6/19/2013
11:53 AM

What Prism Knows: 8 Metadata Facts

Data traffic analysis could provide "megadata" intelligence agencies can use to cross-reference information using big data techniques.

One of the biggest worries triggered by Edward Snowden's National Security Agency (NSA) leaks concerns the scale of data being collected by the intelligence agency.

Government officials have said that while various NSA programs capture different types of data, including metadata relating to phone numbers and call duration, that information is used only to investigate foreigners, unless the FBI first convinces a judge to issue a warrant based on probable cause.

Still, the NSA appears to be collecting records on millions of innocent Americans, and then storing the information until it may be needed at a later date. The agency's supporters, including President Barack Obama, have said that the program makes the country more secure without compromising privacy. According to news reports, advanced search algorithms are used to ensure that information is accessed -- again, without a court order -- only on people who appear to be foreigners.

On the flip side, Center for Democracy and Technology (CDT) president and CEO Leslie Harris said, "There is no algorithm exception to the 4th Amendment," referring to the Constitution's prohibitions on unreasonable searches.


Is either side fully right or wrong? Here are eight facts relating to the U.S. government's capture and use of metadata:

1. What Can Metadata Do?

For starters, Bruce Schneier, chief security technology officer of BT, said the metadata in question is more accurately known as "traffic analysis". Nomenclature aside, traffic analysis offers powerful possibilities for identifying whoever's behind the communications. A recently published Nature study found that human mobility traces are highly unique. Based on data collected by researchers on 1.5 million people over a 15-month period, given just four data points -- involving location and time -- they could uniquely identify 95% of the individuals, and by picking two random points, correctly identify half of the people being tracked.
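The measurement behind that finding can be reproduced on a small scale. The following is an added example, not code from the article or from the Nature study: it computes the fraction of p-point subsets of each user's trace that match exactly one user, using a constructed four-user dataset and exhaustive enumeration instead of the study's random sampling. The names `TRACES`, `matching_users` and `unicity` are assumptions made for this illustration.

```python
from itertools import combinations

# Constructed sample data (not real): user -> set of (cell_id, hour) sightings.
TRACES = {
    "u1": {("A", 8), ("B", 9), ("C", 18), ("D", 22)},
    "u2": {("A", 8), ("B", 9), ("E", 18), ("D", 22)},
    "u3": {("A", 8), ("F", 9), ("C", 18), ("G", 22)},
    "u4": {("H", 8), ("B", 9), ("C", 18), ("D", 22)},
}


def matching_users(traces, points):
    """Return the users whose trace contains every one of the known points."""
    known = set(points)
    return [user for user, trace in traces.items() if known <= trace]


def unicity(traces, p):
    """Fraction of (user, p-point subset) pairs that single out one user.

    Every p-point subset of every trace is tested, so the result is exact
    for the dataset given (the study sampled points at random instead).
    """
    unique = total = 0
    for trace in traces.values():
        for subset in combinations(sorted(trace), p):
            total += 1
            if len(matching_users(traces, subset)) == 1:
                unique += 1
    return unique / total if total else 0.0


if __name__ == "__main__":
    # Re-identification risk rises quickly with the number of known points,
    # even though no name or content is stored anywhere in TRACES.
    for p in range(1, 5):
        print(f"{p} known point(s): {unicity(TRACES, p):.0%} of subsets are unique")
```

Running the same function over a real dataset before release gives a direct estimate of how many records an outside party could single out from a handful of known sightings.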

2. Should Intelligence Agencies Be Allowed to Collect Everything?

What are the intelligence ramifications of the Nature study? "When paired with emerging 'big data' analytics techniques, metadata can ultimately prove to be more valuable, and potentially even more illuminating, than the 'data' itself," said CDT researcher Aubra Anthony in a blog post. "Right now, the government's interpretation of Patriot [Act] Section 215 doesn't seem properly limited to protect the privacy of innocent Americans. In fact, the collection of this metadata seems unlimited in scope and duration."

3. Obama: Collection Doesn't Equal Access

Many people have balked at having details related to every call they make recorded. But according to Obama, who's defended the NSA's programs, the data is rarely used. "If you're a U.S. person, then NSA is not listening to your phone calls and it's not targeting your emails unless it's getting an individualized court order," Obama told Charlie Rose in an interview broadcast Monday night on PBS.

Furthermore, Obama said, such a court order would result only if the FBI could demonstrate probable cause to a judge. "[It's] the same way it's always been, the same way when we were growing up and we were watching movies, you want to go set up a wiretap, you got to go to a judge, show probable cause."

4. Obama: This Program Doesn't Track Location Data

While a little location and time data could quickly allow investigators to create positive matches, according to President Obama, the NSA's phone-record interception program doesn't capture location data. "There are two programs that were revealed by Mr. Snowden, allegedly. ... Program number one, called the 2015 Program, what that does is it gets data from the service providers like a Verizon in bulk, and basically you have call pairs," Obama explained. "You have my telephone number connecting with your telephone number. There are no names. There is no content in that database. All it is, is the number pairs, when those calls took place, how long they took place. So that database is sitting there."

Given a "reasonable, articulable suspicion that this might involve foreign terrorist activity related to Al-Qaeda and some other international terrorist actors" -- perhaps from the CIA or New York Police Department -- then the NSA, with a court order, will perform narrow queries on the database to see if the phone number has been recorded, and if so, what other numbers it was used to contact. At that point, Obama explained, a related report will be generated and passed to the FBI.

Comments
MikeSMJ,
User Rank: Apprentice
6/19/2013 | 9:22:40 PM
re: What Prism Knows: 8 Metadata Facts
As Bruce Schneier pointed out, the metadata can be more important, and more useful in investigations, than the data. In fact, with "Big Data" research techniques, the metadata can be used to find "key individuals" and clusters of individuals for any community of interest.

That is, the same techniques that are used to identify "potential" terrorists can be used to identify gun control activists, or women's rights activists, or (let's keep this balanced) "states rights" activists.

Once any organization - particularly a government - has this kind of power available, it becomes next to impossible to prevent its use for other purposes than the original intent. There is nothing to prevent the government from deciding that these interest groups are somehow a "danger to the society", and restricting their "freedom of expression and assembly, freedom from arbitrary detention, and the right to petition the government for a redress of grievances." Under the circumstances, I believe that James A. Lewis is being naive to assert that this kind of invasion of privacy is not dangerous.
Truthsmith,
User Rank: Apprentice
6/21/2013 | 5:24:36 PM
re: What Prism Knows: 8 Metadata Facts
The argument by Lewis: if it safeguards people's political liberties, then capturing metadata is a useful technique. "The essential political rights are freedom of expression and assembly, freedom from arbitrary detention, and the right to petition the government for a redress of grievances," Lewis said. "If these four rights are protected, surveillance is immaterial in its effect on civil liberties."

He points to four essential "political liberties" as if they are the ones that count, as if they are the only ones that count. Note that he left out another very important one, the one that is DIRECTLY violated by the NSA practices:

Amendment 4: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

The NSA's massive metadata collection is absolutely UNREASONABLE SEARCH. We all know that. Blabbing on about these other four "rights" reminds me of the rich young ruler that obeyed four commandments, but he failed on the biggest one, because he loved his riches more than God.
Andrew Hornback,
User Rank: Apprentice
6/26/2013 | 3:05:36 AM
re: What Prism Knows: 8 Metadata Facts
The major problem with Mr. Lewis' point is that if we had a benevolent government that we could trust, this would be an entirely different kettle of fish. Problem is, in 2013, there's a serious divide in the American political spectrum and programs like these can be abused for political gains. One needs only look at the fallout surrounding the IRS scandal to rest assured of that and the point that Marlinspike brings up not only echoes that but amplifies it.

People need to remember that there is an entire cottage industry out there based solely on the collection and aggregation of your personal data and the resale of that data to organizations for any use they deem fit - whether it be advertising (a benign use) or something more sinister.

The really major issue that I have with these programs is that public knowledge of these collection efforts leads to interest from organizations that don't have the best interests of the American people at heart.

Imagine what happens if a group like Anonymous or an enemy power gains access to all of your personal data. Would you ever feel safe again? And given that the number of attacks is escalating on a year over year basis as well... it's just a matter of time. Identity theft may well be the tip of the iceberg...

Andrew Hornback
InformationWeek Contributor