MIT Project Reveals What PRISM Knows About You

Wayne Rash

An MIT project shows Wayne Rash just how much information PRISM can get without opening a single email

When I first heard about the National Security Agency’s PRISM operation at a conference in Washington, D.C., it wasn’t clear just how significant it might be. I knew that the government was collecting information from emails, including the names and addresses of the recipients, the originator, the time and date of the message, and perhaps the size of the message. But it wasn’t clear just how much the government could glean from that.

But that was before it became clear exactly how effectively visualisation tools can show the relationships between and among points of data. I found out a few days later just how effective that can be when I was introduced to its use as a cyber-security tool. Now it turns out that the same type of illustration is available from MIT, and it uses your own email to produce the illustration.

PRISM knows who you talk to

As Brian Fung reports in National Journal, this is the information that Google has available from your Gmail account. If the government requests email data from Google, this is what the government gets. The tool, called Immersion, goes through your Gmail and reports to you on what it finds. Then Immersion displays it as a sort of bubble chart showing who you trade email with the most, and perhaps equally important, the relationship between those people.

The cluster of colored bubbles in our illustration is from TechWeekEurope editor Peter Judge, with the names of the people omitted. The size of those bubbles shows how much he has corresponded with those people, effectively showing how important they may be to him.

In the data from my own Gmail account, the largest bubbles are public relations agents, except for the second-largest which is my long-suffering Apple support person. Some of these bubbles also represent news sources, and if you could see them, there are thin lines between some of those bubbles showing that they also know each other.

[My own metadata, shown in the illustration, is from more than seven years' intensive use of Gmail, pretty much to the exclusion of other systems. The red bubbles are family, the green and brown ones are friends, while the blue and orange bubbles are two overlapping groups of work colleagues – Peter Judge, Editor]
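A graph of the kind described above can be rebuilt from message headers alone, without reading a single body. The following is an added example, not Immersion's code and not part of the original article; the addresses and messages are constructed, and treating two contacts who appear on the same message as linked is an assumption about how the connecting lines are derived.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses
from itertools import combinations

# Constructed sample mailbox: headers only, no bodies. All addresses are made up.
ME = "me@example.com"
RAW_HEADERS = [
    "From: me@example.com\nTo: pr@agency.example\n"
    "Date: Mon, 1 Jul 2013 09:00:00 +0000\n\n",
    "From: pr@agency.example\nTo: me@example.com\nCc: source@news.example\n"
    "Date: Mon, 1 Jul 2013 10:30:00 +0000\n\n",
    "From: support@vendor.example\nTo: me@example.com\n"
    "Date: Tue, 2 Jul 2013 08:15:00 +0000\n\n",
    "From: me@example.com\nTo: support@vendor.example\n"
    "Date: Tue, 2 Jul 2013 08:40:00 +0000\n\n",
    "From: source@news.example\nTo: me@example.com, pr@agency.example\n"
    "Date: Wed, 3 Jul 2013 14:00:00 +0000\n\n",
    "From: pr@agency.example\nTo: me@example.com\n"
    "Date: Thu, 4 Jul 2013 11:00:00 +0000\n\n",
]


def contact_graph(raw_messages, owner):
    """Build a contact graph from header metadata only.

    weights: number of messages each contact appears on (the bubble size).
    edges:   number of messages two contacts share (the thin lines
             between bubbles), keyed by a sorted address pair.
    """
    weights, edges = Counter(), Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        fields = (msg.get_all("From", []) + msg.get_all("To", [])
                  + msg.get_all("Cc", []))
        people = {addr.lower() for _, addr in getaddresses(fields) if addr}
        people.discard(owner)  # the mailbox owner is on every message
        weights.update(people)
        edges.update(combinations(sorted(people), 2))
    return weights, edges


if __name__ == "__main__":
    weights, edges = contact_graph(RAW_HEADERS, ME)
    for addr, count in weights.most_common():
        print(f"{addr:28} {count} messages")
    for (a, b), count in edges.items():
        print(f"{a} <-> {b}: together on {count} messages")
```

Anyone holding the same headers for many mailboxes can merge the per-mailbox graphs, which is why years of retained metadata reveal more than any single message does.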

If you click on the link in the word “Immersion” above, you can try this out for yourself. The results will appear in a few seconds, first with preliminary results, and then with more details as the data is analysed further. For people who are not all that active on Gmail (me, for example) the amount that the data shows is sobering. Just imagine if Gmail is your primary means of email as it is for many people.

Now, for the really scary part. When Google handles your email, it gets this information, but it also has been searching for keywords within your email so that it can use it for advertising. What this means is that Google not only knows all the information in your metadata, but also knows what is contained in your email. This could be a very revealing profile indeed. At least the NSA says it doesn’t read the contents of your email. Google does, and it admits that it does. Which is more scary?

But what about companies that use Google for their corporate email? Even if Google doesn’t use that for marketing info, there’s still the metadata that lives for a fairly long time in your Gmail account. As long as it’s in there, it can be mined and analyzed. My Gmail account goes back to 2008, so there are years of communications available. I’ve never been that uncomfortable about having the government or Google know that I get press releases (since they’re meant to be public anyway) or that I communicate with tech support people since my communications there will also probably be public. I also don’t communicate anything important using Gmail for exactly this reason.

The NSA doesn’t really need your permission to get this data because it can pick it up as it passes through certain parts of the Internet. Google can’t do that, so it needs your account. There’s not much you can do about the filtering of Internet data because your address information has to be readable if your email is going to get delivered.

You can assume that if the NSA is looking at your email, the information in Immersion is similar to what they will see. Consider that they probably see all of your email addresses (and not just Gmail) and that the metadata is examined along with the metadata from everyone you’ve corresponded with, and you can see just how much can be inferred from this data alone.

If this sounds as if you’re stuck in some sort of digital hell, it’s not as bad as it could be. First, you don’t need to use Gmail, and that will limit the information Google has about you and your company. You also don’t have to use Google for search, and that will limit it even more. None of this affects what the NSA may find out about you, but at least the government isn’t selling your info for ad revenue.


Originally published on eWeek.