Court Refuses to Set Aside Order Requiring Disclosure of Twitter Users’ IP Addresses
[Post by Venkat Balasubramani with some comments by Eric]
In re: sec. 2703(d) Order; 10GJ3793; Miscellaneous Case No. 1:11dm00003 (E.D. Va. March 11, 2011) [pdf]
A federal magistrate judge refused to vacate a previously issued order granting the government’s request to reveal information regarding various Twitter accounts for people allegedly associated with Wikileaks.
On December 14, 2010, at the government’s ex parte request, the court entered a sealed order granting the government’s request for the following information associated with the Twitter accounts of WIkileaks, rop_g, ioerror, birgittaj, Julian Assange, Bradley Manning, Rop Gonggrijp, and Birgitta Jonsodottir:
1. subscriber names, user names, and identities;
2. physical addresses, email addresses, and other contact information;
3. “connection records,” records or session times and durations;
4. length of service and the types of service utilized;
5. “telephone or instrument number or other subscriber number or identity, including any temporarily assigned network addresses”;
6. means and source of payment for service.
The order also required disclosure of all records and other information relating to these accounts, including the timing and method of connections, data transfer volumes, and “source and designation” IP addresses; “non-content information” associated with any communications, such as “source or destination email addresses and IP addresses;” and correspondence and notes of records relating to the accounts.
Twitter sought to have the order partially unsealed and give an opportunity for the affect account-holders to contest the order. (Kudos to Twitter for taking this step. (“Why Twitter Was the Only Company to Challenge the Secret WikiLeaks Subpoena.”)) Several interested parties (Applebaum, Jonsdottir, Gonggrijp), represented by the ACLU and EFF, filed a motion seeking to vacate the order, but they were unsuccessful.
Standing Under the Stored Communications Act:
The first question was whether the moving parties had standing to challenge the order under the provisions of the Stored Communications Act. The court says that standing to challenge under section 2704(b)(1) is restricted to those customers who can show that the “contents” of their electronic communications have been sought. “Contents” are defined in the statute as information “concerning the substance, purport, or meaning” of the communications, and the court finds that the government did not seek the contents of any communication. [The court notes here that the moving parties face difficulties in challenging the application because they have not seen a copy of it - the application is under seal.]
First Amendment Arguments:
The First Amendment arguments centered around free association and the chilling effects that would result from the government being able to “create a ‘map of association’” from obtaining the information in question. The court is unpersuaded by the First Amendment association argument, partially because the moving parties had “made their Twitter posts and associations publicly available.” The court does not specify whether the accounts were set to private, but I assume if any of them were, the court would have mentioned it.
Fourth Amendment Arguments:
[b]efore creating a Twitter account, readers are notified that IP addresses are among the kinds of “Log Data” that Twitter collects, transfers, and manipulates . . . . Thus, because petitioners voluntarily conveyed their IP addresses to Twitter as a condition of use, they have no legitimate Fourth Amendment privacy interest.
I had not followed the goings on closely, but the moving parties had an uphill battle given that the government did not seek the contents of any communications. This is a fact that is sometimes obscured in media reports, which often paint the picture of the government getting access to sensitive and private communications. That isn’t the case. The fact that the accounts in question were not set to private did not help either. (Also, in the consumer context, courts have held that IP addresses are not personally identifiable information. See “Court: IP Addresses Are Not ‘Personally Identifiable’ Information.”)
[As a side note, I think this may be somewhat indicative of how many of the Facebook privacy lawsuits may shake out. Those lawsuits are heavily dependent on federal statutes which grant protection to the contents of communications, and if all that's being collected and used is the parameters of a person's internet activity, the plaintiffs will have a tough time arguing that any statutory violations occurred.]
EFF & the ACLU plan to appeal, so this isn’t the last word.
cnet (Declan M.): “DOJ wins access to WikiLeaks-related Twitter accounts”
Wired (Threat Level): “Judge Won’t Stop WikiLeaks Twitter-Records Request”
Eric’s comments: In my recap of top cyberlaw issues from 2010, I ranked Wikileaks as the #1 issue of the year and wrote:
Wikileaks finally forces us to confront many of the cyberspace governance issues we were debating in 1996. I’m sad to say that our government, and many private businesses, failed the test.
This ruling appears to be another datapoint in support of that assessment. The government’s request for Wikileaks-related information from Twitter very well may be lawless, but this judge–like so many others confronted with Wikileaks-related issues–is willing to roll with it using highly formalist reasoning. In this respect, Wikileaks may be the new Napster–whenever its name is invoked, the rule of law gets suspended in an overall effort to kick the unwanted enterprise out of the ecosystem; and everyone who touches Wikileaks gets tarred with the taint-by-association brush.
The court’s ruling on 2704 standing to challenge a 2703(c) request is a fine example of the problem. The court says that, based on the statutory wording, the affected subscribers lack standing to challenge the records request. OK, but when do the affected subscribers have standing to challenge a 2703(c) request? According to this ruling, the answer may be never. That can’t be right. Surely we as citizens have some way to fight back against overreaching government requests for non-public information about us…don’t we?
We encounter the same problem with the court’s discussion regarding IP addresses. The court makes a troubling categorical statement: “petitioners have no Fourth Amendment privacy interest in their IP addresses.” As with the 2703(c) records request, is there any circumstance where a subscriber could prevent his/her IP address from being disclosed to the government? According to this court, the answer may be no.
Overall, the court seems tone-deaf about the possible consequences of revealing the information to the government. We’ve made a lot of progress striking a balance regarding unmaskings in the civil context; here, the court doesn’t consider the possibility of balancing at all.
I’d like to think the Wikileaks participants used anonymizers for their IP addresses. If you are doing anything likely to incur the wrath of the US government, consider this a cautionary warning of the need to use good anonymizers for your activity.
UPDATE: Jennifer Granick’s post on the opinion.