June 13, 2014
As a Stanford engineering student and lawyer, Jonathan Mayer discredits NSA claims
Jonathan Mayer's educational path is unusual: He has earned a Stanford law degree while working on his PhD in computer science. He did research with a fellow doctoral candidate to discredit NSA claims that sensitive information about American citizens cannot be gleaned from the "metadata" the spy agency gathers from millions of phone calls.
By Glen Martin
Stanford Law graduate Jonathan Mayer, who is completing his PhD in computer science, teaches a seminar that explores the legal ramifications of security and privacy in the technology sector. (Photo: Norbert von der Groeben)
Law and computer science both have their codes, but they're disparate. Legal code is often fuzzy and qualitative. Computer code is precise and quantitative. Not surprisingly, law and computer science tend to attract different people. It's not that the twain shall never meet; it's just that they seldom do.
Jonathan Mayer is the exception. He has received his law degree and is completing his PhD in computer science, both at Stanford. Along the way he has aimed his double-barreled expertise at the National Security Agency's practice of collecting various forms of electronic information, including telephone metadata of Americans: the phone number of every caller and recipient, the unique serial number of the phones involved, the time and duration of each phone call.
Working with fellow Stanford computer science doctoral candidate Patrick Mutchler, Mayer proved that the NSA was wrong when it claimed that its analysts could not tease detailed personal information from phone metadata searches.
"Phone numbers, as it turns out, aren't just phone numbers," Mayer said. "They're an avenue for finding out detailed information about individual citizens."
Aleecia McDonald, the director of privacy for the Center for Internet and Society at Stanford Law School, said Mayer's research irrefutably demonstrated that phone metadata is anything but trivial.
"The lovely thing about Jonathan's research is that it made the sensitivity of phone metadata concrete," McDonald said. "The country was told that phone metadata were not worth constitutional protection, and now Jonathan's research confirms otherwise."
McDonald said Mayer's research confirmed the sense of unease felt by many Americans, which could have ramifications beyond the current metadata debate.
"Mobile phones are basically tracking devices, but in addition to geographic data, Jonathan showed you can obtain rich information on daily lives and associations," she said. "This speaks directly to strongly protected privacy issues. No one is calling for stopping all surveillance, but these new dragnet programs essentially treat everyone as criminals and terrorists all the time. People are wondering if they can trust government on anything, and that's dangerous."
Mayer's ability to have significant public impact while still a young academic stems directly from his unusual combination of legal and computer acumen, according to John C. Mitchell, the Mary and Gordon Crary Family Professor in the School of Engineering and Stanford vice provost for online learning. Mitchell, who is Mayer's adviser, is a professor of computer science and, by courtesy, of electrical engineering.
"That ability to apply high technology to legal issues, to understand both fields so deeply – well, not many people have those skill sets," said Mitchell. "In fact, he seems one of a kind. We're lucky to have him working on these issues. I don't know anyone else who could do it."
Go 'geekward,' young man
Mayer traces his interest in computer science – his "geekward leanings," as he puts it – to his childhood in Chicago, where he logged a lot of time on his family's Apple IIGS computer. Once, when he received an elementary school writing assignment, he developed a web page instead. This was in the early stages of the World Wide Web, and his accomplishment engendered both respect and confusion.
As his facility with computers grew, he became increasingly interested in security issues. This was sometimes expressed in unorthodox – even mischievous – fashion. He couldn't help but hack.
One holiday, he recalled, he received a Radio Shack watch that had a TV remote control feature. After fiddling a bit, he discovered that by setting the frequency for a Sony TV, pointing his device at the infrared port on certain Apple computers and hitting channel change, he could force the computer to reboot.
"My school used those kinds of computers, so I spent quite a bit of time pushing channel change when kids were on the computers at school," Mayer said. "They were mystified. I have to admit it was fun, but it also got me thinking about computer vulnerabilities."
Computer science quickly became a focus for Mayer during his undergraduate studies at Princeton. But he also developed interests in public policy and politics – subjects that had previously struck him as dreary.
"They just seemed somewhat vapid and tedious," Mayer said. "But my roommates were intensely interested in policy and politics, and they gradually won me over. I saw that both are viable paths for implementing change, for getting real things done."
His faculty adviser, Princeton computer science and public affairs Professor Ed Felten, reinforced that. Mayer's senior thesis reflected the merging of his interests: It was about web privacy – balancing computer science research with law and policy issues.
Taking dual paths
After graduating from Princeton in 2009 with a degree in public policy, Mayer came directly to Stanford with the intention of becoming, as he tells it, the first student to simultaneously pursue a JD in law and a PhD in computer science (CS).
"I wasn't going to do law and policy lite or CS-lite," Mayer told the Stanford Daily in February. "I was going full in on both."
Among his successes on the legal front: He was recently asked to teach a class at Stanford Law. The seminar explores the legal ramifications of security and privacy in the technology sector, emphasizing "areas of law that are frequently invoked, hotly contested or ripe for reform," according to the course overview.
He finds his new instructor role rewarding: "I get a kick out of the fact that I'm an engineer teaching law at Stanford."
His legal accomplishments notwithstanding, Mayer's computer science efforts – particularly his metadata research – have made more of a public splash. And as so often happens at Stanford, it all started with a conversation among peers.
"Patrick [Mutchler] and I were talking with our adviser [Mitchell] shortly after the Edward Snowden revelations," Mayer recalled. "We were really intrigued by the NSA's programs, especially all the claims and counterclaims about phone metadata. There was a lot of conjecture at that point but very little scientific clarity. So we thought we'd try to bring some focus to bear."
But Mayer and Mutchler found it difficult to acquire the metadata. While the NSA could harvest it directly from telecommunications companies, the Stanford doctoral students had to solicit phone records from the public.
"We realized we might be able to get metadata voluntarily through crowdsourcing," Mayer said. "So we posted an explanation on a Stanford website and provided an Android app that allowed people to send us their data. Crowdsourcing is a pretty risky basis for research, of course, because you never know what you're going to get. We would've been very happy with 100 responses – instead, we got about 500, and we were off to the races."
Metadata was revealing
Again, this innovative tactic took root in the confluence of legal and computing expertise.
"Building and distributing the app was within the capabilities of many computer experts, but its application was very clever," Mitchell said. "The rationale was: 'We would like to see what the NSA sees, but we don't want to behave like the NSA. So how do we do that?' Seeking volunteers willing to provide their phone data and devising and distributing the app was an extremely creative, sophisticated – and effective – approach."
In the course of their analysis, Mayer and Mutchler derived many revealing inferences from the metadata that show who called whom, when, from where to where and how often. For example, they could determine where the subjects lived and worked, and could see some intimation of relationships between the volunteers.
In some cases, the researchers were able to identify who was dating whom. One volunteer contacted a pharmaceutical hotline for multiple sclerosis patients, a management service for rare medical conditions, a specialty pharmacy and several neurology medical groups. Another called several locksmiths, a hydroponics dealer, a head shop and a home improvement store.
Those findings, Mayer drily observed, debunked the NSA's original assertions that phone metadata were impenetrable.
"It gave us pause," he said. "It was pretty clear that we could tease out more sensitive information with some elbow grease."
The findings have caused headaches for the NSA, and Mayer sees waning support for the agency's aggressive pursuit of private information. A number of high-profile cases on metadata are either pending or wending their way through the courts, and the entire program is up for renewal, or cancellation, in 2015. In May, the U.S. House of Representatives passed legislation to halt the National Security Agency's wholesale collection of domestic phone records. Sen. Dianne Feinstein, the chairwoman of the U.S. Senate's intelligence committee, signaled she is amenable to supporting a companion bill.
Mayer, who has received his JD and recently passed the California Bar Exam, expects to complete his computer science PhD in 2015. And after that?
"I would like to go to Washington, to try to bring technical rigor to federal policy," Mayer said, "though I'm aware there's always the danger of sinking into the political morass in that town. I'm working on a start-up NGO that I hope can bridge D.C. and Silicon Valley. In the interim, I just enjoy teaching at the law school."
Glen Martin is a former San Francisco Chronicle reporter based in Santa Rosa, Calif.