PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

metadata pic blog 1

 by Daniel J. Solove

Over at Slate, Dahlia Lithwick and Steve Vladeck have a great piece about why “metadata” matters. It is very much worth reading. Here are some of my thoughts on the matter.

Several National Security Agency (NSA) surveillance programs involve gathering metadata about our communications (the numbers we call or the email addresses we email). This data is distinguished from the content of the communications, which is understood to be more sensitive and important. Sometimes, metadata is referred to as “envelope” information because it is akin to an envelope we send a letter in – and the letter itself is the “content” information.

Is the envelope information really that sensitive? “Nobody is listening to your telephone calls,” President Obama declared. Intelligence agencies are “looking at phone numbers and durations of calls; they are not looking at people’s names, and they’re not looking at content.” So should we breathe easier?

The answer is no. There are several reasons why the privacy of metadata matters tremendously.

1. Whom someone is talking to may be just as sensitive as what’s being said.

A person’s entire network of friends, doctors, lawyers, religious leaders, and others whom they communicate with can be quite revealing about their lives. Gathering metadata implicates the First Amendment right to freedom of association, as we have a right to associate with various political groups without being chilled by the government keeping tabs.

2. Through the aggregation effect, innocuous small pieces of data can readily be combined to form a more revealing portrait of a person.

In what I have termed “the aggregation effect” – adding together tiny bits of data like a Seurat painting – a bunch of little dots can combine to paint a portrait. And so it is with metadata. Add it up over time, and it becomes extremely revealing. I explained it best in my book, Understanding Privacy: “A piece of information here or there is not very telling. But when combined together, bits and pieces of data begin to form a portrait of a person. The whole becomes greater than the parts. This occurs because combining information creates synergies. When analyzed, aggregated information can reveal new facts about a person that she did not expect would be known about her when the original, isolated data was collected.” And I explained why aggregation is an especially large privacy concern today: “Aggregating information is certainly not a new activity. It was always possible to combine various pieces of personal information, to put two and two together to learn something new about a person. But aggregation’s power and scope are different in the Information Age; the data gathered about people is significantly more extensive, the process of combining it is much easier, and the technologies to analyze it are more sophisticated and powerful.”

3. The content-envelope distinction doesn’t make sense in today’s world.

The content-envelope distinction was created by the U.S. Supreme Court, which held in a series of Fourth Amendment cases in the 1970s that envelope (or metadata) information wasn’t protected by the Fourth Amendment. The law ever since has held to this distinction. The key case was Smith v. Maryland, 442 U.S. 745 (1979), which held that the phone numbers a person dialed weren’t protected by the Fourth Amendment partly because the phone company had access to them and partly because phone numbers weren’t viewed to be as sensitive as phone calls.

This case was decided long before the ability to gather, maintain, and analyze reams of metadata. And it was before the Internet, where IP addresses and URLs blur the content-envelope distinction. These sometimes seem like metadata, but they also involve content. IP addresses can reveal a map of how a person surfs the Internet. And URLs can even contain search terms. Are they content or envelope?

The distinction is silly in today’s age. Instead of blanket assumptions about the relative sensitivity of content and envelope information, based on a 1970s mentality, all personal data should be protected by the Fourth Amendment. I hope one day that the U.S. Supreme Court will revisit these unfortunate 1970s decisions and rethink.

After so many revelations of NSA overreaching, it seems as though there’s only one thing that the NSA hasn’t sucked up in its gigantic data vacuum cleaners – the U.S. Constitution. The NSA apparently thinks it lives in a Constitution-free zone. But not only does the Fourth Amendment protect us against the kind of dragnet surveillance the NSA is doing, but also the First Amendment, which guarantees the right to freedom of speech, thought, consumption of ideas, religion, and association. These rights are also severely compromised by the gathering of metadata.

****

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics.  This post was originally posted on his blog at LinkedIn, where Solove is an “LinkedIn Influencer.” His blog has more than 600,000 followers.

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter

Please join one or more of Professor Solove’s LinkedIn Discussion Groups:
* Privacy and Data Security
* HIPAA Privacy & Security
* Education Privacy and Data Security