Prism, Communications Metadata and Traffic Analysis

From the glimpses I’ve seen of it over the last few days, the news appears to have been dominated with talk about a US government surveillance operation referred to as “Prism”. I don’t really have much idea what Prism is, or does, nor do I suspect do most of the folk who’ve been wittering on about it. It partly reminded me of Glimmerglass, but there again, I don’t really know what that tech does…; it also made me ponder the extent to which, if there are surveillance taps built in to various systems, they can be co-opted and subverted. As a code word, however, Prism sounds like it could be suitably sinister, although perhaps not quite at the level of “SPECTRE” or “Quantum”, so it’s a great opportunity for the press to play at spooks.

One thing I have noticed is that the reporting has also started referring to the notion of metadata. For example, the Guardian/Observer mention it thus (Boundless Informant: the NSA’s secret tool to track global surveillance data):

The focus of the internal NSA tool is on counting and categorizing the records of communications, known as metadata, rather than the content of an email or instant message.

In the case of email, this could include sender and recipient information, as well as the message timestamp, and maybe data about the size of the email, whether there were any attachments, and so on. For web transactions, the time you viewed a page and the address of that page would count as metadata about that transaction.

One thing I haven’t seen mention of is the signals intelligence (SIGINT) technique known as traffic analysis. In an article on The Origination and Evolution of Radio Traffic Analysis: World War II, a definition of “traffic analysis” from another report is presented as follows:

Traffic analysis comprises the study of enemy communications for the purpose of gathering information of military value without recourse to cryptanalysis of the text of intercepted messages. From such studies a certain amount of special intelligence of a tactical and strategical nature with regard to the enemy order of battle. direction of movements, massing of troops, probable intention, withdrawals. etc., can be derived. In addition … a large amount of technical intelligence valuable to the intercept and cryptanalytic functions of the Signal Security Service is obtained. In general, the technical information obtained from such studies, when applied to global intercept and cryptanalytic problems, must be derived from a global analysis of traffic. For the proper functioning of units collecting data upon which such studies will be based, their administrative control also must parallel the administrative direction of global intercept and cryptanalytic functions.

The local commander can obtain considerable benefit from the results of traffic analysis as regards special tactical and strategical intelligence derived therefrom, because such special intelligence is based primarily upon enemy communications in close proximity to his sphere of activity …

While it is not so far reaching in consequence as that which might be obtained from a successful cryptanalytic study of a high grade enemy cryptographic system, the results may sometimes be available instantaneously, and are subject only to proper interpretation on the part ofthe local staffand prompt coordination ofthe pertinent data bythe central agency.

The focus of traffic analysis is, therefore, an analysis of the metadata associated with a set of communications, rather than an analysis of the actual content of those communications. Traffic analysis (and social network analysis) is one of the reasons why it be useful in intelligence terms to collect metadata around communications.

For some worked examples around traffic analysis, see for example:

And so on…

PS see also this glimpse of a social network as built by the NSA (also this review of it. How does all this play out in the context of mosaic theory, eg as framed in the sense of states acting against their own citizens and building up incriminating (and possibly hallucinated) pictures of them?


  1. Alan Paull

    I suspect much of the intelligence in relation to traffic analysis by governments and large corporations is in the intelligence assessments around it. For example, WW2 traffic analysis could be used to determine large scale troop deployments in and between theatres (typically at the Division and above scale). However, against a sophisticated foe this type of intelligence would be subject to misinterpretations as a result of misdirection, simple misunderstanding of the methods of fighting of the enemy, or failure to corroborate with other types of intelligence. Typically, military organisations in the past have assumed that the enemy operates much like the good guys, when in fact things can be radically and fatally different.

    In the political and social spheres this boils down to the age-old problem in the military at least of focusing on those pieces of intelligence that reinforce what you already ‘know’ and ignoring or down-playing those that don’t. I await examples of this with scarcely controlled glee.

    The problem lies with the ‘analysis’ not the ‘traffic’.


    • Tony Hirst

      @alan Agreed – though I guess the point of this post was really just to place a marker about how comms metadata can tell you something about the structure of the comms system even if you don’t have access to the content of the messages passed through the system. The structure of that system may then be revealing of the roles of actors in the system, their location (in logical and social structural terms, as well as possibly geographical terms, and so on).