Privacy Policies Don't Trump Expectation of Privacy

Federal prosecutors recently filed a new brief in the litigation over access to Twitter records concerning three people who provided assistance to the WikiLeaks project.  Most notably, the Justice Department dwants Twitter to disclose the IP addresses from which the WikiLeaks volunteers accessed Twitter.  In its new brief, the DOJ argues that there is no Fourth Amendment privacy interest in IP addresses transmitted to a destination website, such as Twitter.

The DOJ bolsters this argument by citing Twitter’s Privacy Policy, which states that Twitter automatically records “Log Data” that may include IP addresses.  Because of this policy, the government claims, subscribers to Twitter are “on notice” that IP addresses will be collected.  From there, the DOJ leaps to the conclusion that users have no reasonable expectation of privacy in those addresses and therefore no Fourth Amendment rights regarding them.  

Independent of the merits of the rest of the DOJ’s argument regarding the application of the Fourth Amendment to IP addresses, this particular argument  that the mere statement of fact in a Privacy Policy about what data a service collects automatically destroys a user’s reasonable expectation of privacy in that data in terms of government access  is both legally flawed and practically misguided.   Moreover, probing the argument reveals broader flaws with the DOJ’s ongoing reliance on the “third party doctrine.”

There are a lot of problems with corporate privacy policies, but, even still, taking such policies seriously would suggest the exact opposite of the DOJ’s position.  It is well documented (and accepted by government officials) that most users do not read privacy policies (which may be why the DOJ did not try to argue that the Twitter users had read the policy in this case).  However, it is also documented and accepted by government officials (see below) that a majority of users assume that the existence of a privacy policy means their data is protected.  And, in fact, most privacy policies are carefully crafted to suggest (sometimes despite their fine print) that companies are careful about user data and do not disclose it except in limited circumstances.  That’s exactly what Twitter’s policy says.  Moreover, in its recent case against Sears, the Federal Trade Commission made it clear that privacy policies must be read broadly in favor of a privacy expectation, based on their overall net impression, and should not be treated as contracts to be strictly construed.  And, finally, if Twitter’s actions deserve any weight in defining user expectations, those actions serve to reinforce the presumption of privacy: in this case, after all, and in earlier ones, Twitter did not readily disclose subscriber data to the government, but rather worked hard to ensure that its users had an opportunity to block disclosure. 

If the test for privacy is “reasonable expectation,” one has to conclude that most users–whether they read privacy policies or not–reasonably expect that technical data collected as part of the process of using Internet services will be protected against indiscriminate disclosure to the government.

 Makes Little Legal Sense

The debate in the Twitter case turns on the Supreme Court’s definition of what the Fourth Amendment protects.  Under the Court’s two-part test, articulated in 1967, the Fourth Amendment applies when, first, a person has exhibited an actual (subjective) expectation of privacy and, second, that expectation is one that society is (objectively) prepared to recognize as “reasonable.”

Back in the late 1970′s, before the days of modern privacy laws and privacy policies, the Supreme Court applied this test to hold that, when people disclose telephone dialing information to the telephone company in the course of making calls or disclose financial data to banks in the course of writing checks, they lose all Constitutional privacy interest in that data because the telephone companies or the banks could redisclose the information to whomever they wanted.  

While CDT joins other consumer advocates in complaining that consumer privacy laws are still too weak, it is undeniable that there has been a revolution since the 1970′s in the way telephone companies, banks and other service providers handle customer data.  Today, no major company, online or off, claims the right to disclose customer data to whomever it wants.  Essentially every major online company has a “Privacy Policy,” promising to protect consumer data, at least to some degree.  (Under California law, California companies operating a commercial website must post a conspicuous privacy policy.)  And, contrary to the law in the 1970s when the Supreme Court decided its third party cases, it is now illegal in the view of the FTC, to violate a stated privacy assurance.  

The DOJ pretends that none of this has happened.  It relies on the third party doctrine as if there were still no limits on the ability of companies to disclose customer data whenever and to whomever they wanted.  Moreover, the Justice Department argues that the mere description in a privacy policy of the data collection practices of a company reduces consumers’ privacy rights to zero, even when the privacy policy makes promises to the contrary.

Other components of the federal government have recognized the shift in consumer expectations and have embraced it.  The Commerce Department, in its recent “Green Paper” on privacy, p. 18, noted that consumers do have an expectation of privacy with respect to information they disclose to businesses in the course of online transactions:

There is also evidence that consumers generallyand incorrectlybelieve that a company’s posting of a privacy policy sets categorical limits on the company’s sharing of personal information. It is reasonable to conclude that this misunderstanding of the law leads consumers to expect that commercial and non-commercial organizations will use their personal information with care and protect it from misuse.

Moreover, the Commerce Department made it clear, p. 15, that this subjective expectation (however wrongly premised) is one that society is prepared to honor as reasonable:

“This sense of consumer trustthe expectation that personal information that is collected will be used consistently with clearly stated purposes and protected from misuse — is fundamental to commercial activities on the Internet.”

Indeed, a major theme of both the DOC report and the recent FTC staff report on privacy is that corporate and public policy, rather than dismissing these expectations, should be developing ways to better align products and services, business practices and laws with them.  For example, the FTC report, in urging companies to adopt the practice of “Privacy by Design,” p. 51, noted that conscious attention to privacy at the design stage was desirable precisely because it would better align products and services with consumer expectations:
 

A more thorough privacy review before product launch  at the research and development stage  may have better aligned these products and services with consumer expectations and avoided public backlash.

There’s a separate question, which the Justice Department ignores in the Twitter case, and that is whether a privacy policy is binding upon a user, such that the user, by agreeing to the terms of service and accepting the details of the privacy policy, may have consented to the disclosure of his data to the government (or give the service provider the discretion to consent to disclosure).  This approach, however, would yield chaos for users, the government, the courts and service providers, for it would turn every privacy case into a contracts case and would hinge privacy expectations on interpretations of the specific language of privacy policies that vary from service to service and, with respect to particular services, from time to time. Written both to reassure customers and give companies maximum flexibility, the policies often send mixed signals.  The Twitter policy, for example, states on the one hand that “We do not disclose your private information except in the limited circumstances described here,” and on the other hand “We may disclose your information if we believe that it is reasonably necessary to comply with a law, regulation or legal request… .”

For these reasons, policymakers have already concluded outside the Fourth Amendment context that service provider agreements and privacy policies are not to be read as contracts for purposes of reducing consumer expectations of privacy.  Rather, as noted above, the Commerce Department accepts consumers’ misreading of privacy policies as a fact and is now supporting legislation to honor those expectations.  And the FTC has concluded, in the Sears case and others, that the privacy rights of an individual should not be defined by the strict language of a service agreement but by the overall net impression created by a company’s assurances.

The courts too have refused to allow terms of service, even if binding between users and service provider in other ways, to wipe out a privacy expectation as against the government.  In United States v. Heckenkamp, 482 F.3d 1142 (9th Cir. 2007), cited by the Twitters users in their brief, the court found that a university’s Internet monitoring policy was not sufficient to alter a student’s reasonable expectation of privacy in his use of his personal computer to access the university network.  And directly addressing the impact of commercial terms of service, the court in United States v. Warshak, 631 F.3d 266 (6th Cir. 2010) found that “the degree of access granted to [Warshak's email service provider] does not diminish the reasonableness of Warshak’s trust” in the privacy of his communications.  This approach parallels that taken in non-Internet cases, where courts have held, as Patricia Bellia points out, that one may retain an expectation of privacy against government inspection of the contents of a sealed package transported by common carrier, even though such carriers generally claim an unfettered right to inspect the packages they carry.

Legally Dubious

Not only is it legally dubious to interpret privacy policies as destroying the expectation of privacy, it’s also bad policy.  For many valid societal reasons, including reasons directly related to cybersecurity and online fraud, we want providers to make various uses of consumer data without those uses constituting a blanket surrender of privacy rights.

First, of course, much of the content and many of the most popular services online today are supported by advertising, which in turn is based on the analysis of data collected about users as they surf the Web.  It is highly desirable that Internet users have access to the free services that are supported by online advertising.  Advertising-supported Internet services contribute hundreds of billions of dollars to the American economy.  It is equally desirable, as both the Department of Commerce and the FTC recently reiterated, that this advertising-based system not result in a destruction of consumer privacy.  A determination, sought by the DOJ, that the use of information for advertising represents a total surrender of privacy would jeopardize the advertising-based business models that have driven the growth of online services over the past decade.

Moreover, terms of service often contain privacy exceptions for service provider actions that help prevent crime and enhance security interests that we surely want to promote without the total surrender of privacy against other types of disclosures or uses.  For example, many providers reserve the right in their terms of service to automatically scan traffic for spam email or malicious code and to filter out that information.  If the use of such services also opens communications up to government access, users might be less likely to acquiesce to those terms, or might gravitate towards services that do not monitor traffic for security and anti-fraud purposes.  If that were to happen, computer networks would be less secure and online crime might increase.   

For all these reasons, the DOJ is wrong to rely on terms of service or privacy policies to argue that Internet users have no reasonable expectation of privacy.

Read more at Center for Democracy and Technology – Blog