A Look at Twitter’s Updated Privacy Policy (November 19, 2009)

[Post by Venkat]

As noted on Twitter’s blog, Twitter refreshed its privacy policy yesterday. Given that virtually everything Twitter does is placed under the microscope, I’m sure the policy will be pored over in detail. (Here’s a link to the updated policy and a link to the old policy.)

General thoughts on the policy: The policy is short, easy to understand, and in plain English. The thrust of the policy is that most users typically use Twitter to publicly disseminate information, and users should expect any of this information to be broadly disseminated. This includes dissemination by Twitter, third party applications, search engines, etc. To the extent you want to restrict use of this information, Twitter gives you the tools to do so in your profile settings.

Much of what’s in the policy is very typical of what you would find in the privacy policy of any other website or social network. However, a few things are worth mentioning:

1. Geolocation: The policy provides that you can turn geolocation on and off, and if you have it turned on, your location information is obviously broadcast and also used by Twitter. Geolocation is opt-in and this makes sense.

2. Cookies: The policy also mentions that Twitter places cookies on your computer. Virtually all privacy policies contain this, since most websites use cookies. But for some reason this part of the privacy policy jumped out at me. I guess it’s a reminder of the tremendous advertising power that Twitter could wield. Everyone who uses Twitter expresses their preferences through Twitter, by clicking on links, using applications, and just through general usage. Most people probably do more, such as expressing their food, drink, entertainment, political, and other preferences. (Some more than others.) By being able to identify the computer of someone who expresses those preferences, Twitter can build a valuable network that would be useful to advertisers. I’m not only talking about advertising on Twitter.com (the web client), but also advertising on other websites or networks as well. This is pretty common in the industry, and subject to attack by privacy advocates, some of whom are pushing for an opt-in system for this type of tracking. Thus far Twitter has been free of advertising, but this is likely to change, as indicated by Twitter’s own statements. (See Scoble’s link below.)

3. Metadata: Interestingly, the policy also treats tweet metadata as public information (“information you are asking us to make public”). This seems to create some grey area between information which you broadcast and is truly public, and information which is available to Twitter (but not to your followers) from your use of Twitter. Robert Scoble has a post with comments from Twitter’s COO signaling Twitter’s turn to advertising and possible use of metadata in this context. I didn’t pick up on this at first, but I think this is significant.

4. Subpoenas: The part of the policy that talks about disclosing information in response to a subpoena provides plenty of wiggle room to either require law enforcement (or a civil litigant) to obtain a subpoena or for Twitter to respond to a “legal request” (presumably, this could be a letter from law enforcement). It’s probably unreasonable to expect these types of companies to always take a stand and require a subpoena or fight for the privacy rights of users when a third party tries to unmask a commenter or user, but it would be nice from the user perspective to have some clarity. I’m guessing in practice Twitter provides notice when a third party seeks information from or about a user’s account, but this doesn’t seem to be required under the policy. (The social media dynamic is probably a strong check here.)

What Changed?: Other than the points mentioned above, I didn’t notice any other significant changes to the policy (the cookie stuff was leftover from the old policy). The old policy made some statements regarding security measures implemented by Twitter which Twitter [wisely] removed from the current version. The provision that any transfer of information in connection with a sale of the business would be subject to the provisions of Twitter’s privacy policy remains, although Twitter removed the notice provision.

It’s worth mentioning that neither the old policy nor the new one clearly speak to whether Twitter or any third party can build a “profile” using information which you make publicly available. Twitter can crunch the data contained in someone’s Twitter stream and obtain a wealth of information regarding a particular person. Anything ranging from their sleeping patterns, to their dietary habits and their political preferences. Of course, people make this information publicly available anyway, so they have no real argument as to why a third party should be prevented from using this information, but realistically, it would be tough to construct such a profile without access to Twitter’s data and tools. Do users expect Twitter to use user information in this manner? Probably not at this juncture, but as a general matter there’s nothing from a legal standpoint that would prevent this, and the privacy policy does not preclude it. These types of applications are not that far-fetched, given reports of tools to analyze someone’s social network and assess their credit worthiness (“Rapleaf”) or psychological profile (“TweetPsych“). Recently a story made the rounds about an insurer who denied an insurance claim based on the insured’s photos posted on Facebook (“Depressed Woman Loses Benefits Over Facebook Photos“). (A host of specialized rules could come into play in this instance – ranging from rules governing financial privacy and fair credit to rules governing the employment relationship – so a privacy policy wouldn’t necessarily provide a definitive answer to the question anyway.)

How Does it Compare to Facebook’s Recently Revised Policy?: As far as volume, in comparison to Twitter’s policy, Facebook’s policy [link] reads like a (painful-to-read) epic saga. This is partially due to the fact that information sharing and interaction on Facebook is more complex, but Facebook’s policy is simply impossible to read and digest in one sitting. The two policies are somewhat similar in their approach, although Facebook differs in that users don’t make their Facebook data “public” in the same sense that Twitter users do. Of course, Facebook has a bit of a history of advertising initiatives and pitfalls that probably prompted the additional complexity. Facebook’s policy has some interesting tweaks such as a “memoriam” for Facebook users where friends and relatives can post items about a deceased person. Also, Facebook has a deletion policy, which I didn’t see in Twitter’s privacy policy. (Deletion policies will become increasingly important as people try to obtain information (deleted by the user) from social networking sites in the context of litigation.)

***

The Trademark Guidelines: It’s worth mentioning that Twitter also refreshed its trademark guidelines. They are pretty standard fare, but contain some rules that people pretty clearly are not following right now, for example: (1) use only the current Twitter logo to link to and promote your Twitter account (“40 cute free Twitter badges“); (2) don’t use Twitter’s logo on the cover of your book (“The Twitter Book“); (3) don’t use screenshots of third party profiles or tweets without the third party’s permission; (4) don’t use Twitter marks on apparel or merchandise without Twitter’s permission (“Sock Guy Socks“). The trademark guidelines also address some of the sore spots in the area of third party use of Twitter’s trademarks (or terms which Twitter is trying to obtain trademark protection for): (1) “don’t use Twitter in the name of your website or application;” (2) “don’t register a domain name containing ‘twitter’;” and (3) “don’t apply for a trademark with a name including Twitter or Tweet (or similar variations thereof).” Both Twitter and third party developers are trying to obtain trademark protection for the term “tweet,” (see for example “CoTweet“) and it’s unclear as to how the battle between Twitter and these third party developers will play out. It’s difficult to tell at this juncture whether Twitter’s new trademark guidelines signal a true change in policy or whether it’s business as usual. (See posts by Tom O’Toole here and Mike Masnick here for some discussion of Twitter’s “laissez faire” attitude with respect to third party use of Twitter trademarks.)

[Edited: to add the point about disclosure in response to subpoenas or law enforcement requests. I should probably also note that I’ve been using Twitter for the past 15 months or so. I was going to say that I’m a “casual user,” but at 5000+ updates, that’s a tough claim to make!]