Twitter, Wikileaks and the Broken Market for Consumer Privacy

Updated 2:30 pm near bottom of post, to clarify recipient of a letter from Yahoo’s lawyers.

The tech world is abuzz with a remarkable display of backbone by Twitter in the Wikileaks case. It deserves wider notice.

Federal prosecutors want to indict Julian Assange for making public a great many classified documents. In December the feds obtained a secret order instructing Twitter to hand over private account contents for Assange and four Wikileaks associates, including network addresses, connection logs, credit card information and identities of everyone they talked to. The order forbade Twitter to notify those affected, among them Birgitta Jónsdóttir, a member of Iceland’s parliament.

Twitter stalled, fighting and winning a motion to lift the gag order, which is how we know about the case. (If the judge had believed government claims that lifting the gag would blow the investigation, she could equally have rejected Twitter’s motion.) Having obtained permission, Twitter notified its users and promised to hand over nothing if they filed a motion to quash within ten days. That is simply the gold standard of customer protection, enabling courts to balance the legitimate needs of prosecutors with the civil liberties of their targets. It almost never happens.

The Obama administration, like those before it, promotes a disturbingly narrow interpretation of the Fourth Amendment, misapplying the facts of old analog cases to a radically different digital world. I do not deny that there is a line of judicial precedents allowing government agents to search our emails, copy our hard drives and plant GPS trackers on our cars without anything close to probable cause. But there are also contrary cases, and the steady march toward a surveillance state would be unrecognizable to the Founders. Computer files and the contents of smartphones are indisputably the present-day equivalents of constitutionally protected “houses, papers, and effects.” Surveillance-happy authorities define the problem away. The search-and-seizure provisions of the Fourth Amendment, they say, are irrelevant because you and I have no “reasonable expectation of privacy” in digital records that tell vastly more about us than our parents’ file drawers. This is not primarily a legal argument. It’s an assertion of fact about what we think, and about the nature of our society. It says that, because we have entrusted our private data to Google or Sprint or Skype — without which transactions we cannot function in today’s economy or society — we are affirming that we do not actually regard our secrets as private. Another version, equally circular, is that we know that high-tech surveillance tools exist, and therefore don’t expect privacy for anything those tools can reach. (In case you haven’t heard, thermal imagery can take pretty good pictures through your bedroom wall from the street.) Raise your hands, all you government lawyers, if you purport to believe your emails and personal files are not private. I’ll be happy to link to them in my next column.

Companies that receive government information demands have to obey the law, but they often have room for maneuver. They scarcely ever use it. Digital security guru Christopher Soghoian, in a first-rate piece of reporting and analysis awaiting publication in the Minnesota Journal of Law, Science and Technology, describes the available legal and technical tools in rich detail. In general, the companies could keep fewer records that could be subpoenaed, insist that data requests be narrowly tailored to the asserted purpose and ask courts to lift restrictions on customer notice.

It is beyond reasonable doubt that authorities asked other companies to supply the same kinds of information sought from Twitter, but none of them admit it. Soghoian notes that standard procedure in this kind of forensic work is to assemble data from many sources to “draw the graph” of Wikileaks and its leadership — who communicates with whom, and when, and who initiates the contact — even if the contents of the conversations are encrypted. Twitter lived up handsomely to a policy of providing no private information without a binding order, and of notifying users unless legally barred from doing so. The other companies, with a few partial exceptions, will not say what their policies are. I sent carefully framed questions to Verizon Wireless, Sprint, AT&T, T-Mobile, Comcast, Time Warner Cable, Google, Yahoo, Microsoft, Facebook, MySpace and Skype. None replied to most of them. Partial answers, when I got them, were mostly homilies about how seriously they take privacy and how carefully they review each request.

Details are below, but here’s the bottom line. As Paul Ohm, a former computer crime prosecutor, put it to me, there is a “classic tacit collusion problem” by companies that do not want to compete on privacy and agree among themselves that “the less you know the better.” Yahoo actually said as much when Soghoian filed a freedom of information request for ~~helped disclose some of~~ its surveillance practices. Yahoo’s lawyers asked the U.S. government to deny the request, saying disclosure would “shock [our] customers” and damage ~~wrote him a threatening letter, saying he had damaged~~ the company’s “reputation for protection of user privacy and security, which is a competitive disadvantage for technology companies.”

If only. We know what’s in our Cheerios and in our retirement accounts because the law requires disclosure. The market for privacy is broken. Suppliers don’t let us comparison-shop and Congress is not disposed to oblige them. Attention state legislators: does anyone care?

—

Here’s the fine print:

I asked the companies how many times in 2010 they were served with government demands for non-public information about their customers, and whether they (1) try to narrow those demands; (2) insist on compulsory legal orders before complying; (3) ask courts to allow them to notify their customers; (4) tell customers who inquire, if legally permitted, whether their private data has been obtained by authorities; (5) follow stronger or weaker interpretations of their customers’ rights in areas of disputed law, such as the pro-privacy holdings in the Sixth Circuit and Ninth Circuit that do not bind other jurisdictions. I further asked them, if they declined to answer these questions, why they believed their customers did not deserve to know.

—–

Here is what I got back (any italics are mine):

Verizon Wireless, AT&T, Time Warner Cable, Google and MySpace simply ignored the questions. No response at all.
Microsoft said “we take our responsibility to protect our customers’ privacy very seriously, so have specific processes that we use when responding to law enforcement requests.” No hint on what those processes might be. As for the rest: “We appreciate your questions and, unfortunately, this statement is the extent of what Microsoft can provide at this time.”
Skype “does not comment on law enforcement matters” but “cooperates with law enforcement agencies where legally required… Though we’d like to help you with your story, I’m afraid we’re going to have to decline offering any further details.” Skype’s privacy policy is said to be “very transparent,” although it answers exactly none of my questions. The closest it comes is to say Skype “may” disclose your personal information “to respond to legal requirements, to protect Skype’s interests, to enforce our policies or to protect anyone’s rights, property, or safety.” That is the kind of language that lawyers write to justify almost any conceivable disclosure.
T-Mobile “complies with all relevant federal and state laws, including privacy laws. We take our customers’ privacy very seriously, and carefully control the circumstances under which we disclose customer information to any governmental or non-governmental entity.” How so? T-Mobile leaves itself even more wiggle room than Skype does. It hands over your private information “when compelled or permitted” by law,” and this includes, but is not limited to, circumstances under which there is a declaration from law enforcement of an exigent circumstance, as well as other valid legal process, such as subpoenas, search warrants, and court orders.”
Yahoo “responds to valid law enforcement demands.” Its lawyers “carefully review all incoming legal demands,” and “take very seriously our dual responsibilities to abide by US law and to protect our users’ privacy.” The company “is committed to protecting user data.” The privacy policy says disclosures come in response to “subpoenas, court orders,” or unspecified “legal process,” or “to establish or exercise our legal rights or defend against legal claims,” or when “we believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Yahoo!’s terms of use, or as otherwise required by law.”
Sprint manages to be the most responsive and the least reassuring. It gets “thousands of record requests a year” from authorities — other published hints have suggested tens of thousands — and requires a “valid legal request,” which is not the same thing as a compulsory request. “We act as good stewards of our customers’ personal information while also meeting our obligations to law enforcement agencies.” Sprint “usually” requires a subpoena or court order but in other cases “Sprint can provide information without requiring this supporting documentation.” Sprint notifies its customers only when “ordered buy a judge to do so,” which in practice is almost never, rather than as legally permitted, which would be often, because “we do not seek to interfere with the progress of law enforcement investigations.” Then comes the boilerplate that “we are ardent about addressing privacy in our products and services and then clearly communicating those policies and practices to our customers.” On the whole, this answer is not terribly specific, but the company’s priorities are pretty clear. It values cooperation with authorities more than the privacy of its customers, and notifies them only when compelled to do so.
Comcast makes “every reasonable effort to protect subscriber privacy,” and the rest of the answers amount to “maybe.” Disclosures of personal information “may be made with or without the subscriber’s consent, and with or without notice, in compliance with the terms of valid legal process such as a subpoena, court order, or search warrant.” It gives the greatest protection to customer’s television viewing habits because the Cable Act requires notice and an opportunity for customers to contest release of their personal information. For internet customers, “we are usually prohibited from notifying the subscriber of any disclosure of personally identifiable information to a government entity by the terms of the subpoena, court order, or search warrant.” There is no mention of contesting gag orders, or of notifying customers when permitted to do so.
Facebook: ”We have no comment at this time” on Wikileaks. On the policy questions, “Will get back to you.” I’m still waiting.

kittyantonikwakfer

“Twitter stalled, fighting and winning a motion to lift the gag order, which is how we know about the case. (If the judge had believed government claims that lifting the gag would blow the investigation, she could equally have rejected Twitter’s motion.)”

Interesting that Theresa Buchanan, magistrate judge in the Eastern District of Virginia, both signed the original subpoena with gag order on Twitter and then the order to lift the “gag”. If she did not believe the “government claims that lifting the gag would blow the investigation”, then why did she issue the gag order in the first place?

Did Judge Theresa Buchanan just go along with the gag order, on the hopes or assumption (by prosecutors) that Twitter would not challenge it, just as the other corporations have not done in this and similar cases?? I think that this is very likely and is a significant factor in selecting a judge by an anti-WikiLeaks federal prosecutor/legislator/executive.
pks29733steel

Best way to keep things ‘away’ from prying eyes is ‘hi-jack’ a ‘wi-fi’ (or should I say ‘borrow’) once setting your computer’s internet settings to ‘private’. Now you are on the ‘web’. Next go to ‘AOL’, create a screen name and a ‘e-mail’ address. Now by using a ‘non-secured’ ‘wi-fi’ signal there is no ‘internet provider’ traced to a ‘charge account’ or bank account. Your address would be that of the owner of the ‘wi-fi’ signal you are borrowing. Thus you are on the web, files can be downloaded from the web, e-mails can be received and sent, and you cannot be traced.
nipper58

And to hell with the potential problems for the real owner of the wireless account, PKS?
cyclotron351

RE:pks29733steel,
apart from when you hijack a WiFi , your PC will leave behind its unique MAC address (the number associated with your PC WiFi card , like 00:D0:B7:C4:99:6F)
Your MAC address is broadcast contained in the header of all data packets sent.
This information will be kept in the hijacked WiFi logs and other places. Your car number plate may have been scanned by personal, local, municipal or government ANPR automatic number plate recognition cctv technology. Some organisations are bulk recording ALL WiFi signals (not just Google ‘accidentally’).
I agree that you cannot be traced, in 5 minutes, but give it a day or two and your method is not valid. I think privacy is deader than a Norwegian Blue, but hopefully I may be pleasantly surprised if it is re-animated at some point!
davidasr

@ cyclotron351: The “deader than a Norwegian Blue” analogy regarding user privacy was spot on, though I doubt many will get the reference.
rohalz

Sadly, while the government tries to obfuscate the real issue that concerns it, most people are mislead to believe that govewrnments are upset by the release of insults by various diplomats about other countries’ leaders. The real issue is that wikileaks has also posted documents that reveal how Mugabe, the brutal murderer leading Zimbabwe, was propped up by the UK and the US, hardly moral or ethical decisions. They are also trying to keep information from the public that would indict bankers and the wealthy elites who defraud the tax system routinely.

We need more information and truth from whatever sources can obtain it. Only when armed with truthful information can we preserve real democracy.
http://nitinbajaj2.wordpress.com nitinbajaj2

No matter what, twitter’s efforts in lifting that gag order are commendable..
http://mikeauvic.wordpress.com mikeau

Surely there is an irony that we are arguing about protecting the information about a company that exposes the information of others. While we may say it is the government, it has involved messages from individuals whose jobs may now be on the line, and has damaged the security of diplomacy, both may no longer trusted because of what has been posted by Wikileaks.
You could easily argue the same arguments to stop a leak as stop a government from ensuring no crime has been committed.
Secondly USA get over your constitution it does not apply to us who live outside the USA. Arguments need to be based on basic human dignity and rights for all. Wikileaks no doubt use this to their advantage, as much as the government.
demonthenes2

The real issue for us the users is to lobby our state legislatures to write state laws that restrict government access to our data and write the specific steps for law enforcement to follow and Judges to enforce that protect our digital privacy. Doing it on a national level is unrealistic but on a state level very doable. Most National legislatures are “unavailable” and are vulnerable to the time constraints of who they will listen too. Local legislatures are very available (they’re your neighbors) and often a successful bill in a state spurs action on a national level. Many state representatives are not aware of the digital privacy issue but will act on it if made aware of it as locals are very often states rights supporters who will defy the Washington trend of big gov bowing to every law enforcement request legal or pertinent or not. Washington plays cover your ass and hauls out the National Security issue at the drop of a hat when all it’s protecting are it’s own misdeeds. The burden of proof that Wiki-leaks is a security risk and any method is legal to take down wiki-leaks should always be trumped by the public’s absolute right to digital privacy. Even if the US national government fails to protect those right the US States can do so state by state. Hopefully the day will come when the US States will enforce their sovereignty and we the people must make that happen both in our legislatures, our Courts and if necessary in the streets aka Tunisia !