Metadata = Surveillance

Ever since reporters began publishing stories about NSA activities, based on documents provided by Edward Snowden, we've been repeatedly assured by government officials that it's "only metadata." This might fool the average person, but it shouldn't fool those of us in the security field. Metadata equals surveillance data, and collecting metadata on people means putting them under surveillance.

An easy thought experiment demonstrates this. Imagine that you hired a private detective to eavesdrop on a subject. That detective would plant a bug in that subject's home, office, and car. He would eavesdrop on his computer. He would listen in on that subject's conversations, both face to face and remotely, and you would get a report on what was said in those conversations. (This is what President Obama repeatedly reassures us isn't happening with our phone calls. But am I the only one who finds it suspicious that he always uses very specific words? "The NSA is not listening in on your phone calls." This leaves open the possibility that the NSA is recording, transcribing, and analyzing your phone calls -- and very occasionally reading them. This is far more likely to be true, and something a pedantically minded president could claim he wasn't lying about.)

Now imagine that you asked that same private detective to put a subject under constant surveillance. You would get a different report, one that included things like where he went, what he did, who he spoke to -- and for how long -- who he wrote to, what he read, and what he purchased. This is all metadata, data we know the NSA is collecting. So when the president says that it's only metadata, what you should really hear is that we're all under constant and ubiquitous surveillance.

What's missing from much of the discussion about the NSA's activities is what they're doing with all of this surveillance data. The newspapers focus on what's being collected, not on how it's being analyzed -- with the singular exception of the Washington Post story on cell phone location collection. By their nature, cell phones are tracking devices. For a network to connect calls, it needs to know which cell the phone is located in. In an urban area, this narrows a phone's location to a few blocks. GPS data, transmitted across the network by far too many apps, locates a phone even more precisely. Collecting this data in bulk, which is what the NSA does, effectively puts everyone under physical surveillance.

This is new. Police could always tail a suspect, but now they can tail everyone - suspect or not. And once they're able to do that, they can perform analyses that weren't otherwise possible. The Washington Post reported two examples. One, you can look for pairs of phones that move toward each other, turn off for an hour or so, and then turn themselves back on while moving away from each other. In other words, you can look for secret meetings. Two, you can locate specific phones of interest and then look for other phones that move geographically in synch with those phones. In other words, you can look for someone physically tailing someone else. I'm sure there are dozens of other clever analyses you can perform with a database like this. We need more researchers thinking about the possibilities. I can assure you that the world's intelligence agencies are conducting this research.
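The two analyses described above can be reproduced on a handful of cell sightings, which is why bulk location metadata amounts to physical surveillance. This is an added illustration, not code from the essay or from the Washington Post reporting; the record layout, thresholds and sample data are assumptions constructed for the example.

```python
from collections import defaultdict
from itertools import combinations
from math import dist

# Constructed records: (phone, minute, (x, y) grid position of the serving cell).
# There is no call content here, only which cell saw which phone and when.
RECORDS = [
    # A and B converge, both go silent for over an hour, then separate.
    ("A", 0, (0, 5)), ("A", 10, (2, 5)), ("A", 20, (4, 5)),
    ("A", 90, (4, 5)), ("A", 100, (2, 5)), ("A", 110, (0, 5)),
    ("B", 0, (10, 5)), ("B", 10, (8, 5)), ("B", 20, (6, 5)),
    ("B", 92, (6, 5)), ("B", 102, (8, 5)), ("B", 112, (10, 5)),
    # T stays switched on and appears in each of A's cells minutes after A.
    ("T", 3, (0, 5)), ("T", 13, (2, 5)), ("T", 23, (4, 5)), ("T", 50, (4, 5)),
    ("T", 70, (4, 5)), ("T", 93, (4, 5)), ("T", 103, (2, 5)), ("T", 113, (0, 5)),
    # N shares one cell with A once: a neighbour, not a tail.
    ("N", 1, (0, 5)), ("N", 30, (0, 6)), ("N", 60, (0, 6)), ("N", 111, (0, 6)),
]


def tracks(records):
    """Group sightings per phone, ordered by time."""
    by_phone = defaultdict(list)
    for phone, minute, cell in sorted(records, key=lambda r: r[1]):
        by_phone[phone].append((minute, cell))
    return by_phone


def silences(track, min_gap):
    """Indexes i where the phone is unseen for >= min_gap minutes after track[i].

    Two sightings are kept on each side so direction of travel can be judged.
    """
    return [i for i in range(1, len(track) - 2)
            if track[i + 1][0] - track[i][0] >= min_gap]


def secret_meetings(records, min_gap=60, radius=2.5):
    """Pairs that approach, fall silent together while close, then move apart."""
    by_phone = tracks(records)
    found = []
    for a, b in combinations(sorted(by_phone), 2):
        ta, tb = by_phone[a], by_phone[b]
        for i in silences(ta, min_gap):
            for j in silences(tb, min_gap):
                start = max(ta[i][0], tb[j][0])          # both silent from here
                end = min(ta[i + 1][0], tb[j + 1][0])    # until the first reappears
                if end - start < min_gap:
                    continue
                d_before = dist(ta[i - 1][1], tb[j - 1][1])
                d_off = dist(ta[i][1], tb[j][1])
                d_on = dist(ta[i + 1][1], tb[j + 1][1])
                d_after = dist(ta[i + 2][1], tb[j + 2][1])
                approaching = d_before > d_off and d_off <= radius
                separating = d_on <= radius and d_after > d_on
                if approaching and separating:
                    found.append((a, b, start, end))
    return found


def co_travelers(records, target, window=5, min_cells=3):
    """Phones seen in the target's cell within `window` minutes, in at least
    `min_cells` distinct cells. One shared cell is a coincidence; several in
    sequence is someone moving in step with the target."""
    target_track = [(t, cell) for p, t, cell in records if p == target]
    shared = defaultdict(set)
    for phone, minute, cell in records:
        if phone == target:
            continue
        for t, target_cell in target_track:
            if cell == target_cell and abs(minute - t) <= window:
                shared[phone].add(cell)
    return {p: len(cells) for p, cells in shared.items() if len(cells) >= min_cells}


if __name__ == "__main__":
    for a, b, start, end in secret_meetings(RECORDS):
        print(f"{a} and {b}: converged, silent from minute {start} to {end}, then separated")
    for phone, cells in co_travelers(RECORDS, "A").items():
        print(f"{phone} shared {cells} distinct cells with A within 5 minutes")
```

The neighbour N is excluded only by the distinct-cell threshold; with `min_cells=1` it is flagged too, which shows how many incidental matches a bulk database produces about people who are suspected of nothing.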

How could a secret police use other surveillance databases: everyone's calling records, everyone's purchasing habits, everyone's browsing history, everyone's Facebook and Twitter history? How could these databases be combined in interesting ways? We need more research on the emergent properties of ubiquitous electronic surveillance.

We can't protect against what we don't understand. And whatever you think of the NSA or the other 5-Eyes countries, these techniques aren't solely theirs. They're being used by many countries to intimidate and control their populations. In a few years, they'll be used by corporations for psychological manipulation -- persuasion or advertising -- and even sooner by cybercriminals for more illicit purposes.

This essay previously appeared in the March/April 2014 issue of IEEE Security and Privacy.

EDITED TO ADD (3/14): This study of cellphone meta-data (news article here) demonstrates the point nicely. So does this amicus brief I signed in the ACLU v. Clapper case (press release here).

Posted on March 13, 2014 at 12:13 PM • 62 Comments


cpvrgnvaan • March 13, 2014 2:22 PM

This is such a frustrating issue, politically. Right-wingers tend to support the intelligence agencies because National Security. Left-wingers tend to discount the danger because it doesn't seem to pose any threat to their pet social causes, and they have a pollyannaish view of regulation and oversight of those wielding the police power.

One way to help the left-wing understand why they should be opposed to mass surveillance is to couch the dangers in terms of the social causes they care about. Do we really want the NSA having a massive database containing the browsing habits of every single LGBT person in this country? Who are we - the "normal" majority - to say that such people have no legitimate reason to want to hide such information? They're doing nothing wrong, and there are very good reasons they have something to hide - millions of reasons, after the 20th century. Sure, Barack Obama isn't going to start rounding up gays, but what happens if the far-right Tea Party gets a homophobic candidate into the Presidency? It's a long-shot, politically, but is that really the only barrier we want between the status quo and a future where gays are being rounded up in droves, based on information dredged from Bluffdale?

How about NSA's data on Greenpeace, climate scientists, Code Pink activists, FEMEN, NOW leadership, abortion clinics, abortion doctors, abortion patients, gun-control advocates, HIV doctors, HIV patients, psychiatric diagnoses and prescriptions, etc.? You get the idea. All of this information accreting in Bluffdale is, in fact, a trove of political dirt. Perhaps it is true that Michael Hayden, Keith Alexander, and everyone else that has had control of this information are angelic beings devoid of all the nastiness ordinarily indulged in by people of their rank in those kinds of positions of power. But it is only a matter of time until more ordinary specimens of political machination get hold of this gold-mine (or dirt-mine) and put it to use. It is obvious that anyone who cares about minority causes should be adamantly opposed to the very existence of such a political dirt pile. The ACLU and the EFF understand this but we need to do a better job of explaining it in terms that Joe Birkenstock understands.

I think the right-wingers need to come to grips with the reality of what they are backing - they need to have the spell broken. As Jeremy Scahill has documented, the NSA surveillance program is using Minority-Report-style pattern analysis to generate "signatures" on the basis of which flesh-and-blood human beings are labeled as terrorists by a silicon machine - so-called signature strikes. There is no heroism, here. There is no do or die. There is no God and country. There is just computer-automated - and frequently highly erroneous by their OWN standards - death from above. We need to support the efforts of Scahill and others to put a human face on the overseas death-toll and to really confront the fact that every military technology that has been deployed against civilians overseas is a liability to come home and be deployed by our own police forces against us - cf SWAT teams, MRAP, LRAD, etc.

We cannot afford to give up. If we give up, the Chinese Internet model wins. The only barrier between the status quo and getting the broad public to understand the true threat that the intelligence services pose to modern democracy is explaining it in words and stories that they understand and can relate to. That is not an insurmountable challenge, we just need to set ourselves to the task, identify people with the appropriate skills and support them in the endeavor.

Joe • March 13, 2014 2:37 PM

Tags are considered meta-data. If you can automatically generate tags based on the content then a human can search through the meta-data (ie, the tags) and get access to content without any human "directly" accessing (eg, reading or listening to) the content at all. In many ways, automation is blurring the distinction between data and meta-data. As automation becomes more intelligent and sophisticated, meta-data will end up giving more information about the content than directly accessing the content.

jackson • March 13, 2014 2:59 PM

Just go with Sprint, you'll never get a good signal so the gov't can't track you. But you can still pretend to be cool and talk to your friends in imaginary conversations!

Bob S. • March 13, 2014 3:12 PM

Sir Tim Berners-Lee is calling for a worldwide Internet Magna Carta.

I think something that big is one of our few good choices and that it will not happen in our lifetimes.

Users need to get much more annoyed with secret surveillance than they are now.

Much more annoyed, or else nothing will stop it.

I am already disillusioned that technical people will be of much use. Where are the breakthroughs in making encryption easy and widespread? Not happening.

What's the use of a good password if our own government has hired the best possible minds in the world to work full time at hacking and cracking them, even illegally, including physically entering your home?

Brandioch Conner • March 13, 2014 3:14 PM

"How could a secret police use other surveillance databases: everyone's calling records, everyone's purchasing habits, everyone's browsing history, everyone's Facebook and Twitter history?"
Instead of the "secret police" how about the contractors who have access to it?

In the old days you had to worry about some creep physically following your daughter home. But at least there was a chance you could spot the creep and get his license plate number and description.

Now, your daughter will never know whether the creepy guy staring at her at the coffee shop knows where she lives (alone?) and where she works and what her daily routine is.

You've all heard the stories about the bad cops who commit crimes. With ubiquitous surveillance the number of "bad" people who have access goes up and the range that they have increases.

jones • March 13, 2014 3:34 PM

One might be able to argue from a statistical point of view that meta-data is more valuable than content.

Content is highly equivocal: "intercepted" speech may be unintelligible, people may speak in cant, or shorthand, or personal idioms, or speak indirectly about a sensitive subject, or allude to events that happened away from the phone.

Meta-data, conversely, is highly unequivocal. Its meaning is precise and often quantitative.

Knott Whittingley • March 13, 2014 4:05 PM

A recent Stanford study about significance of metadata:

We need bigger and longer-term studies like that, with more kinds of metadata and better analytical tools, to demonstrate what metadata will likely reveal about all of us.

We also need to be discussing the enormous potential for abuse and corruption, from insider trading to biased selective prosecution and blackmail of politicians, whistleblowers, watchdogs, activists, etc.

Most people just have no clue, on several levels.

yesme • March 13, 2014 4:06 PM


"I am already disillusioned that technical people will be of much use. Where are the breakthroughs in making encryption easy and widespread? Not happening."

Relax please. It's been less than a year ago that Snowden entered the news. It's a process. Every engineer knows that you can't bear a child with 9 mothers in one month. It takes time.

But I am quite sure that things are gonna change. Political, legal and technical. Why? Because the word is out! Everybody, in the whole world, knows what's going on.

stevelaudig • March 13, 2014 8:02 PM

This "is" Obama's very long Clinton's "is" moment. The context isn't smarmy like Bill's but the impact is far deeper on the Republic and the democracy. Obama is not to be believed when he talks about some subjects and this is one of them.

Nick P • March 13, 2014 8:10 PM

"In a few years, they'll be used by corporations for psychological manipulation"

That was actually one of the original use cases. Remember that corporations have been doing "data mining" for a long time. Huge industry built around it. The govt was the one late to the party. We should assume, though, that anything the private sector can do with these tools the NSA might be doing.

Saul Tannenbaum • March 13, 2014 8:57 PM


The argument to lefties (of which I count myself as one) is that surveillance, writ large, is a social justice issue. It is marginalized communities that have been under surveillance for years. See, for example, this Virginia Eubanks article.

The deep harm from surveillance is something sociologists call "societal sorting." You are, to the agents of the state, no longer an individual. Rather, you are a member of some bucket of people defined by the data collected about you. You are someone who called a phone number that was called by a terrorist. You come under heightened suspicion just because you order take out from the same restaurant. (Disclaimer: I live in Cambridge MA, near the Tsarnaev brothers, so I might be talking about me.) This, of course, blows right by the presumption of innocence, and makes a mockery of the notion that if I have nothing to hide, I have nothing to fear. I didn't think I needed to hide my choice of pizza parlor, but maybe that would have been a good idea.

chris l • March 13, 2014 11:51 PM

One of the issues in the "metadata" (and even a great deal of the data) collection is that the US legal system has a narrow view of 4th amendment protections. Any information that you've shared with another party (and "shared" is taken pretty liberally) is treated as not protected by the 4th amendment. This creates a situation where privacy is protected only by secrecy, and the government can simply "ask" (which often is more like "compel") anyone you've shared information with to share it with them, even without a warrant. In an age where nearly everyone has to share with someone the vast majority of what the average person might consider private, the government then gives itself free rein over everyone's information. What's needed is a substantially revised legal concept of privacy (and treated as an interpretation of the 1st, 4th, and 5th amendments) that protects information that's shared with a reasonable expectation of privacy.

Thoth • March 14, 2014 12:00 AM

The general public are made up of those who are not security-savvy people and it is these general public that determines the votes and policies. The Obama Surveillance Deception tactic aims to deceive the general public and to create a consensus among the public non-security-savvy people that "metadata is not spying" case. This general consensus would in-turn strengthen the norm of having relax and easy-to-own security so that the 3 letter organisations can have it their easy way in to do anything they want as they wish and to subvert the general public at will.

The best case for defeating the Obama Surveillance Deception tactic is to educate the masses on security, create awareness (maybe some demonstration of concepts) and to cooperate with security providers to fund and lend a helping hand to protect the general public.

There is very little room left for trusting governmental organisations anymore although we should also be very wary of corporations and their selfish agendas.

Everyone must be able to arm themselves and protect themselves. That should be the motto of Security in this age.

Founding and funding of trustworthy open-source software and hardware solutions and education to protect the rights of each individual should be an important focus for NGOs who are involved in CommSec and ITSec.

At the end of the day, no matter how secure a system is, all it takes is ignorant people within the secure environment to compromise it.

herman • March 14, 2014 12:41 AM

It seems that the UAE Etisalat firewall now blocks comments on this web site. TOR works though. Sigh...

pianissimo • March 14, 2014 1:32 AM

@Saul Tannenbaum:
Another harm is "anticipatory conformity". When we are on some level aware that we are being watched, we self-censor our thoughts even when they are basically harmless. During the last administration some air travelers were detained for wearing clothing emblazoned "Kip Hawley Is An Idiot" (I hope I got that right). This leads to an environment in which people keep their opinions to themselves, and stop themselves from complaining about what is being done to them. After all, if speaking out is going to mean more hassles now and into the indefinite future, you would be a fool to be noticed.

USG to citizens: just shut your mouth and enjoy it.

fajensen • March 14, 2014 3:48 AM

"How could a secret police use other surveillance databases: everyone's calling records, everyone's purchasing habits, everyone's browsing history, everyone's Facebook and Twitter history?"

One could start identifying the "outliers" early on, people of exceptional skills, people who might ferment change - and murder them!

The people in power today - executives, corporations, political parties, lobbyists, etc. are basically parasites perfectly adapted to society as it is now, which is per-definition the best of all worlds since it created such fine people as them.

What they must somewhat fear is competition eating their lunch, but, they have money and lawmaking power to contain the damage or co-opt the usurper.

What they absolutely fear is changes in the ecosystem they are adapted to happening faster than they can adapt to or changes that destroy their investments - right to privacy, for example. These things happen through the political system, so they are contained - again at a cost.

However, technological change is exponential. Technologies that only a few years ago would cost millions and required a lab with PhD's to run, can be had on eBay today. The lab and the PhD's can be monitored, the expensive equipment can be tracked; the cheap tech is everywhere, sometimes operated by very smart people with their own agendas for what should be made and why.

What if someone invents an intelligence booster, a smart student using the biology lab at the university where she studies - and releases it? The normal reaction would be to label this a "Class A" drug, but, now this stuff is on the streets - "the competition" will have it, more bright people will take it - which causes the whole thing to go geometric when the enhanced smart people begin to design stuff. Control is lost!

With ubiquitous surveillance and some AI's reading research papers for troubling directions of research, it would be possible to detect that student downloading certain research papers, then identify the equipment purchases, see when she is in the lab - and then flag her up to The Authorities as a "Terrorist Student producing a chemical weapon in preparation for school massacre" or a "Misfit student producing a Class A drug".

MAD-logic will apply: One gang of elites will not attempt to acquire destabilising technology, of course they will cheat, but in general, whenever such technology emerges, it will be destroyed.

Eventually there will be "humanity-protection" laws passed that makes NDAA 2012 look liberal and preventive filtering of all communication to stop any outbreaks of creativity.

Filtering is already starting:

PS: That James Brokenshire in the picture looks like a thoroughly nasty type.

Snarki, child of Loki • March 14, 2014 6:41 AM

"The general public are made up of those who are not security-savvy people and it is these general public that determines the votes and policies."

The general public already has plenty of stuff to pay attention to (like making the economy run), and NSA spying is far, far down on their list of concerns. Rightly so.

Inflict upon the rich and powerful the full 24/7 surveillance that the NSA can muster, and things will change. Not before.

There's a REASON that library/video-rental records were only protected after some embarrassing high-profile supreme court confirmation hearings in the 80's.

There's a REASON that cell-phone intercepts got criminalized and made much more technically difficult, after a guy in DC recorded some GOP honchos planning strategies.

To get the interests of the powerful and the public back into alignment, the powerful needs to lose a lot of their privacy.

Rolf Weber • March 14, 2014 7:55 AM

I agree with Bruce that metadata equals surveillance.
However, there is no single evidence so far that the NSA (or the government) actually abuses the data, neither for mass surveillance nor to chase ordinary criminals. Let alone political abuse. Even with the mass of Snowden files, not a single abuse could be revealed so far.

I agree that it is a potential risk, that the government has an infrastructure it *could* abuse.

On the other side, we should accept that the government needs some data to fight crime and terrorism. I just want to be sure that it doesn't abuse it for mass surveillance.
I think it could be achieved by transparency. Give the government a "direct access" to a metadata database, but log and publish how many datasets it actually accesses.
I described it a little bit more in detail here:

Saul Tannenbaum • March 14, 2014 7:56 AM


"Surveillance Studies" is an actual academic discipline with a large literature on the harms of surveillance. I recommend pretty much anything by David Lyon who, literally, wrote the book on the topic.

To go a bit meta for a moment, one thing that has to start happening is a conversation among the technologists, the activists, and the scholars of surveillance. I've found myself at a number of talks about NSA/Surveillance/Big-Data in the past couple of weeks and I've been struck that each discipline is producing recommendations that are in their comfort zone. Lyon, who I heard talk at MIT earlier this week, says that we have to have legal reform because security technology is too hard. Bruce, of course, says we have to have technology reform because legal reform is too hard. They may both be right, but a deep discussion about strategy and tactics would be very, very productive.

TIM • March 14, 2014 8:20 AM

Hi Bruce,

take a look at Amazon. Out of analyzing their customer they prepare packets with specific articles before the customer has ordered them. This might be the result of manipulation on psychological level or just the problem, that humans are bound to uniformity in behavior. In both cases we see, that we have the potential to be manipulable.

You say, that your president said "The NSA is not listening in on your phone calls."
I think he uses the same definition of "collecting data" like the NSA and then they could save, parse, store any phone call on earth, but only the few they use for some reason (in best case to do something good = prevent something bad) would be called "collected".

There are many articles with single information about metadata that are collected, but I have not found a wallpaper with all known metadata. If you have an overview on all the metadata that are collected (and even additional the NSA probably added after 2008) that might be helpful to think better about what could be done with this and see it in the bigger context, too.

ccough • March 14, 2014 9:00 AM

If the third party doctrine gets overturned in several years, when this gets to the Supreme Court, would that solve the problem domestically within the US?

chris l • March 14, 2014 10:00 AM

@ccough - the third party doctrine is unlikely to change in a few years. Most of the US supreme court seem to support it, with the exception of Sotomayor, who has made a few comments suggesting that she questions it and possibly supports a reasonable concept of informational privacy.

vas pup • March 14, 2014 10:25 AM

@Bob S: "What's the use of a good password if our own government has hired the best possible minds in the world to work full time at hacking and cracking them, even illegally, including physically entering your home?" The same as for any personal/entity security (physical or informational): not to be easy target for all other 'privacy' predators like crooks of all sorts, PIs, competitors, former BFs or GFs, etc. As I stated before on this respected forum in a story about two ladies met with tiger in the jungle, and one start running, the other said: "can you run faster than tiger? No, she replied. I need just run faster than you." I hope point taken. Regarding Gov or organized crime/mob or agent of foreign gov: if you are specifically selected as a target (based on meta-data or other sources legal or illegal) there is no possible balance of resources on your side. In that case your statement is absolutely valid: You do not have protection. It's like win against casino. If you have enough money to double your bet each time, then you win finally.
@Saul Tannenbaum. Presumption of innocence applies to prosecution, not LEA intelligence activities as soon those activities within scope of Bill of Rights limitations (that is my own opinion - open for logical argument/deliberation on that, not emotional outbreaks or labeling).
@all other respected bloggers (as possible solution in election year in particular): start promoting the idea of openly incorporate/amend into Bill of Rights in State (as first step) and Federal Constitutions the idea of explicit addressing privacy: clear definition and protection. I have no doubt that prospective elective officials on both sides of the aisle will be in support of this having their own privacy jeopardized by recent revelations of Mr. Snowden and issue with Senate intelligence Committee.

ccough • March 14, 2014 10:36 AM

@chris l

But if the third party doctrine was overturned, however unlikely it may be, would it solve the legal problem of U.S. domestic surveillance?

logout • March 14, 2014 11:56 AM

Governments are the entities that commit the humungous mass murders, drop more bombs on Cambodia "secretly" than were dropped on Japan and Germany combined during war.
except the Cambodians who knew about it they didn't know it was "secret"
Who lines people up and guns them down into trenches governments do. Pol Pot or Nixon, politicians destroy anyone they cannot use.
impunity is routine.
Why do they do that, psychopathy and machismo and ego of politicians is the real reason, though of them with a weird accent, Kissinger is still selling that sort of thing, Putin has nothing on Kissinger
When it comes to criminal culpability and impunity
The US once had a very good Ideal that it seldom lived up to, the beer summit with Henry Louis Gates did not reinstate the Bill of Rights
except for one man who had Obama's phone number, for the rest of us, extrajudicial home invasions continue any time some egotistical thug wants to abuse someone he determines does not have access to a real competent lawyer who will actually stand up for him.
Governments break all of their own laws on the theory that they don't have to obey any steenkin law.

Carpe • March 14, 2014 1:27 PM

@ Wolf Weber

"I agree with Bruce that metadata equals surveillance.
However, there is no single evidence so far that the NSA (or the government) actually abuses the data, neither for mass surveillance nor to chase ordinary criminals. Let alone political abuse."

Simply having the data in the first place is an abuse. The methods through which they gathered it and then retroactively protected the telecoms was abuse. There have been numerous examples of political prosecution using data such as this. (cointelpro, etc) The Snowden files are internal documents that wouldn't show the abuse even if it was happening in any sense other than the technical. They have revealed, for example, that the NSA has been sharing data with the DEA to fight the war on drugs, who then uses that data in an unconstitutional way to gather more court presentable evidence.

"On the other side, we should accept that the government needs some data to fight crime and terrorism."

No we shouldn't. Right now terrorism is a tiny little blip on the radar of threats to America physically, and technologically the surveillance state has weakened our security and even economy more than any terrorist act could, not to mention the ideological undermining of the Constitution.

I'm afraid you are just pulling shit out of a hat and pretending you know what you are talking about.

Rolf Weber • March 14, 2014 4:09 PM

No, pure possession of data cannot be abuse.

Would you please show evidence that the NSA shared phone metadata with DEA? Or any other data?

The Snowden files showed more than technical details, for example they showed the spying on the German Chancellor or Brazilian president. Or Belgian Telecom. So the files showed what NSA actually did. But none of it was a wrongdoing so far.

Apart from that, your privacy absolutistic view is nothing than childish.

Rolf Weber • March 14, 2014 5:50 PM

@Nick P

No, this doesn't provide evidence for the claim "data is shared". At best, it is evidence for tips.
And I really think this is a grey zone. Imagine an NSA agent who is observing a foreign suspicious, coincidentally notices a crime made by a citizen. What to do?

Knott Whittingley • March 14, 2014 6:24 PM


"And I really think this is a grey zone. Imagine an NSA agent who is observing a foreign suspicious, coincidentally notices a crime made by a citizen. What to do?"

Apply the exclusionary rule, and exclude it.

People should stop pretending that unwarranted surveillance is a valid thing because it's about terrorism, and then saying that it's okay to take the information gathered and use it to tip off law enforcement about crimes.

The Corporate Store is full of information about millions of people that can be used for selective prosecution of whatever political enemies the security state feels like, or scandal-mongering.

Dissident members of their own oversight committees, for example.

You know they're not going to exploit that even-handedly. They're going to do what the FBI did with Jane Harman, and leave them the fuck alone if they're "friendlies," blackmail them into compliance, or use parallel construction to implicate them if they're "unfriendly."

Any analyst can do that to their personal enemies. Any powerful surveillance system can be thoroughly gamed with almost zero chance of getting caught.

That's way too much personal and political power to leave in the hands of potentially rogue analysts, or rogue agencies.

Any referral of criminal evidence to outside law enforcement agencies should be considered a leak of classified information, and prosecuted, or the whole thing should be shut down.

Powerful mass surveillance is vulnerable to unlimited abuse.
Failing to strictly compartmentalize and oversee it makes a mockery of the exclusionary rule, due process of law, equal protection of the laws, and liberal democracy generally.

chris l • March 14, 2014 9:23 PM

@ccough - Getting rid of the third party doctrine by itself won't necessarily solve the problem, but given the third party doctrine, it's very easy for the government to get virtually any information about you without a warrant because anything that you've revealed to anyone loses 4th amendment protection. If we had a doctrine where you could contractually share information (e.g. financial or call records) while retaining rights to limit its dissemination then it might help plug the hole. As it is now, the government seems to call anything you've shared with a third party fair game to obtain without a warrant because it has no 4th amendment protection.

chris l • March 14, 2014 9:39 PM

@rolf weber - in Clapper v. Amnesty International, Solicitor General Verrilli offered that while AI had no standing and that the case in question should be dismissed, there would be potential plaintiffs with standing because prosecutors were using NSA-obtained (warrantless) data to develop criminal cases and were informing the defendants that they had used data from the NSA. Except that up to that point they were using the data and not informing defendants (as they are required to do). Using illegally obtained data to develop a case is supposed to render all evidence derived from the illegally obtained data inadmissible, but they weren't bothering to share the fact that the cases were developed from NSA data. The DOJ has subsequently started informing defendants, as they should have been doing for quite a while. Many cases are likely to be appealed as a result.

Zach • March 14, 2014 10:01 PM

This essay is correct.

However, to personalize this by loading it up on Obama is not only disingenuous but dangerous. It way oversimplifies what a complex mess we have descended into.

Also, we have been on this arc since before 9-11. To unwind this ball is going to take a long time.

The promise of a secure and open global Internet is currently in grave danger. We must hope that someday we look back on the "Edward Snowden Event" as the beginning of the true start of the Internet.

Nick P • March 15, 2014 10:07 AM

@ Rolf

Are you kidding me? A tip *is* sharing information. A stream of tips is consistently sharing information. Having special secret prosecutors, policies, procedures, and agent training dedicated means it's pretty standard operating procedure. As seen in the released documents:

I wonder why you're changing the situation. There is a clear relationship between intelligence agencies and DEA for moving information. They've been doing it since the 1990's. It's rarely about terrorism. It happens a lot. Dedicated people for it, too. Yet, you make it seem like it's a spontaneous thing that an analyst might do and DEA didn't ask for. The *documents* show it's totally the opposite.

Early on, they got permission to build these surveillance systems by promising there would be strong controls on them and they would only be used for *terrorism.* That they were absolutely necessary for terrorism, actually. Pessimists and conspiracy theorists said they were a risk as they'd be secretly expanded to target other enemies of the state, criminal or political. We've now learned that they are secretly giving over information to half a dozen groups who are prosecuting people for all kinds of stuff, rarely terrorism. When the pessimists get it right, Americans should be worried enough to take action.

Clive Robinson • March 15, 2014 10:34 AM

@ Nick P,

The past few weeks have been "an education" in how some people's belief systems won't break no matter how hard they are attacked with evidence or logic.

If you remember last year I recommended a book to download and read about "authoritarian supporting personalities".

I guess it's time to dust it off etc ;-)

Clive Robinson • March 15, 2014 10:52 AM

For those who might be interested in the book (and you should be) you can download it from Dr Altemeyer's home page with his blessings,

He has also written another book on the Tea Party phenomenon and it's worth a look as well.

CatMat • March 15, 2014 4:09 PM

Thanks for the pointer, Clive Robinson!

I didn't catch that the last time.
I've now read the first chapter of "The Authoritarians" (that's up to page 51, about a fifth of the book) in the last hour and it's been a good read so far.

Then again I suppose it would be for me, seeing as I scored 38 on the RWA scale... quite a bit lower than I expected, actually.

I'm now starting to wonder if the main difference between low and high scorers is whether they expect their ostensibly chosen representatives to even pretend to be part of the social contract that the general populace is supposed to honor.

Sancho_P • March 15, 2014 6:40 PM

@ Clive Robinson,

Thanks a lot, just started reading, very promising.
May be close to what I see as “nationalcapitalism” (evolved from the brownshirts).

Rolf Weber • March 17, 2014 2:49 AM

@Knott Whittingley
I don't say that unwarranted surveillance (on citizens) is valid. And there is no proof that the tips are resulting from unwarranted surveillance on citizens.

It's a good thing when many cases are appealed. It shows the system is still working after all.

Share information is not the same as share data.
For me it is still the most plausible explanation that the tips only result out of legitimate surveillances on third parties, and a crime is watched "accidentally".

Or let me ask a question:
Do you believe NSA grants DEA access to the metadata database (or any other database)?
If yes, where is proof (with 1.7 mio classified documents, I'd really expect clear evidence).

Mike the goat • March 17, 2014 5:07 AM

Bruce - you are absolutely right. We are being assured that because it is just "metadata" that somehow our rights have not been violated - as if a watered down infraction is somehow less of an outrage. One senator dismissed it as nothing more heinous than your local telco keeping CDR.

Folks, us security professionals and activists can keep talking this issue up but the bottom line is that we've lost this battle perhaps even before it has begun. In the court of public opinion the NSA can violate the constitution of this country if they claim that they are doing it for a good reason; to make us "safer" and to protect us from all those terrorists we see hiding behind mailboxes on every Main St.

We should all have known better than to trust the Internet and unencrypted comms over it, just like those concerned about privacy in the 1920s wouldn't have trusted Western Union or its employees. The obvious solution is to at least encrypt everything - email is an easy one, particularly if you can meet the people in person to eliminate key exchange as a potential issue. I guess then we have to wonder about what cryptosystems are safe to use. I think Schneier said "trust the math" and I am inclined to agree with him. If anything they are exploiting implementation bugs, not the crypto itself.

Nick P • March 17, 2014 11:06 AM

@ Mike the goat

All good points. My only critique is Bruce's "Trust the math." I counterpointed it here. It's better as a catchphrase than as a solution.

Math is involved, but only one piece. And previous A1-class system efforts show formal verification caught the least of the vulnerabilities. The majority came from reviews where engineers thought about design/code/channels and thought about what could go wrong, one piece of system at a time. So, a full process a la EAL6+ development is necessary for the app and its TCB. CPUs/IO/MMU that makes security easier to get right are a plus.

KnottWhittingley • March 17, 2014 2:18 PM

Speaking of trusting the math, does anybody know how useful a D-Wave style of (limited) quantum computer is for breaking encryption? (If indeed it works.)

I would think that if you can do exponential work in linear for any annealing kind of thing, you could probably adapt it to break encryption. (But then, I'm no expert on any of the subjects involved.)

If that's right, it would seem to me that even if there's only a few percent chance it really works, then there's good reason to fear that we can't trust the math, even if the math is right and the implementation is right and encryption can't be bypassed.

chris l • March 17, 2014 3:21 PM

@rolf - the DOJ has been prosecuting cases for years (under two administrations) without sharing information that they were obligated to share. The only reason they can be appealed now is because the SG slipped and admitted they were using the data. So up until that point, it's been abusive use of data obtained without warrants. And they admit now it was being done.

Nick P • March 17, 2014 5:51 PM

@ Rolf

"Share information is not the same as share data."

Interesting defence. Let's try it in a few other situations:

Medical: "We didn't violate HIPAA by giving patient data to unauthorized party. We simply gave information on all of medical issues and operations the person had."

Finance: "We didn't give out credit data to illegitimate parties. We just gave information consisting of card numbers, expiration dates, balances, and so on."

Military: "We at Wikileaks didn't publish any classified data. We published information we produced as we read classified data."

Voting: "Our company's voting machines don't permanently keep ballot data regarding your vote. However, they do share information with our data center such as who you voted for."

Most sane courts wouldn't buy your substitution. If anything, focusing so much on the words rather than actions of NSA/DEA seems like a misdirection tactic.

The fact of the matter is that DEA regularly gets something from NSA's spying apparatus, they have dedicated staff to process that something, they have training manuals regarding that something, that something is used to arrest people, parallel chains of evidence are created to disguise the something, and people are convicted in court with their defense never even knowing that something exists.

You've argued that "something" is information, not data. I argue that nothing in the above paragraph shows any less cooperation when you make that substitution. If anything, the regular sharing of pre-analyzed data makes agencies like DEA even more powerful than if petabytes of raw telecom/internet data were dumped on them.

Rolf Weber • March 18, 2014 4:06 AM

Nick, I would agree with you if there was evidence that the NSA would actually "work" for other agencies like DEA, for example if they would investigate in domestic drug crimes. But there is no evidence for this claim.
All what is proven yet is that when the NSA accidentally observes crimes, they may give hints to other agencies.

As I said before, I consider this as a grey zone. And that's why I differentiate between sharing information and sharing data. If the NSA would give other agencies access to raw data, this would be a clear wrongdoing.

Skeptical • March 18, 2014 5:59 AM

Re: NSA and sharing of evidence of a crime

If the NSA, in the course of surveillance of foreign communications, comes across evidence of a crime committed or about to be committed, then it may share that evidence with law enforcement. See 50 USC 1801(h)(3).

If the NSA, in the course of conducting electronic surveillance, acquires a domestic communication for which they do not have a warrant, then unless that domestic communication reveals an imminent threat to an individual's safety (and a couple of other exceptions not relevant to this), the NSA must immediately destroy the acquired communication. See 50 USC 1806(i).

I have some broader thoughts on the metadata is surveillance principle, but perhaps another time.

vas pup • March 18, 2014 2:50 PM

@Rolf Weber:"If the NSA would give other agencies access to raw data, this would be a clear wrongdoing."
Yes, absolutely. The idea is to separate meta-data collection/processing and law enforcement based on information obtained after processing in separate entities (independent structures). Intelligence (meta-data related) is coming from data first, then suspect(s) second (after processing/red flagging). Law enforcement having access to meta-data could be very tempted to collect any 'dirt' on the suspect and his/hers contacts (not related to this particular crime) when they could not prove suspect guilt in the crime they are currently investigating by evidence available/collected. That is very dangerous practice. They still have other mechanisms available to request t a r g e t e d information related to particular criminal event. That was discussed on this respected forum in connection to restructuring NSA and reassigning some of its functions.

KnottWhittingley • March 18, 2014 4:30 PM


You seem not to understand the potential for abuse of power, and the impossibility of preventing it.

Suppose, for example, that NSA decided to try to get rid of most of their major critics in positions of power over them, e.g., Wyden, Udall, Leahy, and a few others---or at least discredit them, or create distractions and controversy around them so that nobody really listens to what they say about the intelligence community.

All they have to do is buy some untraceable disposable phones and use them to make a few phone calls to those people, and use the same phones to make periodic calls to random terrorist suspects, child pornographers, hit men, dope smugglers, money launderers, prostitutes, dominatrixes, traitors or whatever.

They can make all those people pop up as obviously suspicious characters to be flagged for investigation by the IRS, the DEA, the FBI, etc., then sit back while every aspect of their and their associates' lives is examined with a microscopically fine-tuned comb by whichever major intelligence agencies they want.

And if it comes out that those agencies are investigating their own overseers, there will be "very good reasons" that eventually come out, too. How could they ignore such suspicious stuff that just pops up on their computers when they're looking at various criminals?

If those agencies keep mum and refer their evidence to DOJ for investigation, that fact can be leaked---the DOJ has "clear evidence" of Wyden's affiliation with traitors, Udall's with child pornographers, Leahy's with money launderers, and so on.

Some of the investigations would turn up something actually criminal or very embarrassing or seemingly hypocritical done by the person being ratfucked (to use a Watergate-era term), or just by someone embarrassingly close to them---an aide, a daughter, their lawyer or accountant, whoever.

Often they wouldn't, but it could be enough to arrange that somebody is endlessly under investigation for seeming involvement in something bad, based on "good evidence" that just happens to never result in proof. Then you can leak that fact, if necessary, and get people talking about a coverup---how suspicious it is that there's so much "good evidence" but the investigation is never resolved. If you don't have a Whitewater or Benghazi or a blowjob to impeach somebody for, you can easily create the appearance of one.

This doesn't take a vast, difficult-to-conceal conspiracy to ratfuck people. Given the infrastructure that's been built, one or two people with the right access could do it, and three or four properly placed people could do a whole hell of a lot of it---e.g., a vice-president, a head of an intelligence agency, a middle manager, and one analyst or techie in a position like Snowden's.

They could even do it in a way that makes it obvious to other people in the agency that something very weird is going on, but there's an easy way to make that seem plausibly legit, too---you just say those people are involved in a mole hunt. They're looking for the next Snowden, so they need wide and unauditable access to the machinery, to keep the mole from figuring out when they're onto them, and other potential moles from knowing how they can be caught.

Perfect. And we would never know if it's happening.

That's what I think Snowden means by "turnkey tyranny."
We're building the infrastructure to enable a small group to conduct purges and consolidate their power a whole lot, long before they do anything obviously tyrannical.

We're not living in Putin's Russia, but we're building the infrastructure for it, and assuming that the guys ever in charge would never do anything like that, ever. We won't slip down that slope, even with no real brakes.

We're to assume that we will never again have scary ruthless people anywhere near the levers of power---people like Nixon or Agnew or Hoover or Gordon Liddy or Donald Segretti or Ollie North or all the scumbags we never caught.

To which I say Dick Cheney, Karl Rove, Scooter Libby, Chris Christie? Scott Walker? Half the Tea Party zealots? Fox News. (Or pick Democrats/liberals if you're less trusting of them.)

Rolf Weber • March 19, 2014 3:13 AM

What you describe would be a clear wrongdoing. After 9 months, and with reportedly 1.7 mio documents, *not* *a* *single* such a wrongdoing could be revealed.

We (with this I mean the majority in our democracies) *want* that the spy agencies are powerful. This is why we give them so much of our tax money.
We don't want that they abuse their power, this is why good oversight is needed. Like it or not, but the Snowden files *prove* that the NSA is under really good oversight. I wish I could be sure that "my" German agencies are under similar good control (no, I don't call for a German Snowden).

JohnJ • March 19, 2014 9:27 AM

@Rolf, as the saying goes about the stock market, "past performance does not necessarily predict future results." Just because they haven't committed wrongdoing so far doesn't mean they won't in the future. I'll add that even though no documents have surfaced to show they have, that doesn't prove they haven't. Governments specialize in secrets.

As to the harm it causes, I can say that their (meta)data collecting is most definitely harming the US populace. We are all directly and indirectly paying for this surveillance. Twice.

First, taxpayers are paying to fund the government operations. And that cost is amplified since the government is operating in a deficit; interest will accrue.

Second, the telcos have substantial costs associated with the collection of the data, processing requests, etc. They aren't going to let those costs reduce their profit margins so the costs of data collection are being passed along to the consumers in the form of higher monthly service fees.

So even without legal harm there's still economic harm being inflicted. And we're all paying it every single day.

KnottWhittingley • March 19, 2014 11:19 AM


What I describe would be a clear wrongdoing? Of course.

But you miss the point. We know that the intelligence community has a long history of doing things we would not approve of, and lying both about (1) whether they would ever do that and (2) what we gained from it that might argue doing things we'd "never do."

We've overthrown democratically elected governments and supported paramilitary death squads. We've sold missiles to the freaking Ayatollah himself. We lied about weapons of mass destruction and "freedom" to get into a horrendously expensive and tragic war for other people's oil. We've systematically kidnapped, imprisoned, humiliated and tortured people. We surveil on everyone all the time, without reasonable suspicion, much less with a warrant based on probable cause. We have secret courts making secret law.

By this time, we shouldn't be very reassured that there are things we have no evidence have been done, if we can see how and why they may be done. Maybe they haven't gotten around to it yet, or maybe they have, and we just haven't found out yet.

We know that the intelligence community is very worried about the public finding out what it really does, for PR reasons at home as well as operational security abroad. We know that it generally reveals its successes and keeps its failures classified as long as it can.

It is true that many Americans want very strong spy agencies, but as honest intelligence people will tell you, they don't know what they're getting. It's like a five-year-old saying who they want to marry, and everybody with a clue knows that. When it comes down to it the intelligence community justifies doing things they "would never do" by saying that the public doesn't want them, but should want them, or would want them "if they knew what we know."

And that is often a lie, as is abundantly clear by now. A whole lot of people would not want extraordinary rendition and torture, especially if they knew that it doesn't yield much useful or important intelligence. A whole lot of people would not want the NSA spying on everyone if they knew it hasn't foiled a single terror plot.

That sort of thing makes it eminently reasonable to be cautious about what the intelligence community would do, if they think they can get away with it, and which of those things are more likely because they probably could get away with it---e.g., things it only takes a few people to do, given the infrastructure they have, so that it's easier to keep secret from the public and oversight committees.

We'd be stupid not to wonder about things, given that the intelligence community is systematically more ruthless than it admits to, and more prone to doing things it'd "never do" if it thinks it can do so successfully and secretly.

How much clearer could that be, by now?

The intelligence community likes to take the stance that they're the grownups who should know everything and make the important decisions about what to do and not to do---and that if the public would just grow up and look at the facts, they'd generally agree.

Yeah, no. Have you read (Pulitzer prize-winner) Tim Weiner's history of the CIA, Legacy of Ashes?

Most people haven't. And if they did, I bet most would not take the childish line you're taking. They'd be really worried.

vas pup • March 20, 2014 11:45 AM

@KnottWhittingley:"If you don't have a Whitewater or Benghazi or a blowjob to impeach somebody for, you can easily create the appearance of one."
We all are not angels. When "you don't have" means you did not look deep enough in time and space. I just want to remind you Governor Stark from 'All King's Men' (by Robert P Warren) who clearly stated to his confidant Jack Burden: Men is conceived in sin and was born in mess, and all his path from the birth to the death is the path of sin. I am not asking you to fabricate anything. Look thorough and you'll find out. My point is that in 1937 when book was published first there were already understanding (with all cynicism of Gov Stark) that f a b r i c a t i o n is wrong and is just result of poor investigating work and leads to disqualification of investigator(s) as result. As usually, I left aside moral of this - that is security forum first (as somebody reminded in a past). What is disturbing with new surveillance technologies is the trend to utilize them blindly putting aside brain/human analysis. They all just a tool, not decision making authority.
Most of your posting (same date and time as quote above) resonate with my concerns as well.
I have a dream (rather wishful thinking) that LEAs/Intel will use as a beacon making final decision on any their open or covert activity provisions of our Constitution (Bill of Rights). You know, dictator J. Stalin said 'hitlers' come and go, but peoples are staying. I'll say that Presidents, Senators, etc, are come and go, but Bill of Rights is staying.
@Rolf Weber. There is always space for improvement for BND and other LEAs/Intel in Germany. But to be fair, I admire what they did when bought CD from IT guy in Liechtenstein bank with all tax evasion information, and then openly declared to Germans what they have and how to avoid penalty by paying taxes by established deadline. And many Germans did, because they know BND and Co usually not bluffing. The problem is that Intel sometimes is using for financing covert operation same offshore banks as tax evaders, drug cartel, etc. That is why that is not the case with all Caribbean banks - just educated guess.

Peace of Mind • March 20, 2014 4:39 PM

The word is denial.

What has already happened is nothing fundamentally new, only the immense advance in efficiency and scope is new.

Everyone with primary education should be able to understand it: the US is running down the same path as the Third Reich and the Union of Soviet Socialist Republics. Only much worse.

Deny it all you want, that is what denial is all about. I don't think enough people will be outraged soon enough to avoid this becoming the new normal.

I think even Snowden (as well as Schneier and a lot of other informed people) is in denial, as he is clinging on to a mantra of "encryption works" when so much of his own information and even various public news-items blatantly show that encryption doesn't work.

sailor1031 • March 29, 2014 9:42 AM

Please, please, please can we stop confusing data and metadata. The number you called, when you called, how long you spoke, etc. are all data - not metadata.

The formats, lengths, descriptions of data items are metadata but not the data themselves. NSA has deliberately confused this issue to make it seem as if they are not actually collecting important data but that is just deceptive and completely dishonest. Unfortunately lazy, complaisant media go along with this.

Alastair McGowan • August 25, 2014 4:37 AM

What really needs challenging here is the way that the line drawn between innocence and guilt is being removed and replaced with a continuum of probabilities between a 'safe' citizen and one whose behavior is 'risky' - and who decides which crimes threaten society and which do not. This is currently most evident in terrorism, and here in the UK it is also clear in prosecution of sex crimes, and our system of Anti-Social Behavior Orders under which 'precursors to crime' invite sanctions from authorities.

What ever happened to habeas corpus? What happened to the adversarial system of law under which prosecuting authorities must collect sufficient good evidence to prove beyond reasonable doubt that a person has stepped over the line into illegal behaviour. This test of guilt occurs within a framework in which authorities are powerful investigators of randomly selected cases of suspicion, and defendants are entitled to provide no evidence but instead must powerfully argue about the proposed evidence in order to create reasonable doubt.

This test of guilt/innocence is at the root of Western criminal law and the relationship between Citizen and State but we seem to be replacing it with para-legal decisions taken at the level of suspicion only, and based on politically driven motivations. Metadata then arises as a tool for separating those who step close to (but not over) the line of legality from those who steer well away from it, cowed, chilled, and compliant. In a democracy everyone needs to feel empowered to step close to the line of legality otherwise the powerful will dominate society in their interests alone.

Metadata is the smoke that suggests a flame may have occurred, or will occur, but no quantity of it alone is evidence of the flame. We have a growing situation in the UK where police announce that they are investigating an alleged sex crime in the hope that other allegations will come forward. The attorney general warns that this is an attempt to 'build strong cases from many weak ones' - the analogy of a lot of smoke being used to infer 'beyond reasonable doubt' in the absence of a real flame.

The corollary to this is that any person the police or state wishes to target can be followed through their metadata until either enough smoke is discovered or a real piece of evidence of wrongdoing emerges. So we have to ask who chooses which patterns to follow, which citizens to follow up, who exercises the discretion and why? My brother recently reported a crime and the police seem reluctant to follow it up, but they will follow up other crimes. Who decides what to investigate? Are politics involved in these decisions? You bet they are. And that is where the threat to democracy lies.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.