Co-authored with Patrick Mutchler.
MetaPhone is a crowdsourced study of phone metadata. If you own an Android smartphone, please consider participating. In earlier posts, we reported how automated analysis of call and text activity can reveal private relationships, as well as how phone subscribers are closely interconnected.
“You have my telephone number connecting with your telephone number,” explained President Obama in a PBS interview. “[T]here are no names . . . in that database.”
Versions of this argument have appeared frequently in debates over the NSA’s domestic phone metadata program. The factual premise is that the NSA only compels disclosure of numbers, not names. One might conclude, then, that there isn’t much cause for privacy concern.
Co-authored with Patrick Mutchler.
MetaPhone is a crowdsourced study of phone metadata. If you own an Android smartphone, please consider participating. In an earlier post, we reported how automated analysis of call and text activity can detect private relationships.
Does the National Security Agency have court authority to pore over your phone records? Quite possibly.
Co-authored with Patrick Mutchler.
Two weeks ago we kicked off the MetaPhone project, a crowdsourced study of phone metadata. Our aim is to inform policy and legal debates surrounding dragnet surveillance programs. We are exceedingly grateful to the hundreds of users who have joined. If you have not yet participated, you can still grab the MetaPhone app for Android.
Today we are excited to share some preliminary results: We can predict many romantic relationships. Automatically. Using solely phone metadata.
Original at Stanford CIS.
Co-authored with Patrick Mutchler. This is a project of the Stanford Security Lab.
We’re studying the National Security Agency, and we need your help.
The NSA has confirmed that it collects American phone records. Defenders of the program insist it has little privacy impact and is “not surveillance.”
Like many computer scientists, we strongly disagree. Phone metadata is inherently revealing. We want to rigorously prove it—for the public, for Congress, and for the courts.
That’s where you come in. We’re crowdsourcing the data for our study. We’ll measure how much of your Facebook information can be inferred from your phone records.
Participation takes just a few minutes. You’re eligible if you’re in the United States, use an Android smartphone, and have a Facebook account.
To get started, grab the MetaPhone app from Google Play.
Consider this a bug report for the National Security Agency and its overseers. Dragnet online surveillance may be directed at international activity. But it nonetheless ensnares ordinary Americans as they browse domestic websites.
The spy outfit admits to vacuuming vast quantities of network traffic as it passes through the United States. Some taps are on the nation’s borders; others are on the domestic Internet backbone. International partner agencies, most prominently the UK’s Government Communications Headquarters, contribute to the NSA’s reach. Recent leaks have provided substantial detail: Under the Marina program, the agency appears to retain web browsing activity for a year.[1] The XKeyscore system offers at least one way for analysts at the NSA and cooperating services to efficiently query both historical and realtime data.
Agency apologists are quick to point out that the snooping has limits. The NSA only acquires online communications when a sender or recipient seems international. Doing otherwise might, in their view, violate congressional restrictions or constitutional protections.
Tough luck for foreigners. But if you’re within the United States, the notion goes, you don’t have much cause for concern.
That’s wrong. Americans routinely send personal data outside the country. They just might not know it.
Both houses of the California legislature have unanimously approved AB 370, a Do Not Track initiative that is backed by Attorney General Harris. If Governor Brown signs the bill, it will be the first Do Not Track law worldwide. So, what would it do? More and less than a casual reader might expect.
Critics of consumer privacy protections frequently invoke revealed preference as a justification for laissez-faire policy. If users really cared about their privacy, the argument goes, we should expect to see revolts against intrusive practices. A number of scholars have demonstrated pervasive information asymmetries[1] and bounded rationality[2] in consumer privacy choices; the decisions that users actually make about online privacy can hardly be expected to reflect their actual preferences.
But let’s suppose that consumers and online firms are fully informed and completely rational. The economic story that consumers value their privacy less than the marginal income from privacy intrusions is certainly consistent with market behavior.
We should not, however, conclude that the status quo is optimal. There is another congruent economic story, where privacy intrusions are inefficient but nevertheless result owing to transaction costs and competition barriers. This post relates the alternative economic story with two possible examples, then closes with policy implications.
Sunday’s New York Times included a story about how the presidential campaigns are making extensive use of third-party web trackers. In response to privacy concerns, “[o]fficials with both campaigns emphasize[d] that [tracking] data collection is ‘anonymous.’”[1]
The campaigns are wrong: tracking data is very often identified or identifiable. Arvind Narayanan has previously written a comprehensive and accessible explanation of why web tracking is hardly anonymous; my survey paper on web tracking provides more extensive discussion.
One of the ways in which web tracking data can become identified or identifiable is “leakage”—data flowing to trackers from the websites that users interact with. Leakage most commonly occurs when a website includes identifying information in a page URL or title. Embedded third parties receive the identifying information if they receive the URL (e.g. referrer headers) or the title (e.g. document.title). Even a little identifying information leakage thoroughly undermines the privacy properties of web tracking: once a user’s identity leaks to a tracker, all of the tracker’s past, present, and future data about the user becomes identifiable.
Web services frequently fail to account for information leakage in their design and testing; a study I conducted last year found that over half of popular websites were leaking identifying information.[2] More than a few website operators have made inaccurate representations about the information they share with third parties; in just the past year the Federal Trade Commission settled deception claims against both Facebook and Myspace for falsely disclaiming identifying information leakage.
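The two leakage channels described above can be modelled directly. The following is an added example, not code from the original post or from the study it cites: it computes what an embedded third-party script would receive as the referrer under several Referrer-Policy values, reads the page title the way any script on the page can, and flags e-mail addresses and identity-bearing query parameters in what reaches the tracker. The page URL, title, tracker origin and the list of parameter names treated as identifying are constructed for the demonstration; the referrer rules follow the Referrer-Policy specification, with one simplification noted in the comments.

```javascript
// Added example (not from the original post): model what a third-party script
// embedded on a page receives via the referrer header and document.title, and
// flag identifying information in it. All sample values below are constructed.

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;

// Query parameter names treated as identity-bearing. Assumed list for illustration.
const IDENTIFYING_PARAMS = new Set(['email', 'name', 'first_name', 'last_name', 'user', 'uid', 'zip']);

// Referrer value the browser sends with a request to thirdPartyOrigin from pageUrl.
// The URL fragment is never sent. Simplification: the https->http "downgrade" check
// only looks at the scheme of the two origins, which is what the spec compares too.
function referrerSentTo(pageUrl, thirdPartyOrigin, policy) {
  const page = new URL(pageUrl);
  const target = new URL(thirdPartyOrigin);
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === 'https:' && target.protocol === 'http:';
  const full = page.origin + page.pathname + page.search;
  const originOnly = page.origin + '/';
  switch (policy) {
    case 'no-referrer':                    return '';
    case 'no-referrer-when-downgrade':     return downgrade ? '' : full; // the historical browser default
    case 'origin':                         return originOnly;
    case 'same-origin':                    return sameOrigin ? full : '';
    case 'strict-origin':                  return downgrade ? '' : originOnly;
    case 'strict-origin-when-cross-origin': // current browser default
      if (sameOrigin) return full;
      return downgrade ? '' : originOnly;
    case 'unsafe-url':                     return full;
    default: throw new Error('unsupported policy: ' + policy);
  }
}

// E-mail addresses appearing anywhere in a string (URL, title, ...).
function findEmails(text) {
  return text.match(EMAIL_RE) || [];
}

// Query parameters in a URL whose names mark them as identity-bearing.
function identifyingParams(url) {
  const out = [];
  for (const [k, v] of new URL(url).searchParams) {
    if (IDENTIFYING_PARAMS.has(k.toLowerCase())) out.push(`${k}=${v}`);
  }
  return out;
}

// What identifying data the third party ends up holding for one page load.
// The title leaks regardless of referrer policy: document.title is readable by
// every script the page embeds, so only the page author can fix that channel.
function auditLeak(pageUrl, pageTitle, thirdPartyOrigin, policy) {
  const referrer = referrerSentTo(pageUrl, thirdPartyOrigin, policy);
  const leaked = new Set([
    ...findEmails(referrer),
    ...(referrer ? identifyingParams(referrer) : []),
    ...findEmails(pageTitle),
  ]);
  return { referrer, leaked: [...leaked] };
}

// Constructed sample: a donation "thank you" page that puts the donor's e-mail in
// both the URL and the title, with an analytics script from a separate origin.
const SAMPLE_PAGE_URL = 'https://donate.example-campaign.org/thanks?email=jane.doe@example.com&amount=25';
const SAMPLE_TITLE = 'Thanks, Jane Doe (jane.doe@example.com)!';
const SAFE_TITLE = 'Thank you!';
const TRACKER_ORIGIN = 'https://tracker.example-analytics.net';

for (const policy of ['no-referrer-when-downgrade', 'strict-origin-when-cross-origin', 'no-referrer']) {
  const leakyPage = auditLeak(SAMPLE_PAGE_URL, SAMPLE_TITLE, TRACKER_ORIGIN, policy);
  const fixedTitle = auditLeak(SAMPLE_PAGE_URL, SAFE_TITLE, TRACKER_ORIGIN, policy);
  console.log(`${policy}: referrer="${leakyPage.referrer}" leaked=[${leakyPage.leaked}] ` +
              `after removing identity from title=[${fixedTitle.leaked}]`);
}
```

The run shows the practical point: a strict referrer policy (or simply not placing identifiers in URLs) closes the referrer channel, but the e-mail address still reaches the tracker through the title until the page author removes it; both the URL and the title have to be clean before the tracker's data can plausibly be called anonymous.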
The Times coverage piqued my curiosity: Are the campaigns identifying their supporters to third-party trackers? Are they directly undermining the anonymity properties that they are so quick to invoke?
Yes, they are. I tested the two leading candidate websites using the methodology from my prior study of identifying information leakage. Both leak. The following sections describe my observations from the Barack Obama and Mitt Romney campaign websites.