Wikileaks: Twitter's Privacy Policy & Reasonable Expectations of Privacy

(Image Author: Wikileaks)

On the 10th of November a federal judge, Liam O'Grady, upheld an order allowing federal prosecutors to access Twitter account information for Jacob Appelbaum, Rop Gonggrijp, and Birgitta Jonsdottir, due to their association with Wikileaks.  The three petitioners argued (1) that their IP addresses should be considered private, and (2) that the request for information was too broad and unrelated to the federal investigation of Wikileaks.

Interestingly, the judge looked to Twitter's privacy policy as evidence that users of Twitter reduce their expectation of privacy by consenting to the Twitter privacy policy because they should be aware that their IP address is subject to use by Twitter. Christopher Soghoian, a well known security and privacy researcher, read the opinion and noticed that the order cited Twitter's modern privacy policy, not the policy in place when the petitioners joined Twitter and agreed to it's privacy policy. The version of the privacy policy that the petitioners agreed to does state that a users IP address will be logged but it also says:

We do not associate your IP address with any other personally identifiable information to identify you personally, except in case of violation of the Terms of Service.

It would seem that the petitioners could then rely on this statement (had the court been aware of this difference in terms) to create an expectation of privacy on which they relied.  Unfortunately, citing the older Twitter privacy policy would probably not have made a substantial difference in the outcome of the order.  First, the policy included a provision that stated that it "may be updated from time to time for any reason."  Second, it doesn't matter whether the privacy policy would hold up as a contract with Twitter users because it was relied on as evidence of notice in determining a reasonable expectation of privacy.  Nancy Kim wrote an excellent post clarifying the way in which the judge relied on the privacy policy.  I think she is absolutely correct to direct our attention away from the information collection and use terms of the policy to the information sharing and disclosure section.  The older policy states that:

Twitter cooperates with government and law enforcement officials or private parties to enforce and comply with the law. We may disclose any information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims, legal process (including subpoenas), to protect the property and rights of Twitter or a third party, the safety of the public or any person, to prevent or stop any illegal, unethical, or legally actionable activity, or to comply with the law.

That provision, above all others in the policy, appears to be sufficient notice to remove a reasonable expectation of privacy in IP address information.