Data Privacy is the biggest oxymoron in Computer Security.  Well, maybe second biggest after the name of the industry itself.  If it exists at all, it’s ephemeral.  My point is the expectation should not exist.  At most, even with encryption, it exists at a point in time only.  That the NSA program to track American citizen phone records became public today via a leak to the Guardian only proves the point even more.

What should your expectation be towards data privacy?  Basically what I just said.  Limited.  But that’s the practical position.  Americans further have an expectation of certain rights to privacy from the government.  This isn’t one of them.  Let me explain why what the government is telling us in terms of our need for protection easily trumps our right to privacy in this case.

To summarize what the NSA has been doing; they track what they accurately refer to as ‘meta data’ from phone calls.  By the way, if you’re familiar with the term Web 2.0 as it applies to social networking or current programming techniques, the next trend is Web 3.0 and is all about meta data and the semantic web.  In this case, the NSA is not listening to our phone conversations.  They are tracking calls made from or to specific phone numbers.  Data mining these connections provides patterns that suggest terrorism, and if warranted the NSA seeks court approval to then gather more personal information on the call.

Is the number called from your number private information?  I should add, the NSA doesn’t yet know the number is yours’.  They are simply tracking the numbers anonymously.  Of course, with a couple of clicks, any lay person can perform a reverse phone lookup.  Apparently this isn’t illegal when your neighbor does it.  I equate our phone calls with driving a car from point A to point B.  We can’t do that privately.  Roads are a fairly public space.  The Police however cannot stop you and search your vehicle without following reasonable search and seizure guidelines as part of our personal rights to freedom.  Authorities need probable cause.  Our telephony infrastructure, especially since most analog voice has migrated to data lines if not the actual Internet, is a public utility.  This is debatable, but I believe access to the traffic, or meta data of the phone traffic, should not be considered private.  Anyone who remembers party lines or operator switchboards should agree.

Why is this useful?  Why is the government right?  Consider a commercial application.  First, let me reiterate as I have throughout my blog and on my About page that I do not speak for or in any way represent the views of my employer IBM.  I’ll make note though that I have been in computer security for a very long time.  A popular computer security service is to monitor network traffic for signatures that suggest hacking efforts.  It’s called intrusion detection and prevention.  One particular problem with this technique is that smart hacking is encrypted so it’s difficult to monitor.  The next step then is to do exactly what the NSA is doing with phone records.  Track the end points.  The source and destination IP addresses.  Then correlate (data mine) the IP addresses with published lists of known bad guys – generally botnet command-and-control web sites.  The data is still encrypted but now some inference can be applied to determine if this is bad traffic and steps can be taken to block it.

My ISP Comcast does this for its customers.  They send customers an email stating they have noticed computers from their home talking to known botnets.  They then suggest to their customer that they should take action to eradicate any infection of malware from their computers.  In the case of Comcast, this email is actually quite useless as it doesn’t provide you with the IP address of the botnet command-and-control nor does it provide you with the IP address of the computer in your house.  The average person using Comcast for their ISP likely has a half dozen computers and mobile devices accessing the Internet.  I’ve called them only to learn that this email is really just a marketing ploy to sign you up to their Xfinity Signature Support.

Back to point, this is a good technique to root out illegal activity based on meta data.  Only after positive identification of possible wrong-doing are more personally identifiable records obtained.  I’m not a lawyer but suspect this meets probable cause.  This is my perspective and admit I could be wrong legally.  But I support this action by the NSA.