Paper short abstract:

Pursuing ‘total information awareness,’ state security agencies have given meta-data a prominent and problematic role. Drawing on Snowden documents, we find that the de facto blurring between meta-data and content calls into question the innocence of meta-data as a form of sociotechnical governance.

Paper long abstract:

This paper considers government surveillance as a site of science and technology by other means. Pursuing the allure of 'total information awareness,' state security agencies within the so-called Five Eyes countries have turned to 'big data' techniques. As one consequence, meta-data is given a newly prominent and problematic role. Meta-data's advantages over more conventional reliance on message 'content' requiring human analysis, particularly its amenability to automated algorithmic analysis, lower legal barriers to its exploitation.

Drawing primarily on the 500+ published documents released by Edward Snowden, this paper examines the various interpretations that Five Eyes agencies give to meta-data, focusing on the socio-material aspects of communication interception, algorithmic analysis and decision-making. We show that meta-data includes far more than merely the 'outside of the envelope' information often claimed in media reporting. When considered en masse, meta-data can be at least as revealing of sensitive personal attributes as the content of communications. Under conditions of claimed security threat and institutional over-reach, such detailed analysis fuels dangerous illusions of reliable knowledge of an individuals' beliefs, affiliations and intentions, as reflected in US security agency chiefs proudly claiming in 2014, "we kill people based on metadata."

This blurring of meta-data and content data also undermines the traditional legal distinction between them upon which privacy norms are based. A significant governance implication is that in the context of massive meta-data analysis, this distinction is anachronistic, and that meta-data derived from personal communication activities should be granted the same data protection rights accorded to 'personal information.'