Communications privacy law is exceedingly complex, and unfortunately, none of the legal experts who actually specialize in this area (people like Orin Kerr, Paul Ohm, Jennifer Granick and Kevin Bankston) have yet to chime in with their thoughts. As such, many commentators and journalists are completely botching their analysis of this interesting event. While I'm not a lawyer, the topic of government requests to Internet companies is the focus of my dissertation, so I'm going to try to provide a bit of useful analysis. However, as always, I'm not a lawyer, so take this with a grain of salt.
A quick introduction to the law
On December 14, An Attorney in the US the Department of Justice obtained a court order compelling Twitter to reveal records associated with several of its users. The order, issued under 18 USC 2703(d) is not a subpoena (even though the AP, New York Times, Salon and many other outlets have reported that it is). Subpoenas are essentially letters written by law enforcement officers, on official agency letterhead, and have not been reviewed or signed by a judge. The 2703(d) order in question was issued by a magistrate judge.
Per the statute, a judge isn't supposed to issue a 2703(d) order unless the government "offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation". We don't know what these facts are though -- as it doesn't look as though the government's original request to the court has been made public. (It isn't clear if those records themselves remain sealed. I tried to find the case in PACER, and couldn't locate it, so this will have to wait until Monday, when someone can call up the Clerk's office to ask for the documents).
"d" orders can be used to obtain customer records (name, address, credit card info, IP addresses used to connect to the service), non-content data associated with individual communications (to/from and timestamps from emails, etc). They can also be used to obtain any saved, outbound communications (such as the "sent" mail folder), all communications that are more than 180 days old, as well as those that have been opened and viewed at least once (except in the 9th circuit). If the government wants access to unread messages that are 180 days old or newer, it must seek a rule 41 court order, which requires a showing of probable cause.
The order to twitter
The government's wikileaks "d" order, as the statute permits, requests the customer subscriber info associated with the account (essentially copying this language in full from the statute).
It is the second part of the order that is more interesting. Again, as the statute allows, the government is requesting non-content information associated with individual communications. What the government appears to be seeking in part 2 is the metadata associated with every Twitter communication to and from the users named in the order. What this means is up to debate. It could mean the name and timestamp of every user who has sent or received a private message to one of the named individuals. It might also mean the list of individuals who have publicly communicated, or mentioned the named individual, or who have been named in a tweet by those persons. It might even include a list of followers, although this information is public already, so it is unclear why the government would seek it through a court order.
The statute (and caselaw) permits the government to use a "d" order to get access to communications older than 180 days, those that have been read at least once (outside the 9th circuit), and saved outgoing messages. What isn't so clear to me though, is if the government has requested this information from Twitter or not when it asks for "correspondence and notes of records related to the accounts".
My initial impression is that this is not a request for communications content, but communications between the user and twitter itself (for example, customer service inquiries). However, I'm not really sure about this though... so I'll wait for the real experts to weigh in on this bit.
Reading between the lines
With that discussion of the law out of the way, lets get to the fun part: Speculation. Based on this order, and the events that followed, there are some interesting observations to be made.
1. Amateur Hour. The 2703(d) order misspelled the names of one of the targets, Rop Gonggrijp. It also requested credit card and bank account numbers of several Twitter users, even though Twitter is a free service and so doesn't have such information (presumably someone at DOJ knows a little about Twitter, since the agency has 350,000 followers of its official Twitter account).
The Department of Justice prosecutor named in the order, Tracy Doherty-McCormick, was prosecuting online child exploitation cases just five months before the Twitter order was issued. Given that the wikileaks investigation is the most high-profile national security investigation of the decade, and that the court order seeks records associated with an Icelandic member of parliament, you would think that DOJ would assign this case to someone more senior.
From my own experience, outside of the Computer Crime & Intellectual Property Section (CCIPS) and the National Security Division, most DOJ attorneys know very little about technology. As such, it may simply be that Doherty-McCormick, through her experience in prosecuting pedophiles caught in online stings, may be the most tech savvy prosecutor in her office, and thus could have been brought in to help with the investigation on that basis alone.
However, the technical knowledge involved in tricking a pedophile into meeting what he believes is a 13 year old girl isn't quite the same as is required by someone investigating a sophisticated organization run by skilled computer security researchers. Presumably, Doherty-McCormick is in regular communication with tech-savvy attorneys from CCIPS, who are likely assisting in this matter.
2. Three of the individuals named in the order, Jacob Appelbaum, Rop Gonggrijp, and Julian Assange are computer security experts - Appelbaum has worked with the Tor project, and has co-authored some pretty awesome encryption research, Assange co-authored a deniable encrypted filesystem, and Rop has worked for several years to create mobile phone encryption software. All three likely use strong encryption to store and transmit sensitive communications and use Tor to mask their IP addresses. As such, I'm not really sure what DOJ hopes to gain by asking Twitter for this data -- as it is doubtful that these individuals have entrusted Twitter with anything private.
3. Why the "d" order? For a case this high profile, it is quite shocking that the government is using a "d" order to try and gather information. At least for Assange and Manning, surely there is sufficient evidence already to demonstrate probable cause, and get a rule 41 warrant, which could be used to get full communications content and prospective location information? What is even more surprising though, is that criminal statutes are being used, and not foreign intelligence laws. To be perfectly frank, I would have bet money that DOJ had already obtained a FISA order to monitor Assange and any of his associates. I really don't know what to make of this.
4. Twitter. The bigger story here, IMHO, far more interesting than the government request for wikileaks related info, is the fact that Twitter has gone out of its way to fight for its users' privacy. The company went to court, and was successful in asking the judge to unseal the order (something it is not required to do), and then promptly notified its users, so that they could seek to quash the order. Twitter could have quite easily complied with the order, and would have had zero legal liability for doing so. In fact, many other Internet companies routinely hand over their users' data in response to government requests, and never take steps to either have the orders unsealed, or give their users notice and thus an opportunity to fight the order.
Alex Macgillivray, Twitter's general counsel is clearly behind this strong, pro-privacy move. Macgillivray was one of the first law students at Harvard's Berkman Center. Until he moved to Twitter, he worked on copyright and privacy issues at Google, where, he played a major role in getting the company to contribute takedown requests to chillingeffects.org. Not surprisingly, Twitter recently started sending copies of takedowns to chillingeffects too.
It is wonderful to see companies taking a strong stance, and fighting for their users' privacy. I am sure that this will pay long term PR dividends to Twitter, and is a refreshing change, compared to the actions by some other major telecommunications and internet application providers, who often bend over backwards to help law enforcement agencies. Simply put, the contrast between Amazon, Paypal (owned by eBay) and Twitter couldn't be clearer.
As one further example of this difference, consider Twitter's actions here in contrast with comments from eBay's director of compliance a few years back:
We do not require a subpoena except for very limited circumstances. We require a subpoena when we need the financial information from the site, credit card info or sometimes IP information.
5. Did the government seek the contents of private messages? As I wrote above, it's not clear if the government sought the content of private messages. Had they sought such information, I would have expected them to be clearer in describing that information. However, based on Twitter's actions in getting the court to unseal the 2703(d) order, had the government sought communications content, I would fully expect to see the company to fight that order, on 4th amendment grounds.
My guess is that the government opted to not ask for such information, purely as a strategic matter, as it probably feared that Twitter would lawyer up, refuse to disclose any communications content, and seek to have that part of 18 USC 2703 ruled unconstitutional. Over the past year or so, several courts have taken a dim view of the government's practice of obtaining various forms of private data without probable cause warrants. A 2703(d) request for content from Twitter would be an ideal opportunity for courts to examine this issue, and would likely have been very risky for the government.
What comes next
This case is extremely high profile -- it involves data privacy; Twitter, arguably the hottest communications service a hot communications tool; wikileaks; and a member of the Icelandic parliament. I fully expect this to go to court, and for absolutely everyone to try and get involved in this case -- privacy groups, communications providers, and perhaps even the Icelandic government will all likely file amicus briefs.
As a privacy advocate and researcher, I can't wait to see this situation develop.