for average citizens, who have much weaker protections than journalists doing their jobs, it all comes back to that ancient and notoriously weak privacy law that keeps allowing the US government to capture data en masse without any warrants or legal repercussions: the Electronic Communications Privacy Act (ECPA) of 1986.

Thanks to a 1976 court decision citing something called the “third party” doctrine, ECPA still interprets the creation of incidental data — the kind generated as a byproduct of using telecommunications, like call records — as data “given” to a third party. Therefore, the court decided, there is no “reasonable expectation” of privacy for this information, so it’s all fair game for any federal prosecutor with a subpoena. A New York judge recently took that even further, saying that the only way you can expect to have privacy is by leaving your phone off.

A federal judge recently said the only way to expect privacy is by leaving your phone off

Of course, this is a ridiculous position to be in at a time when ubiquitous, internet-connected mobile communications devices constantly leave geolocation data, web browsing habits, and more in the hands of phone companies and service providers. In the Supreme Court, Justice Sonya Sotomayor has agreed that the argument is "ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks." That information also includes opened emails, emails unopened after 180 days, text messages, IP addresses, and more — all of which require no warrant for the government to obtain them under the current law.

But perhaps the newest and most dangerous development in considering all this free-flowing metadata is that in recent years, it has become incredibly easy to build tools that scrape, scan, and exploit it. Companies like the US-backed Palantir sell Minority Report-style software meant to analyze enormous metadata sets for evidence of future crimes and terrorism. Yet the law still reflects a time when this information wasn’t considered sensitive, and had to be parsed by hand.

Simply put, a free press can not report meaningfully on matters of national importance when they have reason to believe their activities might be logged and algorithmically analyzed by the government at all times — nor can the general public speak freely. The Obama White House has proudly trumpeted its aggressive crackdown on leakers, which saw the draconian Espionage Act invoked more times than during every US administration combined. Perhaps now, Congress will be asking whether that’s really a world we want to live in.