Imagine bringing a date home for dinner. You put the laptop away and mute your phone. You prepare a gourmet home-cooked meal for two, queue up a selection of romantic songs and pick out a movie to watch after dinner. As the evening winds down, your heart races a bit as you go in for a kiss and wonder how your night will end.
Now imagine that someone is monitoring each and every event of your evening. Oh, don't worry, they're not actually watching you or listening in on your conversation. They just know who you emailed or called just before you put your computer away. They know what you bought for dinner and how you prepared it. They know who came over, where he or she came from and how long he or she stayed. They know what time you started the movie and which songs you listened to. They even know what time you turned off the lights — and whether or not the music was still playing when you did.
And they know all of this without ever getting a search warrant.
Unfortunately, this scenario is all too real. Government agencies from the NSA to local law enforcement have taken advantage of weak protections for "metadata" — including records about your phone calls, emails, purchases, location and more — to build huge databases about ordinary Americans. In thousands of cases, this information has been inappropriately accessed, potentially exposing a vast array of information about individuals: their attendance at a gay rights rally or addiction support group, their purchase of a home pregnancy test or a dating service subscription, or their calls to a suicide hotline or a job recruiter.
In response, the ACLU of California today released "Metadata: Piecing Together a Privacy Solution," a new policy paper that offers a way forward. It explains why lawmakers might have originally decided to give metadata less protection than content — and why the reasons for doing so are no longer valid in the modern world. It highlights the sensitive information that metadata can expose and provides evidence of actual abuses that have occurred in past years. Drawing from recent court cases, state laws, and analysis, it provides a simple roadmap for courts and lawmakers looking to enhance protections for metadata and ensure that our right to privacy remains alive and well in the modern era. Among other things, it is clear that we must:
- Protect all sensitive information, whether it is "content" or "metadata"
- Protect sensitive information held by third parties
- Protect sensitive information derived by aggregating and analyzing other data
- Provide law enforcement and other government agencies with clear rules and guidance
- Ensure that any collection or use of metadata is transparent and subject to independent oversight
The distinction between content (which receives stronger protection) and metadata might have made sense decades ago when technology to collect and analyze data was virtually nonexistent. But in the modern world, non-content does not mean non-sensitive. Indeed, the explosion of data mining, targeted advertising and other new technologies is driven by the realization that companies and the government can learn a great deal about an individual simply be recording their actions. We hope this paper will help make sure that all sensitive information receives the protection it deserves.