Your comms metadata is super-revealing but the law doesn't protect it

America's legal world needs to rethink what it considers people's private information so it can get a grip on today's spying techniques.

Stemming from 1970s telephone laws, communications metadata – which details who you talk to, when and where etc – is considered by the courts to be separate from the actual contents of your communications. Fewer legal hoops need to be jumped through to obtain citizens' metadata: it's considered basic information.

Yet, on today's internet, those metadata records reveal plenty of personal information – potentially more useful information than the actual calls and chats they describe.

As such, the line between metadata and private communications is completely blurred by today's technology. US laws fail to recognize this, granting the cops and Feds easy access to sensitive metadata and allowing them run roughshod over Americans' privacy.

As a group of top researchers argue in a new draft paper [PDF], the distinction between private content (which has some degree of privacy safeguards) and metadata describing that content needs to be redefined:

Our final conclusion is simple. The Internet is far more complex than the phone network was in 1979. Electronic surveillance laws and policies must accommodate this complexity.

In the paper, the authors point out that concepts such as non-content distinctions (what exactly is metadata, for example) were designed for pre-internet mediums such as phone calls, and cannot translate to internet services.

Where the laws had been intended to separate the dialing of a phone number (not protected) from the conversation itself (protected), the large amount of detail that can be gathered from metadata fogs those once-clear distinctions:

The concept of metadata as a category of information that is entirely distinguishable from communications content and thus deserving of lower privacy protection is no longer tenable.

The paper's authors also note that the concept of "third-party doctrine" as it stands makes little sense on the internet. When you share information about yourself to a third party, it is no longer considered protected: you gave it away. Today's online services run through so many third parties without a user's explicit consent, there's almost always a third party involved, thus weakening one's privacy protections.

Co-author Matt Blaze told The Register that fixing the problem wouldn't be as simple passing one law or setting a single precedent in court.

"We don't think there's an single fix, and it probably needs to be addressed at every level from individual cases to comprehensive 'clean slate' legislation," Blaze said.

"What is clear is that rules so deeply rooted in the technology of the 20th century phone system are going to yield increasingly unsatisfying results and become less and less useful going forward."

The paper, It's Too Complicated: the Technological Implications of IP-based Communications on Content/Non-content Distinctions and the Third Party Doctrine, was written by Steven Bellovin (professor of computer science, Columbia University), Matt Blaze (associate professor of computer information science, University of Pennsylvania), Susan Landau (professor of cybersecurity policy, Worcester Polytechnic Institute), and Stephanie K Pell (assistant professor and cyber ethics fellow at West Point's Army Cyber Institute). It is set to be published in the Fall 2016 edition of the Harvard Journal of Law and Technology once finalized. ®