Is telephone metadata sensitive? The debate has taken on new urgency since last summer’s NSA revelations; all three branches of the federal government are now considering curbs on access. Consumer privacy concerns are also salient, as the FCC assesses telecom data sharing practices.
President Obama has emphasized that the NSA is “not looking at content.” “[T]his is just metadata,” Senator Feinstein told reporters. In dismissing the ACLU’s legal challenge, Judge Pauley shrugged off possible sensitive inferences as a “parade of horribles.”
On the other side, a number of computer scientists have expressed concern over the privacy risks posed by metadata. Ed Felten gave a particularly detailed explanation in a declaration for the ACLU: “Telephony metadata can be extremely revealing,” he wrote, “both at the level of individual calls and, especially, in the aggregate.” Holding the NSA’s program likely unconstitutional, Judge Leon credited this view and noted that “metadata from each person’s phone ‘reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.’”
This is, at base, a factual dispute. Is it easy to draw sensitive inferences from phone metadata? How often do people conduct sensitive matters by phone, in a manner reflected by metadata?
We used crowdsourced data to arrive at empirical answers. Since November, we have been conducting a study of phone metadata privacy. Participants run the MetaPhone app on their Android smartphone; it submits device logs and social network information for analysis. In previous posts, we have used the MetaPhone dataset to spot relationships, understand call graph interconnectivity, and estimate the identifiability of phone numbers.
At the outset of this study, we shared the same hypothesis as our computer science colleagues—we thought phone metadata could be very sensitive. We did not anticipate finding much evidence one way or the other, however, since the MetaPhone participant population is small and participants only provide a few months of phone activity on average.
We were wrong. We found that phone metadata is unambiguously sensitive, even in a small population and over a short time window. We were able to infer medical conditions, firearm ownership, and more, using solely phone metadata.
We began by identifying the MetaPhone participants’ contacts. We used the same approach as in our prior work on number identifiability, matching phone numbers against the public Yelp and Google Places directories. In total, our 546 participants contacted 33,688 unique numbers. 6,107 of those numbers (18%) resolved to an identity.
Next, we labeled the contacts that appeared related to a sensitive activity or trait. In most instances, an organization’s line of business was apparent from its name. Where there was ambiguity, we used simple Google queries to learn more.
We present two sets of results. First, we provide an analysis of individual calls to sensitive numbers. Second, we relate several patterns of calls to emphasize the detail available in telephone metadata.
Individual Call Results
Many organizations have a narrow purpose, such that an individual call gives rise to sensitive inferences. If a person reaches out to a political campaign, for example, it seems highly probable that the person supports the candidate. Similarly, if a person speaks at length with a religious institution, it appears likely that the person is of that faith. A further inference could also be made, that the person worships at that particular institution.
We found numerous calls within our dataset that give rise to these sorts of straightforward inferences. The following table presents the proportion of participants who had at least one call with each category of sensitive organization.
|Category||Participants with ≥ 1 Calls|
|Recruiting and Job Placement||10%|
|Firearm Sales and Repair||7%|
|Political Officeholders and Campaigns||4%|
The case of religious organizations gave us an opportunity to check the precision of our inferences. Since the MetaPhone app collects a user’s religion from his or her Facebook profile, we could compare phone metadata inferences against ground truth.
There were 15 participants with both a well-defined religious status on Facebook (including atheism) and phone contact with a religious organization. Using just the naïve assumption that a person’s most-called religion is their own religion, we accurately identified the religious status of 11 of the 15 (73%).
Many numbers were associated with specialized products or services, particularly within professional fields. In medicine, for example, we were able to easily categorize phone numbers by specialty practice area.
|Category||Participants with ≥ 1 Calls|
|Dentistry and Oral Health||18%|
|Mental Health and Family Services||8%|
|Ophthalmology and Optometry||6%|
|Sexual and Reproductive Health||6%|
|Rehabilitation and Physical Therapy||3%|
|Emergency or Urgent Care||2%|
|Ear, Nose, and Throat||1%|
The degree of sensitivity among contacts took us aback. Participants had calls with Alcoholics Anonymous, gun stores, NARAL Pro-Choice, labor unions, divorce lawyers, sexually transmitted disease clinics, a Canadian import pharmacy, strip clubs, and much more. This was not a hypothetical parade of horribles. These were simple inferences, about real phone users, that could trivially be made on a large scale.
A pattern of calls will often, of course, reveal more than individual call records. During our analysis, we encountered a number of patterns that were highly indicative of sensitive activities or traits. The following examples are drawn directly from our dataset, using number identification through public resources. Though most MetaPhone participants consented to having their identity disclosed, we use pseudonyms in this report to protect participant privacy.
Participant A communicated with multiple local neurology groups, a specialty pharmacy, a rare condition management service, and a hotline for a pharmaceutical used solely to treat relapsing multiple sclerosis.
Participant B spoke at length with cardiologists at a major medical center, talked briefly with a medical laboratory, received calls from a pharmacy, and placed short calls to a home reporting hotline for a medical device used to monitor cardiac arrhythmia.
Participant C made a number of calls to a firearm store that specializes in the AR semiautomatic rifle platform. They also spoke at length with customer service for a firearm manufacturer that produces an AR line.
In a span of three weeks, Participant D contacted a home improvement store, locksmiths, a hydroponics dealer, and a head shop.
Participant E had a long, early morning call with her sister. Two days later, she placed a series of calls to the local Planned Parenthood location. She placed brief additional calls two weeks later, and made a final call a month after.
We were able to corroborate Participant B’s medical condition and Participant C’s firearm ownership using public information sources. Owing to the sensitivity of these matters, we elected to not contact Participants A, D, or E for confirmation.
The dataset that we analyzed in this report spanned hundreds of users over several months. Phone records held by the NSA and telecoms span millions of Americans over multiple years. Reasonable minds can disagree about the policy and legal constraints that should be imposed on those databases. The science, however, is clear: phone metadata is highly sensitive.