Friday, March 11, 2011

Federal judge in Twitter/Wikileaks case rules that consumers read privacy policies

Earlier this afternoon, a federal magistrate judge issued an order in the much-hyped Twitter/Wikileaks case. While I will leave it to others in the media to analyze the order and its impact, I do want to focus on one specific issue.

The three individuals who objected to having their Twitter account records obtained by the government (referred to in the order as the petitioners) raised an interesting 4th amendment claim regarding their IP address information. Building on recent developments in the area of location privacy (where the 3rd circuit ruled that consumers do not knowingly transmit their location information to phone companies, because they generally don't understand the technical details of how phones work), the individuals here claimed that they didn't realize that they were conveying their IP addresses to Twitter, and thus maintained a privacy interest in this information.

The judge didn't buy this argument at all -- but rather than focusing on the fact that two of the individuals are skilled security experts who obviously understand how IP addresses work, she instead based her decision on Twitter's privacy policy. From page 13 of her order:
In an attempt to distinguish the reasoning of Smith v. Maryland and Bynum, petitioners contend that Twitter users do not directly, visibly, or knowingly convey their IP addresses to the website, and thus maintain a legitimate privacy interest. This is inaccurate. Before creating a Twitter account, readers are notified that IP addresses are among the kinds of "Log Data" that Twitter collects, transfers and manipulates. See Warshak, 2010 (recognizing that internet service provider's notice of intent to monitor subscribers' emails diminishes expectation of privacy). Thus, because petitioners voluntarily conveyed their IP addresses to Twitter as a condition of use, they have no legitimate Fourth Amendment privacy interest.
A footnote below the paragraph states further that:
At the hearing, petitioners suggested that they did not read or understand Twitter's Privacy Policy, such that any conveyance of IP addresses to Twitter was involuntary. This is unpersuasive. Internet users are bound by the terms of click-through agreements made online. A.V. ex rel. Vanderhye v. iParadigms, LLC, 544 F.Supp.2d 473,480 (E.D. Va. 2008) (finding a valid "clickwrap" contract where users clicked "I Agree" to acknowledge their acceptance of the terms) (aff'd A.V. ex rel v. iParadigms, LLC, F.3d 630,645 n.8 (4th Cir. 2009). By clicking on "create my account", petitioners consented to Twitter's terms of use in a binding "clickwrap" agreement to turn over to Twitter their IP addresses and more.

Twitter's privacy policy

The facts here are quite a bit different than the Vanderhye v. iParadigms case that the judge cites. I will leave it to legal scholars to pick apart and analyze those differences. Instead, I want to highlight the Twitter sign up process, and then a few other facts which make it clear that it is absolutely insane to assume that consumers have read privacy policies, when all available evidence (and statements by several senior government officials) suggests the opposite.

When you sign up for a Twitter account, you are shown a copy of the 200-line Terms of Service, in a text-box which displays 5 lines of text at a time. Users are not required to scroll to the bottom, or click a checkbox acknowledging that they have read the terms. Instead, right above the clickable "Create My Account" button, there is the following line of text:
By clicking on "Create my account" below, you are agreeing to the Terms of Service above and the Privacy Policy.
The Twitter terms of service do not actually include any mention of IP addresses. Instead, it is Twitter's privacy policy that includes the following section of text in its sixth paragraph:
Log Data: Our servers automatically record information ("Log Data") created by your use of the Services. Log Data may include information such as your IP address, browser type, the referring domain, pages visited, and search terms. Other actions, such as interactions with advertisements, may also be included in Log Data.
Although the judge states in her order that "[b]efore creating a Twitter account, readers are notified that IP addresses are among the kinds of 'Log Data' that Twitter collects, transfers and manipulates," that isn't entirely true.

It would be far more accurate to say that before creating a Twitter account, users are presented a link to a privacy policy, which includes a statement six paragraphs down about IP address collection. Users are further told that, by clicking on a button to create the account, they acknowledge that they read the linked privacy policy, although Twitter does not actually take any steps to make sure that users clicked on the link or scrolled through the content on that page.

Of course, it wouldn't really matter if Twitter forced people to click on the privacy policy, or scroll through the page, because everyone knows that consumers won't actually read through the text.

The FTC and Supreme Court discuss privacy policies

In introductory remarks at a privacy roundtable in December 2009, Federal Trade Commission Chairman Leibowitz told those assembled in the room that:
We all agree that consumers don’t read privacy policies – or EULAs, for that matter.
Similarly, in an August 2009 interview, David Vladeck, the head of the FTC's Bureau of Consumer Protection, told the New York Times that:
Disclosures are now written by lawyers, they’re 17 pages long. I don’t think they’re written principally to communicate information; they’re written defensively. I’m a lawyer, I’ve been practicing law for 33 years. I can’t figure out what the hell these consents mean anymore. And I don’t believe that most consumers either read them, or, if they read them, really understand it. Second of all, consent in the face of these kinds of quote disclosures, I’m not sure that consent really reflects a volitional, knowing act.
Even the Chief Justice of the US Supreme Court has weighed in on the issue, albeit only in a speech before students in Buffalo, NY last year. Answering a student question, Roberts admitted he doesn’t usually read the terms of service or privacy policies, according to the Associated Press:
It has "the smallest type you can imagine and you unfold it like a map," he said. "It is a problem," he added, "because the legal system obviously is to blame for that." Providing too much information defeats the purpose of disclosure, since no one reads it, he said. "What the answer is," he said, "I don’t know."

Academic research on privacy policies

Among 222 study participants of the 2007 Golden Bear Omnibus Survey, the Samuelson Clinic found that only 1.4% reported reading EULAs often and thoroughly, 66.2% admit to rarely reading or browsing the contents of EULAs, and 7.7% indicated that they have not noticed these agreements in the past or have never read them.

Similarly, a survey of more than 2000 people by Harris Interactive in 2001 found that more than 60 percent of consumers said they had either "spent little or no time looking at websites' privacy policies" or "glanced through websites' privacy policies, but . . . rarely read them in depth." Of those individuals surveyed, only 3 percent said that "most of the time, I carefully read the privacy policies of the websites I visit."

However, while the vast majority of consumers don't read privacy policies, some do seem to notice the presence of a privacy policy on a company's website. Unfortunately, most Americans incorrectly believe that the phrase privacy policy signifies that their information will be kept private. A 2003 survey by Annenberg found that 57% of 1,200 adults who were using the internet at home agreed or agreed strongly with the statement "When a web site has a privacy policy, I know that the site will not share my information with other websites or companies." In the 2005 survey, questioners asked 1,200 people whether that same statement is true or false. 59% answered it is true.

Even if consumers were interested in reading privacy policies, doing so would likely consume a significant amount of their time. A research team at Carnegie Mellon University calculated the time to read the privacy policies of the sites used by the average consumer, and determined that:
[R]eading privacy policies carry costs in time of approximately 201 hours a year, worth about $2,949 annually per American Internet user. Nationally, if Americans were to read online privacy policies word–for–word, we estimate the value of time lost as about $652 billion annually.
Finally, even if consumers took the time to try and read privacy policies, it is quite likely that many would not be capable of understanding them. In 2004, a team of researchers analyzed the content of 64 popular websites' privacy policies, and calculated the reading comprehension skills that a reader would need to understand them. Their research revealed that:
Of the 64 policies examined, only four (6%) were accessible to the 28.3% of the Internet population with less than or equal to a high school education. Thirty-five policies (54%) were beyond the grasp of 56.6% of the Internet population, requiring the equivalent of more than fourteen years of education. Eight policies (13%) were beyond the grasp of 85.4% of the Internet population, requiring the equivalent of a postgraduate education. Overall, a large segment of the population can only reasonably be expected to understand a small fragment of the policies posted.

I don't know the caselaw well enough to say if the judge was correct in stating that clickwraps that link to privacy policies are binding. However, even if there is caselaw supporting this decision, it is in no way supported by evidence of actual consumer behavior, or common sense. If the Chief Justice of the Supreme Court doesn't read privacy policies, how can we expect this of regular consumers?


Avery said...

Privacy policies are rarely ever policies in the sense of an offer to the user to make an agreement. They're simply legal disclaimers that mean something like, "we have no responsibility to protect your personal information, nor any other sort of obligation to you," which are meant to be pulled out in precisely this kind of legal context. Reasonable expectations of privacy should not be based on this cowardly defensive lawyering.

Anonymous said...

The lawyers turn out drivel which is literally incomprehensible -- even to themselves. This generates enormous, fee-producing lawsuits. Now that's something every lawyer can understand.

Anonymous said...

I am curious to know whether
1. the judge has a Twitter account
2. Whether she read the ToS and PP.

Ryan Radia said...

Privacy harms are so rare relative to instances of information being shared that users have little incentive to read privacy policies, and websites have little incentive to standardize or otherwise improve upon them. Media coverage of the Twitter subpoenas and of similar threats to privacy is precisely what's needed if privacy arrangements are to evolve.

Anonymous said...

Chris wrote: The judge didn't buy this argument at all -- but rather than focusing on the fact that two of the individuals are skilled security experts who obviously understand how IP addresses work, she instead based her decision on Twitter's privacy policy.

I don't disagree at all with Chris's analysis of whether consumers read privacy policies. However, I don't see how we can decide cases based on the actual knowledge of individual users. So either we assume they accepted the website's stated rules or we find another set of rules elsewhere.

If there isn't an applicable statute, then we find rules....where? Wish I had a better idea....