One of the documents disclosed by Edward Snowden was a FISA court order, issued under section 215 of the Patriot Act, mandating that Verizon provide records for all “communications (i) between the United States and abroad; or (ii) wholly within the United States, including local telephone calls.” This data included information on the identities of the sender and the receiver, the date, time, duration, location and other unique identifiers of the communications such as IMSI and IMEI numbers.
NSA and Obama administration officials have defended this collection as reasonable and limited because it does not include the content of the calls. A recent study on the "sensitivity" of telephone metadata, that is, how easy it is to draw sensitive inferences from metadata, provides evidence that contradicts the administration's claims:
We used crowd sourced data to arrive at empirical answers. Since November, we have been conducting a study of phone metadata privacy. Participants run the MetaPhone app on their Android smartphone; it submits device logs and social network information for analysis. In previous posts, we have used the MetaPhone dataset to spot relationships, understand call graph interconnectivity, and estimate the identifiability of phone numbers.

At the outset of this study, we shared the same hypothesis as our computer science colleagues—we thought phone metadata could be very sensitive. We did not anticipate finding much evidence one way or the other, however, since the MetaPhone participant population is small and participants only provide a few months of phone activity on average.

We were wrong. We found that phone metadata is unambiguously sensitive, even in a small population and over a short time window. We were able to infer medical conditions, firearm ownership, and more, using solely phone metadata.

It is also important to remember that the metadata collection program is only one of many different NSA programs that have been released. When President Obama claims that there is no collection of content, he is saying that this particular program does not collect content. The Wikipedia page on the global surveillance disclosures from 2013 to present is breathless in scope.