Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Connect 91% of Numbers With Names In Metadata Probe

Posted by samzenpus on from the looking-at-the-list dept.

Trailrunner7 writes "One of the key tenets of the argument that the National Security Agency and some lawmakers have constructed to justify the agency's collection of phone metadata is that the information it's collecting, such as phone numbers and length of call, can't be tied to the callers' names. However, some quick investigation by some researchers at Stanford University who have been collecting information voluntarily from Android users found that they could correlate numbers to names with very little effort. The Stanford researchers recently started a program called Metaphone that gathers data from volunteers with Android phones. They collect data such as recent phone calls and text messages and social network information. The goal of the project, which is the work of the Stanford Security Lab, is to draw some lines connecting metadata and surveillance. As part of the project, the researchers decided to select a random set of 5,000 numbers from their data and see whether they could connect any of them to subscriber names using just freely available Web tools. The result: They found names for 27 percent of the numbers using just Google, Yelp, Facebook and Google Places. Using some other online tools, they connected 91 of 100 numbers with names."

20 of 84 comments (clear)

  1. No shit by oodaloop · · Score: 3, Informative

    Phone numbers are listed in things like telephone books. NSA (and other intelligence agencies; let's not forget about the rest of them) have been ingesting telephone directories, business cards, public records, FB pages, ad nauseum into massive databases for many years so that a new name/number/address/email etc can be matched to known correlates.

    --
    Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    1. Re:No shit by icebike · · Score: 5, Informative

      Phone numbers are listed in things like telephone books. NSA (and other intelligence agencies; let's not forget about the rest of them) have been ingesting telephone directories, business cards, public records, FB pages, ad nauseum into massive databases for many years so that a new name/number/address/email etc can be matched to known correlates.

      Even metadata consisting only of Cell numbers are available to the NSA because they have access to all the carriers records as well.

      Even a "Burner" phone is traceable in the US.

      There is no such thing as "metadata", and there hasn't been for a long time.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:No shit by hawguy · · Score: 2

      I never heard about that program. How do you know about it? Did you work on that program or something?

      If they haven't been adding public phone book data to their databases then they'd have to be awfully incompetent - that data is commercially available and (relatively) cheap to purchase.

    3. Re:No shit by ShanghaiBill · · Score: 2

      Phone numbers are listed in things like telephone books.

      Of course. Before I read the summary, I never heard anyone claim that numbers cannot be connected to names, and it certainly wasn't a "key tenet" justifying NSA spying. In fact, being able to trace suspicious calls back to an identifiable person is the whole point.

    4. Re:No shit by sumdumass · · Score: 2

      Well, the working claim was that in order to associate a name with the number, that had to get a warrant and ask the provider who owns the number. Of course this ignores things like a crisscross directory that allows you to look up names from numbers and street addresses but i don't think they expected the public to think that far.

      What this research does is shows how they do not need a warrant or special information from the service providers. It shows how availible most this information is and how it is reletively harmless until you posess the information the NSA is collecting while trying to claim it means nothing special.

    5. Re:No shit by Runaway1956 · · Score: 2

      Hmmm. Not exactly in the phone book - but you've got me wondering. Is there, or is there not, a directory somewhere that might enable Average Joe, the campus activist, to look people up? It's pretty sure that the NSA can look you up any time they like. Gotta leave for work in a few minutes, but I'm leaving this tab open as a reminder to see what I can see when I get home . . . .

      OOOOOHHHHHH!!!!!! The very top hit on my first Google search!

      http://www.nationalcellulardirectory.com/

      So there is a directory - I need to explore it when I get home!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  2. Wha'? by 93+Escort+Wagon · · Score: 3, Informative

    One of the key tenets of the argument that the National Security Agency and some lawmakers have constructed to justify the agency's collection of phone metadata is that the information it's collecting, such as phone numbers and length of call, can't be tied to the callers' names.

    I don't believe I've heard anyone, in the government or not, make that claim. What possible good would metadata be to them if they couldn't associate it with an individual?

    What I've mainly heard them say is "you shouldn't care, since we're not listening to the actual call". That's still garbage.

    --
    #DeleteChrome
    1. Re:Wha'? by s.petry · · Score: 5, Interesting

      Then you have not listened to much of the debate. Clapper and others in offices have stated that metadata is completely anonymous and therefor not a risk. They have also said what you note. This is a campaign of denial and deceit trying to cover all possible ground. Additionally, TV media has been pretty silent on the issues so they are trying to keep things quiet and away from the masses.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    2. Re:Wha'? by oodaloop · · Score: 5, Informative

      The idea behind using metadata without names is building a network diagram showing who is in contact with whom. If you have one bad guy talking to another through an intermediary, it's not necessarily important to know the name or names of all the people in between, so much as it is important to know that they are in cahoots, so to speak. That information can then be the starting point for further investigation. With massive graphs of this sort, you can start to look for important nodes, identify roles and TTPs (tactics, techniques, and procedures), and flow of information from number and direction of links. I don't support the unconstitutional searching of Americans' data, but I do understand the methodology of network analysis. (IAA Intelligence Analyst)

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    3. Re:Wha'? by cold+fjord · · Score: 2

      I don't believe I've heard anyone, in the government or not, make that claim. What possible good would metadata be to them if they couldn't associate it with an individual?

      What I've mainly heard them say is "you shouldn't care, since we're not listening to the actual call". That's still garbage.

      They show how it is done and discuss it in the 60 Minutes segment. It is pretty close to the start after a brief discussion with General Alexander. You can read the transcript and watch the video.

      Briefly, they can chain together the calls from someone that they identify as a terrorist and see where it leads. How many calls, where they go.

      If they run into a US number that looks suspicious they can alert the FBI to start an investigation based off from the phone number. It would be up to the FBI to identify who that was.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    4. Re:Wha'? by cold+fjord · · Score: 2

      It is demonstrated in the 60 Minutes segment near the beginning.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    5. Re:Wha'? by s.petry · · Score: 2

      You could look up the Clapper testimony, where he claimed in front of a Congressional hearing that they did not get personal data and if they did it would be expunged/ignored (can't remember the exact verbiage). Google with this string "NSA claims metadata harmless" and you will find plenty.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    6. Re:Wha'? by s.petry · · Score: 2

      To be less of a dick (pardon me) The Clapper testimony stated that they could not see personal data. That statement is exactly the definition of anonymous. Whether they used the term 'anonymous' or not is not relevant to the point. The point was that they claimed they could not see your personal data, and if they accidentally did they would remove it and not use it.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  3. This is my shocked face by redmid17 · · Score: 3, Insightful

    Goon on Stanford for confirming this, but it should have been pretty evident how easily the metadata can be used to identify people for a while now. The fact the NSA said it couldn't be used to do so should lead one to believe the opposite right off the bat.

  4. Re:555-555-5555 by The+Rizz · · Score: 2

    ... and now it's linked to Noël Coward!

  5. Re:This is god. by larry+bagina · · Score: 5, Funny

    Please clarify:

    1. We are bastards. We need to get raped by a horse.

    -or- 2. We are having sex with bastards. The bastards need to get raped by a horse.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  6. Re:Metaphone (disambiguation) by jellomizer · · Score: 2

    Combine that with the Levenshtein distance you can get some good results.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  7. With what accuracy by phorm · · Score: 4, Insightful

    Just because you've connected 123.233.266.41 with "Bob Smith", doesn't mean you've actually connected to the right person. We've already seen cases where RIAA supoena's to ISP's have gotten the addresses of grandmothers who can barely use email much less file-sharing... so how do we know there "connections" are accurate.

    1. Re:With what accuracy by dpidcoe · · Score: 2

      Just because you've connected 123.233.266.41 with "Bob Smith", doesn't mean you've actually connected to the right person. We've already seen cases where RIAA supoena's to ISP's have gotten the addresses of grandmothers who can barely use email much less file-sharing... so how do we know there "connections" are accurate.

      You don't know for sure, but you can get a high degree of probability by cross referencing other things, like connection time, who was contacted, etc. I have a bit of experience in that regard.

      About 10 years ago I used to be part of a server admin community for an FPS game. We published a banlist for confirmed cheaters detected by punkbuster (in its default state it was crap, properly tuned by someone who knows what they're doing it was quite good at catching cheaters) and let people run our banlists and punkbuster configurations in exchange from streaming their server logs to us. We built a database of what basically amounted to phone metadata (player names, unique IDs, what servers they connected to from what IPs and when, and a record of any kicks and/or bans associated with any unique ID). Someone made a search tool for it that grew organically until we could cross reference just about anything. We started using it to background check people who applied for access to the private section of our forum where we developed punkbuster configurations in response to the cheaters updating their various aimbots to avoid our detection scripts in an endless arms race.

      The standard method for finding someones alternate accounts was to dump a list of every single IP address they'd connected from (usually somewhat large), then dump a list of every account that had ever connected from those IP addresses at any point in time (usually about the same size as the name table, due to not all IPs being re-used by gamers who happened to play that particular game). At that point it was an extremely circumstantial and tenuous connection between the names at best, and we'd leave it at that if nothing looked suspicious (if none of those names were banned, all of them could be the guys alts for all we cared). However, if one of the accounts had once been banned, we would start looking deeper into it.

      The usual way to make a solid link between the two was to check what IP addresses they connected to during what times. If the accounts connected from the same IP in an interlinked fashion (e.g. account1 connects, then account2 connects, then account1 connects again over a period of a few days), we could safely assume they were at least in the same building (or college campus or whatever). We figured that it would be incredibly bad luck for DHCP to cycle like that between two people who played the same game with one of them happening to be a cheater. From there, we'd check what servers they visited regularly, and what times they had a habit of being active at. If account1 visits servers A, B, and C on a regular basis, and then account2 also visits A, B, and C on the same basis, we would be pretty sure of it being the same person.

      It wasn't enough that we would ban people over it, but it was enough for us to deny access based on the fact that their computer probably wasn't physically secure from whoever was cheating. We didn't want to have a situation where someones family member was a cheater and started using their brothers credentials to relay our private checks to the hacker sites before they were released or something like that.

  8. In related news ... by Cassini2 · · Score: 4, Insightful

    the NSA automatically identifies telemarketers, and does nothing.