The three individuals who objected to having their Twitter account records obtained by the government (referred to in the order as the petitioners) raised an interesting 4th amendment claim regarding their IP address information. Building on recent developments in the area of location privacy (where the 3rd circuit ruled that consumers do not knowingly transmit their location information to phone companies, because they generally don't understand the technical details of how phones work), the individuals here claimed that they didn't realize that they were conveying their IP addresses to Twitter, and thus maintained a privacy interest in this information.
In an attempt to distinguish the reasoning of Smith v. Maryland and Bynum, petitioners content that Twitter users do not directly, visibly, or knowingly convey their IP addresses to the website, and thus maintain a legitimate privacy interest. This is inaccurate. Before creating a Twitter account, readers are notified that IP addresses are among the kinds of "Log Data" that Twitter collects, transfers and manipulates. See Warshak, 2010 recognizing that internet service provider's notice of intent to monitor subscribers' emails diminishes expectation of privacy). Thus, because petitioners voluntarily conveyed their IP addresses to Twitter as a condition of use, they have no legitimate Fourth Amendment privacy interest.A footnote below the paragraph states further that:
The facts here are quite a bit different than the Vanderhye v. iParadigms case that the judge cites. I will leave it to legal scholars to pick apart and analyze those differences. Instead, I want to highlight the Twitter sign up process, and then a few other facts which make it clear that it is absolutely insane to assume that consumers have read privacy policies, when all available evidence (and statements by several senior government officials) suggests the opposite.
When you sign up for a Twitter account, you are shown a copy of the 200-line Terms of Service, in a text-box which displays 5 lines of text at a time. Users are not required to scroll to the bottom, or click a checkbox acknowledging that they have read the terms. Instead, right above the clickable "Create My Account" button, there is the following line of text:
Log Data: Our servers automatically record information ("Log Data") created by your use of the Services. Log Data may include information such as your IP address, browser type, the referring domain, pages visited, and search terms. Other actions, such as interactions with advertisements, may also be included in Log Data.Although the judge states in her order that "[b]efore creating a Twitter account, readers are notified that IP addresses are among the kinds of 'Log Data' that Twitter collects, transfers and manipulates," that isn't entirely true.
The FTC and Supreme Court discuss privacy policies
In introductory remarks at a privacy roundtable in December 2009, Federal Trade Commission Chairman Leibowitz told those assembled in the room that:
We all agree that consumers don’t read privacy policies – or EULAs, for that matter.Similarly, in a August 2009 interview, David Vladeck, the head of the FTC's Bureau of Consumer Protection told the New York Times that:
Disclosures are now written by lawyers, they’re 17 pages long. I don’t think they’re written principally to communicate information; they’re written defensively. I’m a lawyer, I’ve been practicing law for 33 years. I can’t figure out what the hell these consents mean anymore. And I don’t believe that most consumers either read them, or, if they read them, really understand it. Second of all, consent in the face of these kinds of quote disclosures, I’m not sure that consent really reflects a volitional, knowing act.Even the Chief Justice of the US Supreme Court has weighed in the issue, albeit only in a speech before students in Buffalo, NY last year. Answering a student question, Roberts admitted he doesn’t usually read the terms of service or privacy polices, according to the Associated Press:
It has "the smallest type you can imagine and you unfold it like a map," he said. "It is a problem," he added, "because the legal system obviously is to blame for that." Providing too much information defeats the purpose of disclosure, since no one reads it, he said. "What the answer is," he said, "I don’t know."
Academic research on privacy policies
Among 222 study participants of the 2007 Golden Bear Omnibus Survey, the Samuelson Clinic found that only 1.4% reported reading EULAs often and thoroughly, 66.2% admit to rarely reading or browsing the contents of EULAs, and 7.7% indicated that they have not noticed these agreements in the past or have never read them.
Similarly, a survey of more than 2000 people by Harris Interactive in 2001 found that more than 60 percent of consumers said they had either "spent little or no time looking at websites' privacy policies" or "glanced through websites' privacy policies, but . . . rarely read them in depth." Of those individuals surveyed, only 3 percent said that "most of the time, I carefully read the privacy policies of the websites I visit."
Even if consumers were interested in reading privacy policies -- doing so would likely consume a significant amount of their time. A research team at Carnegie Mellon University calculated the time to read the privacy policies of the sites used by the average consumer, and determined that:
[R]eading privacy policies carry costs in time of approximately 201 hours a year, worth about $2,949 annually per American Internet user. Nationally, if Americans were to read online privacy policies word–for–word, we estimate the value of time lost as about $652 billion annually.Finally, even if consumers took the time to try and read privacy policies, it is quite likely that many would not be capable of understanding them. In 2004, a team of researchers analyzed the content of 64 popular website's privacy policies, and calculated the reading comprehension skills that a reader would need to understand them. Their research revealed that:
Of the 64 policies examined, only four (6%) were accessible to the 28.3% of the Internet population with less than or equal to a high school education. Thirty-five policies (54%) were beyond the grasp of 56.6% of the Internet population, requiring the equivalent of more than fourteen years of education. Eight policies (13%) were beyond the grasp of 85.4% of the Internet population, requiring the equivalent of a postgraduate education. Overall, a large segment of the population can only reasonably be expected to understand a small fragment of the policies posted.Conclusion
I don't know the caselaw well enough to say if the judge was correct in stating that clickwraps that link to privacy policies are binding. However, even if there is caselaw supporting this decision, it is in no way supported by evidence of actual consumer behavior, or common sense. If the Chief Justice of the Supreme Court doesn't read privacy policies, how can we expect this of regular consumers?
Privacy policies are rarely ever policies in the sense of an offer to the user to make an agreement. They're simply legal disclaimers that mean something like, "we have no responsibility to protect your personal information, nor any other sort of obligation to you," which are meant to be pulled out in precisely this kind of legal context. Reasonable expectations of privacy should not be based on this cowardly defensive lawyering.
The lawyers turn out drivel which is literally incomprehensible -- even to themselves. This generates enormous, fee-producing lawsuits. Now that's something every lawyer can understand.
I am curious to know whether
1. the judge has a Twitter account
2. Whether she read the ToS and PP.
Privacy harms are so rare relative to instances of information being shared that users have little incentive to read privacy policies, and websites have little incentive to standardize or otherwise improve upon them. Media coverage of the Twitter subpoenas and of similar threats to privacy is precisely what's needed if privacy arrangements are to evolve.
I don't disagree at all with Chris's analysis of whether consumers read privacy policies. However, I don't see how we can decide cases based on the actual knowledge of individual users. So either we assume they accepted the website's stated rules or we find another set of rules elsewhere.
If there isn't an applicable statute, then we find rules....where? Wish I had a better idea....
Post a Comment