One of the most interesting things about the data on phone calls being provided to the NSA by Verizon on its business customers, as revealed by the Guardian last night, is what it doesn’t include.
An order from the Foreign Intelligence Surveillance (FISA) court obtained by the Guardian says that Verizon must provide all “telephony metadata.” That’s defined as including but not being limited to the time, duration, origin, and terminus of every call, and the unique identifiers of the handsets and subscriber accounts involved. The order doesn’t spell it out, but “telephony metadata” can also include the location of a phone when it makes a call. The content of calls and the names and addresses the people involved are explicitly said not to be shared.
What exactly the NSA can achieve with all that information depends more on what other sources it can access than on what Verizon is providing. If the NSA has the phone number of a person of interest, it could use Verizon’s dataset to call up when and where they have been active on their phone and who they called. However, although vast, the data store can’t alone empower a kind of universal search engine able to call up the movements and lives of any person by name. However, phone network data could be a building block of that if the NSA has the right other sources to match up and correlate with what Verizon or other phone companies provide.
There’s little doubt that the NSA has plenty of other data sources, but what exactly they are is unknown. One question raised by last night’s news is which other companies are subject to similar orders from the FISA court. The NSA is known to have received similar data to that it gets from Verizon from other phone companies in the past, and today Senate Intelligence committee chair Dianne Feinstein said that type of data gathering was an ongoing practice. Google has been subject to FISA orders, the Washington Post said last month, in a report saying that although the details of the orders are not public, they have been accessed by Chinese hackers. There would certainly be technical challenges, but if NSA has used FISA to mandate access to data from online and financial services it could use them and data like that from Verizon to follow along with almost every aspect of a person’s life electronically. (The NSA is currently building two giant data centers, in Maryland and Utah, to bost its data storage and analysis powers.) The NSA is also known to be interested in having software automatically flag people for investigation based on suspicious patterns in data that reveals communication and association patterns.
The way that correlating different data sources can magnify their power has long concerned privacy and civil rights activists, because it makes it much harder to assess the risks any one particular data source could pose in the wrong hands. Recent moves by Facebook to extract more from what it knows about its users neatly illustrate how the practice can significantly change what can be learned about people. The social network uses obfuscated versions of its members’ phone numbers and e-mail addresses to connect its data with information that data-broker Datalogix gathers from loyalty card schemes, with the result that it is now possible for companies to connect a person’s activity on Facebook, and the ads they see, with what they buy in physical stores (see “Facebook Starts Sharing What it Knows About You”).