13 Comments

Summary:

A recent U.S. court decision involving the Twitter accounts of several WikiLeaks supporters shows that when push comes to shove, users of social networks and most online services have no expectation of privacy — at least, not if the one requesting the information is the U.S. government.

4105726930_c42e8b12b9_z (1)

Online services like Twitter and Facebook spend a lot of time on their privacy policies, and Facebook in particular has spent the past couple of years tweaking its settings, trying to find a balance between convincing users to share information and allowing them to keep some private. But a recent U.S. court decision involving the Twitter accounts of several WikiLeaks supporters shows when push comes to shove, users of social networks and most online services have virtually no expectation of privacy whatsoever — at least, not if the entity trying to get access to their personal information happens to be the U.S. Justice Department.

The case in question involves the Justice Department’s repeated attempts to get personal account data from three WikiLeaks supporters, in order to bolster its espionage case against WikiLeaks founder Julian Assange for the release of diplomatic cables last year that were stolen (allegedly) by Army intelligence agent and whistleblower Bradley Manning. The three who were targeted are Icelandic MP Birgitta Jonsdottir — an early supporter of WikiLeaks who helped produce the “Collateral Murder” video that showed a U.S. military attack on civilians in Iraq — as well as computer-security expert Jacob Appelbaum and Dutch hacker Rop Gonggrijp.

Personal info released without the need for a warrant

The decision released on Thursday was the result of an appeal by the three targets of the Justice Department’s case, after another judge earlier this year upheld the order compelling Twitter to release the information. What’s particularly disturbing about this case is that the government didn’t even have to file for a traditional warrant to get access to the personal data from Jonsdottir and the others — it used a special order called a 2703(d), and its attempt to get that information might never have even come to light if Twitter hadn’t fought the order and won the right to alert Jonsdottir, Appelbaum and Gonggrijp.

In the latest ruling, Virginia judge Liam O’Grady said that the three had effectively given up any expectation of privacy when they signed up for Twitter, regardless of whether they had read the privacy policy or not (which the vast majority of users do not) and despite the fact that — as privacy advocate Chris Soghoian has pointed out — the privacy policy they agreed to when they joined was a different version than the one that is currently in effect. The judge in the latest decision said that:

Petitioners knew or should have known that their IP information was subject to examination by Twitter, so they had a lessened expectation of privacy in that information, particularly in light of their apparent consent to the Twitter terms of service and privacy policy.

Some — including David Gewirtz at ZDNet — have argued that this decision isn’t something regular web users should be concerned about, since the Justice Department is only targeting “collaborators” of WikiLeaks, which is being investigated for espionage, and therefore it’s a special case. But that defence isn’t really all that comforting, at least not to me. As Jonsdottir has pointed out in a piece written for The Guardian as well as an interview, this action blows a pretty wide hole in whatever we thought we knew about our rights to privacy online. And it does so in the interest of pursing a case against WikiLeaks for doing something that media organizations such as the New York Times do routinely, which is a blatant attack on the First Amendment.

You are sharing publicly whether you know it or not

What is the rationale behind this request for information from the U.S. government? We don’t know, and the judge in this case decided that the three targets of the court order didn’t have a right to know either, since he declined to force the Justice Department to reveal the purpose of its request. All we know is that the government wanted personal data about their activity on Twitter — including their IP addresses, any “contact information” related to the account, as well as “records of session times and durations,” and could even include the content of individual messages (including private messages). And it did this despite the fact that none of them have been charged with any kind of criminal offence in the U.S., and neither have WikiLeaks or Julian Assange.

As Soghoian has pointed out, most social networks and web services such as Twitter, Google+ and Facebook — and particularly the latter — are focused on getting their users to share more of their information, because doing this enhances the value of the network (and makes it more valuable to advertisers and marketers). Google  has said that it wants to make its new network part of everything it does, and connect it to everything that its users do on any Google service as a kind of central “identity platform.” Based on the decision in the Twitter case, any and all of that information could theoretically be available to someone, including the government.

That’s a pretty dangerous precedent, as the Electronic Frontier Foundation (which is representing Jonsdottir in the case, along with the American Civil Liberties Union) notes in its response to the Twitter decision, saying it is “gravely worried by the court’s conclusion that records about you that are collected by Internet services like Twitter, Facebook, Skype and Google are fair game for warrantless searches by the government.” And it’s a clear warning to anyone who joins a web service that their actions are effectively public.

Post and thumbnail photos courtesy of Flickr user Alan Cleaver and VoltaireNet

You’re subscribed! If you like, you can update your settings

  1. You’d have to be naïve or obtuse not to see that this is patently bad. Replace “the government” with “the Iranian government” (or your despised government of choice) in the above case and sensible people wouldn’t even discuss it.
    The biggest problem is that the privacy realities of social platforms are totally out-of-whack with both the user experience and perception (or lack thereof). Social sites are designed to feel private and intimate and there is a vested monetary interest in reinforcing this feeling. Simply putting a massive ToS, functionally written in a foreign language, with a perfunctory check-box that the user has to click once isn’t remotely sufficient.

    1. Totally agree, Jack — this is an issue that needs to be dealt with on a higher level. Thanks for the comment.

  2. The Regular Joe Monday, November 14, 2011

    I really don’t think privacy should be such an issue. So many people use the web today that it became irrelivent
    http://theregjoe.blogspot.com/2011/05/take-blue-pill-and-shut-up.html

  3. That’s always been the case with servers hosted in the US.

  4. So what happens when something like my private medical data gets moved to “the cloud”? Since it’s now online, even though I didn’t want it there, or put it there, they could gain access to it for any reason at all….and that kind of data IS something with which you have an expectation of privacy!

  5. A likely is that Social Media (as a whole) is being promoted so much by the people and the government in order to get the world information easily. The world today would totally be in disarray if Facebook was to be hacked today. All the personal data of over 800 mill people surely means a lot !

    Software Development Companies

  6. Actually, medical records are governed by other laws such as HIPAA, where there is an expectation of privacy. I doubt these rules will be changing any time soon.

    http://www.hhs.gov/ocr/privacy/

    1. They don’t have to change. You should have no expectation of privacy now. This in the permitted disclosure clause of HIPPA.
      “Law Enforcement Purposes. Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; “

  7. Does anyone believe that your personal information wasnt being used by Google or other sources?

  8. True, you don’t have any privacy online. Maybe on your own privately hosted domain and website i.e. your own digital property you’ll be entitled to privacy… but on third-party mediums that are thriving on non-private practices, forget about it. In general however, folks tend to vary in their
    interpretation of privacy… I also find it to be a lagging indicator… most people online don’t realize how “non-private” they are until it’s too late.

    http://www.webstarresearch.com/2011/08/05/online-privacy-spectrum/

  9. Have you guys heard the latest news?! FACEBOOK has “stolen” its features from Google Plus!! It’s unbelievable! Here’s a link

    http://www.coldscoop.com/2011/11/16/4-things-facebook-stole-from-google-plus/

  10. Fernando Oyo França Wednesday, November 16, 2011

    RT @blmoura: Ñ interessa + s vc leu os Terms of Privacy, na verdade ñ interessa s existe Terms of Privacy : http://t.co/AxhFImUQ (por @PauloQuerido )

Comments have been disabled for this post