What telephone metadata can reveal

Mathematician and former Sun Microsystems engineer Susan Landau explains to Democracy Now! host Amy Goodman how metadata can give you so much useful information that listening in to the conversation may not be necessary.

That’s because a phone call—the metadata of a phone call tells what you do as opposed to what you say. So, for example, if you call from the hospital when you’re getting a mammogram, and then later in the day your doctor calls you, and then you call the surgeon, and then when you’re at the surgeon’s office you call your family, it’s pretty clear, just looking at that pattern of calls, that there’s been some bad news. If there’s a tight vote in Congress, and somebody who’s wavering on the edge, you discover that they’re talking to the opposition, you know which way they’re vote is going.

One of my favorite examples is, when Sun Microsystems was bought by Oracle, there were a number of calls that weekend before. One can imagine just the trail of calls. First the CEO of Sun and the CEO of Oracle talk to each other. Then probably they both talk to their chief counsels. Then maybe they talk to each other again, then to other people in charge. And the calls go back and forth very quickly, very tightly. You know what’s going to happen. You know what the announcement is going to be on Monday morning, even though you haven’t heard the content of the calls. So that metadata is remarkably revealing.

When people try to excuse what the government did by saying that it was legal, what they may not be aware of is that the government was using a secret interpretation of Section 215 of the USA PATRIOT Act, the part under which these acts are being justified. As senator Ron Wyden warned,

The fact is, anyone can read the plain text of the PATRIOT Act, and yet many members of Congress have no idea how the law is being secretly interpreted by the executive branch, because that interpretation is classified. It’s almost as if there were two PATRIOT Acts, and many members of Congress have not read the one that matters. Our constituents, of course, are totally in the dark. Members of the public have no access to the secret legal interpretations, so they have no idea what their government believes the law actually means.

Note that the secret interpretation of the law in its use in the NSA snooping cases could not be challenged since the programs themselves were secret. So we have layer upon layer of secrecy, the net result of which is that the government feels that it can do almost any damn thing it wants to.


  1. says

    There’s a fantastic old book – formerly used to train signal intelligence analysts – called “Traffic Analysis and the Zendian Problem”, which is available:
    It’s a set of “intercepts” as an exercise the analyst can walk through to completely compromise the communications of a mythical country called “Zendia.’

    One of my more compulsive crypto-head friends actually completed the exercise – it was his idea of “fun”

  2. wtfwhatever says


    That was an excellent example. So now I wish to show you how you, in the implementation of this blog, are actually enabling the same sort of collection and pattern analysis of your visitors.

    1. First your blog states this, as do most wordpress blogs: "Your email address will not be published. Required fields are marked *"

    2. While my email is not published, what is published is an MD5 hash of my email (and every visitor's email)

    3. You can verify this for yourself.

    4. Go here http://www.miraclesalad.com/webtools/md5.php and type in your email address and then in the source to this page or any page you have commented on, search for that md5 hash.

    5, Add a comment to this page. Then view the source code to this page and search for your comment. WordPress will have created a link to a gravatar for you. If you are logged into gravatar that link will point to your photo. If you are NOT logged into gravatar or wordpress, that link will point to a non-random generic image, but the link will contain the mostly unique md5 hash of your email address. Search for the string "gravatar.com/avatar/" and then your md5 hash determined above.

    6. md5 hash is a cryptographic hash function that is mostly a 1:1 unique mapping from input string to hash. "MOSTLY" is critical. The hash itself cannot logically be claimed to be 'collision-resistant' but in practical matters, it is. See the wiki for md5.

    7. Google does not make it easy to search for these hash strings, but they are present in the code and they are usually represented as a string of 32 hexadecimal characters and all of them preceded by a fragment that points to gravatar.

    8. While google may not make it easy for you to search for them, it is trivial to build a specialized search engine to do so. Take the Udacity course "Introduction to Computer Science" -- that course will tell you the fundamentals on how to build such a search engine using Python. OR you can download one of dozens of free search engines and use those.

    9. Using MD5s, you can track any blog, or any forum that uses gravatars where the person has put in the same email address. EVEN if that person is not logged into Gravatar, and does not consent to gravatar tracking, the MD5 is placed in there. If a person signs in as "Anonymous" but uses the same "will not be published" email address, that same MD5 will be placed on the page.

    10. I do not know your email address, but it is relatively easy to build rainbow tables of common names, or famous names and search for the corresponding MD5 hashes, even if you are trying to remain anonymous on some other site.

    11. I do not know your email address, but your health insurance company and your employer might. Hey! The md5 of your email shows up on a liver cancer support forum! And at ashleymadison.com's help desk! What the what?


    People interested in privacy should always change the email address the give to wordpress sites. Just add a few digits to it.

    Sites strongly concerned with their user's privacy should not use Gravatar.

    Sites weakly concerned with their user's privacy should not say "your email will not be published" and should not make email address a requirement.

    For more information, google gravatar privacy leak. fwiw, WordPress/gravatar is well aware of this huge privacy leak on the web, but they don't consider it a leak, and they refuse to fix it.

    Are you certain that the NSA, which does know everyone’s email addresses. does not have this simple search engine?

  3. baal says

    I wonder if the cell phone’s pings to cell towers count as metadata. If so, that’s essentially 24/7 tracking of your phone’s location (as you drive to the office, the gym, the grocer, to pick up your kids, to your mistresses house etc).

  4. says

    Are you certain that the NSA, which does know everyone’s email addresses. does not have this simple search engine?

    It’s hardly Mano’s job to worry about that.

  5. says

    I wonder if the cell phone’s pings to cell towers count as metadata

    Of course. Handoffs, too.

    How do you think the FBI was able to tell who was present during the Stuebenville rape?

Leave a Reply

Your email address will not be published. Required fields are marked *