Twitter fought the subpoena’s accompanying gag order, and has earned a partial victory that allowed Twitter to make the order public. [Some surmise that the wording of the order -- asking for size of "data files" -- suggests the same order was made to other ISPs or online providers, but there is no evidence that anyone other than Twitter has objected.] Upon learning of her inclusion in the subpoena, Birgitta Jonsdottir, a member of Iceland’s parliament, sought the help of the EFF and  filed a motion challenging the government’s attempt to obtain the records, asking the court to vacate the order. The motion argued the government’s demand for the records violated First Amendment speech rights and Fourth Amendment privacy rights of the Twitter-account holders.

In March 2011, Judge Theresa Buchanan, in the Eastern District of Virginia, ruled against that motion, arguing that because the government was not seeking the content of the Twitter accounts in question (.pdf), the subjects did not have standing to challenge the government’s request for the records. She further argued that “because petitioners voluntarily conveyed their IP addresses to Twitter as a condition of use, they have no legitimate Fourth Amendment privacy interest.” The judge was unpersuaded by the petitioners initial suggestion that they did not read or understand Twitter’s Privacy Policy, and that any conveyance of IP addresses to Twitter was involuntary. In a footnote of the motion, she wrote quite plainly: “Internet users are bound by the terms of click-through agreements made online.”

Christopher Soghoian has posted a critical analysis of this portion of the judge’s ruling, noting that while the judge states in her order that “[b]efore creating a Twitter account, readers are notified that IP addresses are among the kinds of ‘Log Data’ that Twitter collects, transfers and manipulates,” that isn’t entirely true. Soghoian comments:

It would be far more accurate to say that before creating a Twitter account, users are presented a link to a privacy policy, which includes a statement six paragraphs down about IP address collection. Users are further told that by clicking on a button to create the account, that they acknowledge that they read the linked privacy policy, although Twitter does not actually take any steps to make sure that users clicked on the link or scrolled through the content on that page.

Of course, it wouldn’t really matter if Twitter forced people to click on the privacy policy, or scroll through the page, because everyone knows that consumers won’t actually read through the text.

This final point is critical: “everyone knows that consumers won’t actually read through the text.” Soghoian’s post includes numerous studies that show users rarely read terms of service or privacy policies, as well as quotes from both FTC officials and US Supreme Court Chief Justice Roberts acknowledging the fact that these policies are difficult to read and understand.

Building from his original post, Soghoian has penned an amici brief (pdf) to the court, which presents the following argument:

Amici urge the court to not dismiss petitioners’ Fourth Amendment privacy interests based on their mouse clicks. Research has shown that consumers rarely read and even more rarely understand privacy policies. In fact, the mere presence of a privacy policy is often misunderstood by consumers to mean their privacy is protected. While “clickwrap” acceptance of terms may constitute a contract under certain circumstances, this legal construct for private obligations has limited bearing on whether a user’s expectation of privacy against government intrusion is objectively reasonable and protected by the Fourth Amendment.

I’m among the signers* of this brief, and would like to thank Chris for his continued efforts on protecting privacy online.

• Dr. Kelly Caine, Principal Research Scientist in the Center for Law, Ethics and Applied Research in Health Information and the School of Informatics and Computing, Indiana University
• Danielle Keats Citron, Professor of Law, University of Maryland School of Law
• Dr. Serge Egelman
• Jerry Kang, Professor of Law, UCLA School of Law
• Dr. Aleecia M. McDonald
• Frank A. Pasquale, Schering-Plough Professor in Health Care Regulation and Enforcement, Seton Hall Law School, Visiting Fellow, Princeton University Center for Information Technology Policy
• Len Sassaman, Researcher, Katholieke Universiteit Leuven (Belgium)
• Jason M. Schultz, Assistant Clinical Professor of Law, Director, Samuelson Law, Technology & Public Policy Clinic, UC Berkeley School of Law
• Wendy Seltzer, Associate Research Scholar, Center for Information Technology Policy, Princeton University
• Christopher Soghoian, Graduate Fellow, Center for Applied Cybersecurity Research, Indiana University
• Dr. Michael Zimmer, Assistant Professor, School of Information Studies, Co-Director, Center for Information Policy Research, University of Wisconsin-Milwaukee

I certainly don’t have the training to analyze this decision from a legal perspective, but one commenter illuminates concerns with such a ruling:

This ruling is very troubling for the following reasons:

* The 4th amendment only applies to the government. According to this ruling, if a commercial entity collects information about you without a warrant the government may then search that information without any judicial review. Completely circumventing the 4th amendment. It is like saying to the police, “Well, you can’t look at the phone records of someone without a warrant—unless you pay someone to impersonate said person and get them for you and then query their database.”

I can just imagine the advertisements now: “4th Amendment getting in the way? We’ll get around it for you! http://privacy-schmivacy.us”

* Surrendering information to any given entity should not be the same thing as surrendering personal information to the government. Just because I’m willing to fill out some company’s form doesn’t mean that I would do so if I expected the government to gain free access to that info without just cause and judicial oversight.

* Information contained in commercial databases is often inaccurate. If law enforcement starts using credit histories, employer databases, and other data stores to query information no one will be held accountable if that information is not correct. At least with a government-run database the citizen can petition to have information about them disclosed and/or corrected.

* An innocent person that is wrongfully accused of a crime may never know the true source of incorrect data in any given non-government database. In a government-run database, all data comes from cited public sources (such as court documents, police reports, DOT records, etc).

Implicit in the term “national defense” is the notion of defending those values and ideas which set this Nation apart. . . . It would indeed be ironic if, in the name of national defense, we would sanction the subversion of one of those liberties . . . which makes the defense of the Nation worthwhile. U.S. v. Robel, 389 U.S. 258 (1967)

The librarian, however, was merely following New Jersey law that considers personal information of library users to be confidential. The legislation requires any individual or entity wishing access to those records to have a court order.

Her actions were also supported by the American Library Association’s Code of Ethics which states, in part, that “We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted,” as well as the ALA’s Library Bill of Rights, which states, in part, that “Libraries should cooperate with all persons and groups concerned with resisting abridgment of free expression and free access to ideas.” This has been interpreted to mean that when users recognize or fear that their privacy or confidentiality is compromised, true freedom of inquiry no longer exists.

Requiring a proper subpoena is a necessary step in protecting the privacy of users’ library records and ensuring true freedom of inquiry.

[via Pogo Was Right]

Numerous federal and local law enforcement agencies have bypassed subpoenas and warrants designed to protect civil liberties and gathered Americans’ personal telephone records from private-sector data brokers.

These brokers, many of whom advertise aggressively on the Internet, have gotten into customer accounts online, tricked phone companies into revealing information and even acknowledged that their practices violate laws, according to documents gathered by congressional investigators and provided to The Associated Press.

The law enforcement agencies include offices in the Homeland Security Department and Justice Department including the FBI and U.S. Marshal’s Service and municipal police departments in California, Colorado, Florida, Georgia and Utah. Experts believe hundreds of other departments frequently use such services.

“We are requesting any and all information you have regarding the above cell phone account and the account holder … including account activity and the account holder’s address,” Ana Bueno, a police investigator in Redwood City, Calif., wrote in October to PDJ Investigations of Granbury, Texas.

An agent in Denver for U.S. Immigration and Customs Enforcement, Anna Wells, sent a similar request on March 31 on Homeland Security stationery: “I am looking for all available subscriber information for the following phone number,” Wells wrote to a corporate alias used by PDJ.

Congressional investigators estimated the U.S. government spent $30 million last year buying personal data from private brokers. But that number likely understates the breadth of transactions, since brokers said they rarely charge law enforcement agencies any price.

[via privacy.org]

This form of public-private cooperation (or in many cases public purchase of information from private sources) allows the government to do an end-run around the Fourth Amendment’s prohibitions on invasion of privacy. The reason is that the state is not doing the data collection; it is only purchasing information already collected and collating the results with other information it possesses. As the article explains, this information can be used for far more than protecting national security; it can be used for ordinary law enforcement, or even to find teenagers who would be most willing to join the military. Once the information is available to the government for purchase and collation, and absent privacy laws prohibiting its use, there is no particular reason for government not to use data mining for as many different policy purposes as possible. If the government thinks it would be useful to know the preferences, tastes, habits and tendencies of its citizens for any reason of governance, it will eventually attempt to find out and make use of the information if it can do so at reasonable cost, unless the law prevents it. And the digital revolution, of course, makes it increasingly possible (and relatively inexpensive) to do so.

…Put another way, when collection and collation become major techniques of governance, we will need methods of accountability for these practices. And that means that contracts and practices that are currently classified and kept out of the public eye will have to be subjected to some form of scrutiny and accountability, either by the public or by some independent agency. Otherwise the National Surveillance State, like all well meaning forms of governance, will swallow up our liberties in the name of serving the public interest and getting the job done.

Except as provided below, Skype shall not sell, rent, trade or otherwise transfer any Personal and/or Traffic Data or Communications Content to any third party without Your explicit permission, unless it is obliged to do so under applicable laws or by order of the competent authorities.

[...] Please be informed that, notwithstanding the abovementioned, in the event of a designated competent authority requesting Skype or Skype’s local partner responsible towards such authority, to retain and provide Personal and/or Traffic Data, or to install wiretapping equipment in order to intercept communications, Skype and/or its local partner will provide all necessary assistance and information to fulfill this request. [emphasis added]

So, it seems if the “competent authority” that is the NSA comes asking for a sneak peek at your Skype account, they’ll be welcomed in with open arms.

Memo to self: cancel Skype account

[via Pogo Was Right]

The twin dangers of national security displacing the criminal justice system and the criminal justice becoming increasingly like the national security system are consequences of technological change. Although the National Surveillance State arises from the changing nature of war, changes in technology do not stop with the problem of war, as least as traditionally conceived. Rather, the very same changes in technology threaten to transform the ways that democratic governments interact with their citizenry. That is why the debate over the NSA program is so incredibly important. We need to have a national debate on how we will implement a system of information gathering and processing that is quickly becoming the norm and not the exception. If we do not have this debate, the system will be implemented so as to displace the civil liberties and rights of citizenship we hold dear.

The NSA program reaches into homes and businesses across the nation by amassing information about the calls of ordinary Americans — most of whom aren’t suspected of any crime. This program does not involve the NSA listening to or recording conversations. But the spy agency is using the data to analyze calling patterns in an effort to detect terrorist activity, sources said in separate interviews.

“It’s the largest database ever assembled in the world,” said one person, who, like the others who agreed to talk about the NSA’s activities, declined to be identified by name or affiliation. The agency’s goal is “to create a database of every call ever made” within the nation’s borders, this person added.

For the customers of these companies, it means that the government has detailed records of calls they made — across town or across the country — to family members, co-workers, business contacts and others.

This is much more extensive than the monitoring of international calls, which was previously discovered:

The NSA’s domestic program, as described by sources, is far more expansive than what the White House has acknowledged. Last year, Bush said he had authorized the NSA to eavesdrop — without warrants — on international calls and international e-mails of people suspected of having links to terrorists when one party to the communication is in the USA. Warrants have also not been used in the NSA’s efforts to create a national call database.

In defending the previously disclosed program, Bush insisted that the NSA was focused exclusively on international calls. “In other words,” Bush explained, “one end of the communication must be outside the United States.”

As a result, domestic call records — those of calls that originate and terminate within U.S. borders — were believed to be private.

See EFF for more information, including the fact that Quest apparently stood up to the NSA’s request.

UPDATE: Read Orin Kerr’s thoughts on the legality of the program, and Glenn Greenwald’s important commentary.

Does the fact that Google is providing this wi-fi as a public service on behalf of the city make them a de facto “state agent”? If so, does this have any impact on the legal procedures the state must go through in order to obtain any records Google maintains on users accessing the system? Conversely, if Google is now considered a “state agent,” do users have 4th Amendment rights when it comes Google’s collection of their browsing & locational data?

BTW, I am not a lawyer, and my understanding of these issues is based on my limited digestion of what my wife (who is an attorney) is patient enough to explain to me. Can anywone else chime in with the legalities of these concerns?