Court Refuses to Set Aside Order Requiring Disclosure of Twitter Users’ IP Addresses

[Post by Venkat Balasubramani with some comments by Eric]

In re: sec. 2703(d) Order; 10GJ3793; Miscellaneous Case No. 1:11dm00003 (E.D. Va. March 11, 2011) [pdf]

A federal magistrate judge refused to vacate a previously issued order granting the government’s request to reveal information regarding various Twitter accounts for people allegedly associated with Wikileaks.

On December 14, 2010, at the government’s ex parte request, the court entered a sealed order granting the government’s request for the following information associated with the Twitter accounts of WIkileaks, rop_g, ioerror, birgittaj, Julian Assange, Bradley Manning, Rop Gonggrijp, and Birgitta Jonsodottir:

1. subscriber names, user names, and identities;
2. physical addresses, email addresses, and other contact information;
3. “connection records,” records or session times and durations;
4. length of service and the types of service utilized;
5. “telephone or instrument number or other subscriber number or identity, including any temporarily assigned network addresses”;
6. means and source of payment for service.

The order also required disclosure of all records and other information relating to these accounts, including the timing and method of connections, data transfer volumes, and “source and designation” IP addresses; “non-content information” associated with any communications, such as “source or destination email addresses and IP addresses;” and correspondence and notes of records relating to the accounts.

Twitter sought to have the order partially unsealed and give an opportunity for the affect account-holders to contest the order. (Kudos to Twitter for taking this step. (“Why Twitter Was the Only Company to Challenge the Secret WikiLeaks Subpoena.”)) Several interested parties (Applebaum, Jonsdottir, Gonggrijp), represented by the ACLU and EFF, filed a motion seeking to vacate the order, but they were unsuccessful.

Standing Under the Stored Communications Act:

The first question was whether the moving parties had standing to challenge the order under the provisions of the Stored Communications Act. The court says that standing to challenge under section 2704(b)(1) is restricted to those customers who can show that the “contents” of their electronic communications have been sought. “Contents” are defined in the statute as information “concerning the substance, purport, or meaning” of the communications, and the court finds that the government did not seek the contents of any communication. [The court notes here that the moving parties face difficulties in challenging the application because they have not seen a copy of it – the application is under seal.]

First Amendment Arguments:

The First Amendment arguments centered around free association and the chilling effects that would result from the government being able to “create a ‘map of association'” from obtaining the information in question. The court is unpersuaded by the First Amendment association argument, partially because the moving parties had “made their Twitter posts and associations publicly available.” The court does not specify whether the accounts were set to private, but I assume if any of them were, the court would have mentioned it.

Fourth Amendment Arguments:

Finally, the moving parties made a Fourth Amendment argument that the disclosure order should have been vacated because it amounted to a warrantless search in violation of the Fourth Amendment. In particular, the moving parties argued that they had a privacy interest in their IP address information, and argued that requiring Twitter to produce IP address details for specific dates and times would be “‘intensely revealing’ as to location, including the interior of a home.” The court is not sold on this argument. The court cites to a slew of federal appellate cases (including US v. Bynum, which was the subject of a brief post: “4th Cir.: No Expectation of Privacy in Internet and Phone Subscriber Info“) holding that there is no privacy interest in an ISP subscriber’s information. The moving parties argued that they never voluntarily conveyed their IP address to Twitter, but the court disagrees, and points to Twitter’s privacy policy:

[b]efore creating a Twitter account, readers are notified that IP addresses are among the kinds of “Log Data” that Twitter collects, transfers, and manipulates . . . . Thus, because petitioners voluntarily conveyed their IP addresses to Twitter as a condition of use, they have no legitimate Fourth Amendment privacy interest.

__

I had not followed the goings on closely, but the moving parties had an uphill battle given that the government did not seek the contents of any communications. This is a fact that is sometimes obscured in media reports, which often paint the picture of the government getting access to sensitive and private communications. That isn’t the case. The fact that the accounts in question were not set to private did not help either. (Also, in the consumer context, courts have held that IP addresses are not personally identifiable information. See “Court: IP Addresses Are Not ‘Personally Identifiable’ Information.”)

On the expectation of privacy issue, Chris Soghoian makes a good point that I’ve alluded to before – it’s awkward to measure the consumer’s expectation of privacy based on the language of a privacy policy because people rarely read the policies: “Federal judge in Twitter/Wikileaks case rules that consumers read privacy policies.” That said, most people would expect services like Twitter to collect and use IP addresses. It’s just a question of how long Twitter may retain this information for and under what circumstances it would turn this information over. On this issue, the privacy policy was of no help.

[As a side note, I think this may be somewhat indicative of how many of the Facebook privacy lawsuits may shake out. Those lawsuits are heavily dependent on federal statutes which grant protection to the contents of communications, and if all that’s being collected and used is the parameters of a person’s internet activity, the plaintiffs will have a tough time arguing that any statutory violations occurred.]

EFF & the ACLU plan to appeal, so this isn’t the last word.

Other coverage:

EFF: “Court Rules Against Privacy in Battle Over Twitter Records

cnet (Declan M.): “DOJ wins access to WikiLeaks-related Twitter accounts

Wired (Threat Level): “Judge Won’t Stop WikiLeaks Twitter-Records Request

Chris Soghoian: “Federal judge in Twitter/Wikileaks case rules that consumers read privacy policies

_______________

Eric’s comments: In my recap of top cyberlaw issues from 2010, I ranked Wikileaks as the #1 issue of the year and wrote:

Wikileaks finally forces us to confront many of the cyberspace governance issues we were debating in 1996. I’m sad to say that our government, and many private businesses, failed the test.

This ruling appears to be another datapoint in support of that assessment. The government’s request for Wikileaks-related information from Twitter very well may be lawless, but this judge–like so many others confronted with Wikileaks-related issues–is willing to roll with it using highly formalist reasoning. In this respect, Wikileaks may be the new Napster–whenever its name is invoked, the rule of law gets suspended in an overall effort to kick the unwanted enterprise out of the ecosystem; and everyone who touches Wikileaks gets tarred with the taint-by-association brush.

The court’s ruling on 2704 standing to challenge a 2703(c) request is a fine example of the problem. The court says that, based on the statutory wording, the affected subscribers lack standing to challenge the records request. OK, but when do the affected subscribers have standing to challenge a 2703(c) request? According to this ruling, the answer may be never. That can’t be right. Surely we as citizens have some way to fight back against overreaching government requests for non-public information about us…don’t we?

We encounter the same problem with the court’s discussion regarding IP addresses. The court makes a troubling categorical statement: “petitioners have no Fourth Amendment privacy interest in their IP addresses.” As with the 2703(c) records request, is there any circumstance where a subscriber could prevent his/her IP address from being disclosed to the government? According to this court, the answer may be no.

Overall, the court seems tone-deaf about the possible consequences of revealing the information to the government. We’ve made a lot of progress striking a balance regarding unmaskings in the civil context; here, the court doesn’t consider the possibility of balancing at all.

I’d like to think the Wikileaks participants used anonymizers for their IP addresses. If you are doing anything likely to incur the wrath of the US government, consider this a cautionary warning of the need to use good anonymizers for your activity.

For Twitter, there is a silver lining to the ruling. In a footnote, the court says “By clicking on “create my account”, petitioners consented to Twitter’s terms of use in a binding “clickwrap” agreement to turn over to Twitter their IP addresses and more.” Surely Twitter likes a judicial vote in favor of its online contract formation. However, the court’s citation of Twitter’s privacy policy reinforces that privacy policies are not just about the private arrangements between sites and their users. The government will trawl through a site’s privacy policy to cite terms against the site’s users as part of the government’s rapacious desire to know everything about its citizens. As drafters of privacy policies, we might consider how we balance our clients’ needs for information flexibility with the fact that the government will abuse that same flexibility for its own possibly lawless interests.

UPDATE: Jennifer Granick’s post on the opinion.