Over on Slight Paranoia, privacy and security researcher Chris Soghoian does a brilliant job of delving into a section of the recent opinion in the Twitter Wikileaks case.
In the opinion issued this week, Judge O’Grady addressed the issue of whether three people associated with Wikileaks had any reasonable expectation of privacy in their IP addresses. In a nutshell, after reviewing Twitter’s privacy policy and the “I agree” button that they had to click to obtain their Twitter accounts, the judge decided that they had no reasonable expectation of privacy with respect to their IP addresses.
In his blog post, Chris criticizes the judge’s analysis on a few grounds. Importantly, the privacy policy that the judge quoted in explaining his ruling was not the privacy policy that was in place at the time the three users first signed up for their accounts. Big oops, yes. Chris argues that the version in effect at signup would have given the users a reasonable expectation of privacy in their IP addresses – assuming that any of them had even read it. As everyone except the judge seems to recognize, almost no one actually reads privacy policies.
Although the judge did cite and analyze the wrong version of the policy, it is not clear that this is the judge’s error as we do not know whether counsel for the three individuals ever submitted the version that was in effect when they signed up. If they didn’t, that is unfortunate, although it wouldn’t have any bearing on the issue of whether people actually read the privacy policy or any updates to it.
Chris writes:
If the judge were to examine the privacy policy that existed when these three targets signed up for a Twitter account, he might decide that they do in fact have a reasonable expectation of privacy and that the government needs a warrant to get the data.
I disagree with Chris on that. Even if the judge had acknowledged that Twitter’s privacy policy at the time of signup created a reasonable expectation of privacy, the court could still simply point out that a company’s privacy policy cannot trump a 2703(d) order. An application for a 2703(d) order (18 U.S.C. § 2703(d)) does not require the government to show that the target had no reasonable expectation of privacy. It only requires that “the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation….”
Not only does a privacy policy not exempt the provider from complying with an order under existing law, but the judge also cites the Third Party Doctrine:
(Order at p. 28)
(Order at p. 30)
Game over. And I don’t blame the judge who is just applying existing law. The problem is with existing laws that desperately need updating.
ECPA needs to be updated so that a warrant is required to obtain users’ data from online providers. And we need to throw out the outdated Third Party Doctrine and recognize that users have, and are entitled to have, a reasonable expectation of privacy for much of their online activity.
The Twitter Wikileaks case also reminds us – as if we needed more proof – that businesses that collect and retain data for months or years increase the risk to our privacy.
Lawyers for the three individuals have not yet announced any decision as to whether to appeal Judge O’Grady’s ruling. Frankly, I don’t think they can prevail. Not because they’re wrong, but because the law is wrong. And Congress needs to fix that.