Twitter, Wikileaks and the Broken Market for Consumer Privacy

Updated 2:30 pm near bottom of post, to clarify recipient of a letter from Yahoo’s lawyers.

The tech world is abuzz with a remarkable display of backbone by Twitter in the Wikileaks case. It deserves wider notice.

Federal prosecutors want to indict Julian Assange for making public a great many classified documents. In December the feds obtained a secret order instructing Twitter to hand over private account contents for Assange and four Wikileaks associates, including network addresses, connection logs, credit card information and identities of everyone they talked to. The order forbade Twitter to notify those affected, among them Birgitta Jónsdóttir, a member of Iceland’s parliament.

Twitter stalled, fighting and winning a motion to lift the gag order, which is how we know about the case. (If the judge had believed government claims that lifting the gag would blow the investigation, she could equally have rejected Twitter’s motion.) Having obtained permission, Twitter notified its users and promised to hand over nothing if they filed a motion to quash within ten days. That is simply the gold standard of customer protection, enabling courts to balance the legitimate needs of prosecutors with the civil liberties of their targets. It almost never happens.

The Obama administration, like those before it, promotes a disturbingly narrow interpretation of the Fourth Amendment, misapplying the facts of old analog cases to a radically different digital world. I do not deny that there is a line of judicial precedents allowing government agents to search our emails, copy our hard drives and plant GPS trackers on our cars without anything close to probable cause. But there are also contrary cases, and the steady march toward a surveillance state would be unrecognizable to the Founders. Computer files and the contents of smartphones are indisputably the present-day equivalents of constitutionally protected “houses, papers, and effects.” Surveillance-happy authorities define the problem away. The search-and-seizure provisions of the Fourth Amendment, they say, are irrelevant because you and I have no “reasonable expectation of privacy” in digital records that tell vastly more about us than our parents’ file drawers. This is not primarily a legal argument. It’s an assertion of fact about what we think, and about the nature of our society. It says that, because we have entrusted our private data to Google or Sprint or Skype — without which transactions we cannot function in today’s economy or society — we are affirming that we do not actually regard our secrets as private. Another version, equally circular, is that we know that high-tech surveillance tools exist, and therefore don’t expect privacy for anything those tools can reach. (In case you haven’t heard, thermal imagery can take pretty good pictures through your bedroom wall from the street.) Raise your hands, all you government lawyers, if you purport to believe your emails and personal files are not private. I’ll be happy to link to them in my next column.

Companies that receive government information demands have to obey the law, but they often have room for maneuver. They scarcely ever use it. Digital security guru Christopher Soghoian, in a first-rate piece of reporting and analysis awaiting publication in the Minnesota Journal of Law, Science and Technology, describes the available legal and technical tools in rich detail. In general, the companies could keep fewer records that could be subpoenaed, insist that data requests be narrowly tailored to the asserted purpose and ask courts to lift restrictions on customer notice.

It is beyond reasonable doubt that authorities asked other companies to supply the same kinds of information sought from Twitter, but none of them admit it. Soghoian notes that standard procedure in this kind of forensic work is to assemble data from many sources to “draw the graph” of Wikileaks and its leadership — who communicates with whom, and when, and who initiates the contact — even if the contents of the conversations are encrypted. Twitter lived up handsomely to a policy of providing no private information without a binding order, and of notifying users unless legally barred from doing so. The other companies, with a few partial exceptions, will not say what their policies are. I sent carefully framed questions to Verizon Wireless, Sprint, AT&T, T-Mobile, Comcast, Time Warner Cable, Google, Yahoo, Microsoft, Facebook, MySpace and Skype. None replied to most of them. Partial answers, when I got them, were mostly homilies about how seriously they take privacy and how carefully they review each request.

Details are below, but here’s the bottom line. As Paul Ohm, a former computer crime prosecutor, put it to me, there is a “classic tacit collusion problem” by companies that do not want to compete on privacy and agree among themselves that “the less you know the better.” Yahoo actually said as much when Soghoian filed a freedom of information request for some of its surveillance practices. Yahoo’s lawyers asked the U.S. government to deny the request, saying disclosure would “shock [our] customers” and damage the company’s “reputation for protection of user privacy and security, which is a competitive disadvantage for technology companies.”

If only. We know what’s in our Cheerios and in our retirement accounts because the law requires disclosure. The market for privacy is broken. Suppliers don’t let us comparison-shop and Congress is not disposed to oblige them. Attention state legislators: does anyone care?

Here’s the fine print:

I asked the companies how many times in 2010 they were served with government demands for non-public information about their customers, and whether they (1) try to narrow those demands; (2) insist on compulsory legal orders before complying; (3) ask courts to allow them to notify their customers; (4) tell customers who inquire, if legally permitted, whether their private data has been obtained by authorities; (5) follow stronger or weaker interpretations of their customers’ rights in areas of disputed law, such as the pro-privacy holdings in the Sixth Circuit and Ninth Circuit that do not bind other jurisdictions. I further asked them, if they declined to answer these questions, why they believed their customers did not deserve to know.

—–

Here is what I got back (any italics are mine):

  • Verizon Wireless, AT&T, Time Warner Cable, Google and MySpace simply ignored the questions. No response at all.
  • Microsoft said “we take our responsibility to protect our customers’ privacy very seriously, so have specific processes that we use when responding to law enforcement requests.” No hint on what those processes might be. As for the rest: “We appreciate your questions and, unfortunately, this statement is the extent of what Microsoft can provide at this time.”
  • Skype “does not comment on law enforcement matters” but “cooperates with law enforcement agencies where legally required… Though we’d like to help you with your story, I’m afraid we’re going to have to decline offering any further details.” Skype’s privacy policy is said to be “very transparent,” although it answers exactly none of my questions. The closest it comes is to say Skype “may” disclose your personal information “to respond to legal requirements, to protect Skype’s interests, to enforce our policies or to protect anyone’s rights, property, or safety.” That is the kind of language that lawyers write to justify almost any conceivable disclosure.
  • T-Mobile “complies with all relevant federal and state laws, including privacy laws. We take our customers’ privacy very seriously, and carefully control the circumstances under which we disclose customer information to any governmental or non-governmental entity.” How so? T-Mobile leaves itself even more wiggle room than Skype does. It hands over your private information “when compelled or permitted” by law, “and this includes, but is not limited to, circumstances under which there is a declaration from law enforcement of an exigent circumstance, as well as other valid legal process, such as subpoenas, search warrants, and court orders.”
  • Yahoo “responds to valid law enforcement demands.” Its lawyers “carefully review all incoming legal demands,” and “take very seriously our dual responsibilities to abide by US law and to protect our users’ privacy.” The company “is committed to protecting user data.” The privacy policy says disclosures come in response to “subpoenas, court orders,” or unspecified “legal process,” or “to establish or exercise our legal rights or defend against legal claims,” or when “we believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Yahoo!’s terms of use, or as otherwise required by law.”
  • Sprint manages to be the most responsive and the least reassuring. It gets “thousands of record requests a year” from authorities — other published hints have suggested tens of thousands — and requires a “valid legal request,” which is not the same thing as a compulsory request. “We act as good stewards of our customers’ personal information while also meeting our obligations to law enforcement agencies.” Sprint “usually” requires a subpoena or court order but in other cases “Sprint can provide information without requiring this supporting documentation.” Sprint notifies its customers only when “ordered by a judge to do so,” which in practice is almost never, rather than as legally permitted, which would be often, because “we do not seek to interfere with the progress of law enforcement investigations.” Then comes the boilerplate that “we are ardent about addressing privacy in our products and services and then clearly communicating those policies and practices to our customers.” On the whole, this answer is not terribly specific, but the company’s priorities are pretty clear. It values cooperation with authorities more than the privacy of its customers, and notifies them only when compelled to do so.
  • Comcast makes “every reasonable effort to protect subscriber privacy,” and the rest of the answers amount to “maybe.” Disclosures of personal information “may be made with or without the subscriber’s consent, and with or without notice, in compliance with the terms of valid legal process such as a subpoena, court order, or search warrant.” It gives the greatest protection to customers’ television viewing habits because the Cable Act requires notice and an opportunity for customers to contest release of their personal information. For internet customers, “we are usually prohibited from notifying the subscriber of any disclosure of personally identifiable information to a government entity by the terms of the subpoena, court order, or search warrant.” There is no mention of contesting gag orders, or of notifying customers when permitted to do so.
  • Facebook: “We have no comment at this time” on Wikileaks. On the policy questions, “Will get back to you.” I’m still waiting.