Your metadata and the law


Timothy B. Lee explains that your telephone metadata (i.e., all the information about your call other than the actual content of the conversations) can tell the government a lot more than whom you called, when, and for how long. Lee quotes from numerous examples given by Ed Felten, a professor of computer science at Princeton University who contributed to a brief for the ACLU, about what your metadata can reveal about you.

In some cases, a single call can reveal a lot.

Certain telephone numbers are used for a single purpose, such that any contact reveals basic and often sensitive information about the caller. Examples include support hotlines for victims of domestic violence and rape, including a specific hotline for rape victims in the armed services.

Similarly, numerous hotlines exist for people considering suicide, including specific services for first responders, veterans, and gay and lesbian teenagers. Hotlines exist for suffers of various forms of addiction, such as alcohol, drugs, and gambling.

In other cases, the pattern of calls can reveal what a single call cannot.

If a government employee suddenly begins contacting phone numbers associated with a number of news organizations and then the ACLU and then, perhaps, a criminal defense lawyer, that person’s identity as a prospective whistleblower could be surmised.

So by simply looking for patterns in your metadata, one can infer a lot of information about you, making the actual content sometimes superfluous. Lee concludes:

In short, the distinction between call metadata and call contents is not as clear in practice as it might seem in theory. Sucking up everyone’s phone records gives the government access to a lot of highly sensitive information, like whether you’ve had an affair, gotten an abortion, or provided secret information to a reporter. Felten’s examples give ammunition to those who believe the Supreme Court should revise its interpretation of the Fourth Amendment.

So what is the Supreme Court’s current view on the application of the Fourth Amendment when it comes to telephone metadata? Unfortunately, as is often the case with rapidly advancing technology, the courts tend to be behind the times. The foundational ruling on this issue harkens back to 1979 in Smith v. Maryland. In that case, a person convicted of robbery and then placing harassing and obscene phone calls to his victim appealed the decision saying that the police had obtained his phone calling history from the phone company without a warrant and then used that information to convict him. He lost his case.

In his opinion, justice Harry Blackmun said that when you call somebody, you are giving a third party, in this case the phone company, the number to call and hence you have voluntarily relinquished your privacy as to the number, although the contents of the call still require a warrant because for that there is still a “legitimate expectation of privacy”, since people do not expect the phone company to be listening in or recording it, though we know it has the capability to do so.

Petitioner in all probability entertained no actual expectation of privacy in the phone numbers he dialed, and even if he did, his expectation was not “legitimate.” First, it is doubtful that telephone users in general have any expectation of privacy regarding the numbers they dial, since they typically know that they must convey phone numbers to the telephone company and that the company has facilities for recording this information and does in fact record it for various legitimate business purposes. And petitioner did not demonstrate an expectation of privacy merely by using his home phone rather than some other phone, since his conduct, although perhaps calculated to keep the contents of his conversation private, was not calculated to preserve the privacy of the number he dialed. Second, even if petitioner did harbor some subjective expectation of privacy, this expectation was not one that society is prepared to recognize as “reasonable.” When petitioner voluntarily conveyed numerical information to the phone company and “exposed” that information to its equipment in the normal course of business, he assumed the risk that the company would reveal the information.

Blackmun cited as evidence that the phone company sends you a monthly bill where it lists all the numbers you called, so you know that they keep a record of your numbers. It is this precedent that the government is using to argue that the collection of metadata does not require a warrant.

But as Lee writes in another article:

Blackmun’s reasoning may have turned on the fact that automatic dialing was a relatively new development in 1979. Previously, telephone users had to tell a human operator which number they wished to reach, making it plausible to regard the phone company as an active participant in the phone-dialing process, but a mere passive conduit in transmitting the phone call itself.

Technological progress has rendered this distinction increasingly dubious. For example, cell phone companies now keep records about the locations of their customers’ phones. The government has argued that this “non-content” information should be available without a warrant. Yet such records amount to a detailed record of everywhere the phone’s owner has been in the past month; a much more intrusive form of surveillance than a list of the phone numbers a customer has dialed.

The third party doctrine also suggests that the users of cloud e-mail providers don’t even enjoy Fourth Amendment protections in the contents of their messages, since those have been voluntarily shared with third parties such as Google and Microsoft. One appeals court has ruled that a warrant is required, but so far most other courts have not followed that precedent.

Things are much different now from 1979. So what are the ‘legitimate expectations of privacy’ now since the metadata that is generated and stored is far more extensive and intrusive? On the one hand, it could be argued that people now have a “legitimate expectation of privacy” that is in fact more extensive than it was in 1979 and could extend to even the phone numbers and email addresses since everything is automated and the actual number of humans directly routinely viewing that information is smaller. On the other hand, some people have become wearily resigned to the fact that they are under constant surveillance, if not by the government then by commercial companies and their employers, and so may have lower expectations of privacy. So the issue may be ripe for re-evaluation.

However, given the much greater deference courts now give to the government’s authority, especially when the latter invokes the ‘war on terror’ excuse, I am not hopeful that they will come down on the side of greater privacy.

Comments

  1. Lassi Hippeläinen says

    If your operator knows the number you phoned to, it doesn’t mean that the whole world knows it. In fact, you can expect that only the operator knows it. (Not even the called party knows, unless she receives the call, and your number isn’t secret.) There is legal precedent to this. E.g. here in Europe the operators were(*) allowed to keep the metadata only for billing purposes, and only for three months. After that it had to be erased. The police could not get it, unless they had a court order.

    There are three separate issues in Lawful Interception:
    1. Collecting the metadata. Routine for the operators, because they need it for billing purposes.
    2. Handing the collected metadata over to authorities. Requires control for the reasons mentioned above.
    3. Collecting the content. Has to be prearranged.
    Don’t let the spooks confuse you by claiming that all three can -- and should -- be treated the same.

    (*) The time limit has changed, IIRC to “at least two years”, because of pressure from law encorcement.

  2. unbound says

    It’s a good thing that the Supreme Court justices are very old. They aren’t bothered by the roaring of the massive jet of “not getting it” flying right over their heads…

  3. DonDueed says

    Automatic dialing was hardly new, or even relatively new, in 1979. It was widespread by the 1940s at least. By 1979 only a very few rural areas would still require the intervention of a human operator.

    Of course, it’s possible that the justices on the court at that time may have grown up in the era when you had to tell Mabel down at the post office who you were calling. I’d be surprised if that was on the minds of the justices, though. The Smith decision sounds like a hair-split in favor of law enforcement.

  4. says

    It’s pretty clear that all this stuff is just fig-leafing: they’re going to do whatever they want. They always have. The FBI has always tapped whatever it wants -- legally or otherwise -- what we’re seeing is that as the police state continues to expand, the criminality expands with it.

    I assume you know the Postal Service gives address information to the FBI as well? Because apparently who you send mail to or get it from isn’t private, either.

  5. AsqJames says

    petitioner did not demonstrate an expectation of privacy merely by using his home phone rather than some other phone

    In other words, if you don’t take extraordinary measures to protect the privacy of your communications (only a tiny percentage of phone calls these days are not made from numbers tied to an identifiable individual, so using (for example) a pay phone is in itself extraordinary), the police/spooks have a right to monitor them.

    On the other hand, if you do take extraordinary measures to protect the privacy of your communications you’re clearly behaving in a suspicious manner, which means the police/spooks have an active duty to monitor such methods even more closely.

    That’s some catch that catch 22, eh?

Leave a Reply

Your email address will not be published. Required fields are marked *