Social networking, cloud computing and mobile connectivity have together fundamentally transformed our world, but they come with a dark side. As we move about our daily lives, we secrete a constant stream of data, a digital electronic cloud of bits and bytes that follows us around indefinitely. Some of this comes from activities over which we have direct control: texting, emailing, surfing, shopping, communicating. But a lot of it comes incidentally, without our awareness, largely as a byproduct, a kind of electronic envelope to each and every digital transaction called "metadata."
Until this week, very few North Americans probably ever heard of metadata. They should get to know it better.
What is metadata? Take my mobile phone. Even when I'm not using it, when it's just sitting in my pocket or on my desk, it emits an electronic pulse every few seconds to the nearest wifi router or cellphone tower that includes a kind of digital biometric tag: the model of the phone, its operating system, the geolocation of the phone (and by extension all of my movements). Meanwhile, metadata of the phone in use could include the number I'm calling, the length and time of the call, the IP addresses of websites I visit, etcetera. All of this metadata doesn't just evaporate, either; it moves through the filters and chokepoints of the Internet, and sits indefinitely, there to be mined, on the servers of the companies that own and operate the infrastructure: the telecommunications and Internet service Providers like AT&T and Verizon in the United States, and Bell, Telus, and Rogers here in Canada.
Which brings us to the National Security Agency flap in the United States – an issue that, not surprisingly, is spilling across the border into Canada. In both countries, reports have emerged suggesting that the U.S. and Canadian signals intelligence agencies, NSA and Communications Security Establishment Canada (CSEC) respectively, are gathering large swathes of metadata in collusion with telecommunications companies.
Although CSEC refuses to say much at all about the matter, U.S. officials justify it on the basis that metadata is not content (and thus not subject to the same safeguards as the latter), allowing President Barack Obama to coyly remark that "no one is listening in on your phonecalls." Probably true, but they're most definitely monitoring your metadata, and voraciously so. The NSA's enormous new $1.2-billion complex in Utah will be able to handle and process five zettabytes of data, which former NSA technical director (and now whistleblower William Binney) estimates to be on the order of 100 years worth of all of the world's communications.
Think metadata is trivial compared to content? Think again. MIT researchers who studied 15 months of anonymized cellphone metadata of 1.5 million people found four "data points" were all they needed to figure out a person's identity 95 per cent of the time. In 2010, German Green Party politician Malte Spitz and Germany's Die Zeit newspaper requested all of the metadata from Mr. Spitz's phone carrier, Deutsch Telekom. The company sent back a CD containing 35,830 lines of code. "Seen individually, the pieces of data are mostly inconsequential and harmless," wrote Die Zeit, "[but] taken together, they provide what investigators call a profile – a clear picture of a person's habits and preferences, and indeed, of his or her life."
Access to metadata, when combined with powerful computers and algorithms, can also allow entire social networks to be mapped in space and time with a degree of precision that is extraordinarily unprecedented, and extraordinarily powerful. Once analyzed, metadata can pinpoint not only who you are, but with whom you meet, with what frequency and duration, and at which locations. And it's now big business for that very reason. A growing complex of top secret data analysis companies orbit the law enforcement, military, and intelligence communities offering Big Data analysis, further driving the need for yet more data.
For both Americans and Canadians, the flap offers a timely opportunity to ask big questions about the appropriate checks and balances of security agencies in a liberal democratic society as we undergo such a profound Big Data revolution. Until this week, very few Canadian citizens had even heard of CSEC – this, in spite of the fact that its enormous budget and wide-sweeping powers. Born in the Cold War, CSEC operates in the shadows. Its new nearly $900-million headquarters (once described as "Taj Mahal" by John MacLennan, the head of the Union of National Defence Employees) doesn't even show up on Google maps, even though it's been under construction for several years and is plainly visible from the parking lot of its sister agency, CSIS (which does show up).
CSEC routinely punts back freedom of information requests with entire sections blacked out. Its pat non-answers on the latest headlines trivialize the scope of what's at stake, and are, frankly, unacceptable given the resources Canadians bestow on the agency to do its job.
To be sure, the world is a nasty place. We do need law enforcement, defence, and national intelligence agencies. But in the world of Big Data, in which we are turning our digital lives inside out, should we be entrusting power and authority to agencies that barely acknowledge their own existence? It's time to open up the black box, lift the lid on cyberspace, and impose accountability on those whom we entrust with access to our intimate digital lives. It's time to watch the watchers.
Ronald Deibert is Professor of Political Science at the University of Toronto, where he is Director of the Canada Centre for Global Security Studies and the Citizen Lab at the Munk School of Global Affairs, and author of Black Code: Inside the Battle for Cyberspace (Signal/McClelland & Stewart, 2013).