MetaPhone: The NSA’s Got Your Number

Co-authored with Patrick Mutchler.

MetaPhone is a crowdsourced study of phone metadata. If you own an Android smartphone, please consider participating. In earlier posts, we reported how automated analysis of call and text activity can reveal private relationships, as well as how phone subscribers are closely interconnected.

“You have my telephone number connecting with your telephone number,” explained President Obama in a PBS interview. “[T]here are no names . . . in that database.”

Versions of this argument have appeared frequently in debates over the NSA’s domestic phone metadata program. The factual premise is that the NSA only compels disclosure of numbers, not names. One might conclude, then, that there isn’t much cause for privacy concern.
… 

MetaPhone: The NSA Three-Hop

Co-authored with Patrick Mutchler.

MetaPhone is a crowdsourced study of phone metadata. If you own an Android smartphone, please consider participating. In an earlier post, we reported how automated analysis of call and text activity can detect private relationships.

Does the National Security Agency have court authority to pore over your phone records? Quite possibly.
… 

MetaPhone: Seeing Someone?

Co-authored with Patrick Mutchler.

Two weeks ago we kicked off the MetaPhone project, a crowdsourced study of phone metadata. Our aim is to inform policy and legal debates surrounding dragnet surveillance programs. We are exceedingly grateful to the hundreds of users who have joined. If you have not yet participated, you can still grab the MetaPhone app for Android.

Today we are excited to share some preliminary results: We can predict many romantic relationships. Automatically. Using solely phone metadata.
… 

Saving Your Cryptographic Front Door

Does the Fourth Amendment protect SSL keys? Not really, argues the executive branch in Lavabit’s appeal. “[A] business cannot prevent the execution of a search warrant by locking its front gate.”1

True enough. But a business does have a constitutional right to keep that gate intact. When executing a warrant, officers must ordinarily announce themselves and afford an opportunity to open up.
… 

What’s In Your Metadata?

Original at Stanford CIS.

Co-authored with Patrick Mutchler. This is a project of the Stanford Security Lab.

We’re studying the National Security Agency, and we need your help.

The NSA has confirmed that it collects American phone records. Defenders of the program insist it has little privacy impact and is “not surveillance.”

Like many computer scientists, we strongly disagree. Phone metadata is inherently revealing. We want to rigorously prove it—for the public, for Congress, and for the courts.

That’s where you come in. We’re crowdsourcing the data for our study. We’ll measure how much of your Facebook information can be inferred from your phone records.

Participation takes just a few minutes. You’re eligible if you’re in the United States, use an Android smartphone, and have a Facebook account.

To get started, grab the MetaPhone app from Google Play.

Why Data Center Tapping is (Legally) Different

Last week the Washington Post broke news that the National Security Agency has collected international traffic between Google and Yahoo data centers. I happened to be delivering a course lecture on signals intelligence the same day, so I made brief mention of the program—and how it appears particularly aggressive under the Fourth Amendment.

A sharp student pressed for specifics. How, he asked, could data center tapping be more legally questionable than previously leaked surveillance initiatives? This post is an expanded and refined version of my response.

In short: The firms evade Fourth Amendment pitfalls of citizenship, personal interest, and metadata. They also have enough evidence to establish standing. Finally, the NSA would have difficulty demonstrating that its surveillance was reasonable.

… 

The Web Is Flat

Consider this a bug report for the National Security Agency and its overseers. Dragnet online surveillance may be directed at international activity. But it nonetheless ensnares ordinary Americans as they browse domestic websites.

The spy outfit admits to vacuuming vast quantities of network traffic as it passes through the United States. Some taps are on the nation’s borders; others are on the domestic Internet backbone. International partner agencies, most prominently the UK’s Government Communications Headquarters, contribute to the NSA’s reach. Recent leaks have provided substantial detail: Under the Marina program, the agency appears to retain web browsing activity for a year.1 The XKeyscore system offers at least one way for analysts at the NSA and cooperating services to efficiently query both historical and realtime data.

Agency apologists are quick to point out that the snooping has limits. The NSA only acquires online communications when a sender or recipient seems international. Doing otherwise might, in their view, violate congressional restrictions or constitutional protections.

Tough luck for foreigners. But if you’re within the United States, the notion goes, you don’t have much cause for concern.

That’s wrong. Americans routinely send personal data outside the country. They just might not know it.
… 

Do Not Track in California

Both houses of the California legislature have unanimously approved AB 370, a Do Not Track initiative that is backed by Attorney General Harris. If Governor Brown signs the bill, it will be the first Do Not Track law worldwide. So, what would it do? More and less than a casual reader might expect.
… 

Legislating NSA Crypto Circumvention

The National Security Agency works to circumvent cryptography. In the abstract, that’s hardly objectionable—legitimate intelligence targets may adopt security measures. Concerns arise, however, when the NSA subverts the technologies that ordinary consumers and businesses rely upon. Longstanding conventional wisdom in the computer security community has been that the NSA works to insert backdoors into crypto standards and security products, and that the agency hoards vulnerabilities in popular crypto algorithms and implementations. Widely read reports recently confirmed these views.

The go-to recommendation among many security experts has been deployment of additional protective measures. That’s an appealing near-term option for sophisticated users and companies. It’s largely impractical for ordinary users, however. And adding more crypto won’t restore damaged trust, shut potentially risky backdoors, or patch vulnerable systems.
… 

Advancing Empirical Legal Scholarship: Federal Trial Opinions and Rules

In earlier posts I have shared XML versions of certain legal materials, including federal statutes, appellate opinions, and appellate rules. My aim has been to assist empirical legal scholars by providing machine-readable government documents.

Additional legal materials accompany this post, including federal trial-level opinions and rules. Suggestions from the research community remain very much welcome.

…