Friday, November 11, 2011

Twitter's privacy policy and the Wikileaks case

Summary: The federal judge in the Wikileaks case cited in his order a version of Twitter's privacy policy from 2010, rather than the very different policy that existed when Appelbaum, Gonggrijp and Jonsdottir created their Twitter accounts back in 2008. That older policy actually promised users that Twitter would keep their data private unless they violated the company's terms of service. It is unclear how the judge managed to miss this important detail.

Earlier this week, a federal judge in Virginia handed down an order in the high-profile Twitter/Wikileaks case. That order has already been widely covered by the media, so I won't summarize it here.

In ruling that Appelbaum, Gonggrijp and Jonsdottir did not have a reasonable expectation of privacy in the IP addresses that Twitter had collected, the judge specifically highlighted the existence of statements about IP address collection in Twitter's privacy policy.

(from page 3 of the order)

The judge noted that Twitter reveals in its privacy policy that it collects "many types of usage information, including physical location, IP address, browser type, the referring domain ..." To support this claim, the judge cited the "Bringola declaration" (pdf), which is a collection of screenshots from Twitter's website produced by a paralegal working for Appelbaum's lawyer.

The privacy policy reproduced in the Bringola declaration and cited by the judge was effective as of November 16, 2010, and appears to have been the current privacy policy in March of 2011 when the paralegal made the screenshots. That privacy policy included the following "Log Data" section:

Our servers automatically record information ("Log Data") created by your use of the Services. Log Data may include information such as your IP address, browser type, the referring domain, pages visited, your mobile carrier, device and application IDs, and search terms. Other actions, such as interactions with our website, applications and advertisements, may also be included in Log Data. If we haven’t already deleted the Log Data earlier, we will either delete it or remove any common account identifiers, such as your username, full IP address, or email address, after 18 months.

There is a slight problem with relying on a privacy policy created on November 16, 2010 to decide the reasonable expectation of privacy of these three individuals: They created their Twitter accounts several years before the document was written.

According to the useful website, Appelbaum's Twitter account was created on February 23, 2008, Gonggrijp created his on September 26, 2008, and Jonsdottir created hers on November 14, 2008.

Thankfully, Twitter seems to archive all the old versions of their privacy policy. It would appear that all three individuals would have "agreed to" (ignoring the fact that none of them likely read the thing in the first place) Version 1 of the privacy policy, dated May 14, 2007. The "Log data" section of that policy reads as follows:

When you visit the Site, our servers automatically record information that your browser sends whenever you visit a website ("Log Data" ). This Log Data may include information such as your IP address, browser type or the domain from which you are visiting, the web-pages you visit, the search terms you use, and any advertisements on which you click. For most users accessing the Internet from an Internet service provider the IP address will be different every time you log on. We use Log Data to monitor the use of the Site and of our Service, and for the Site's technical administration. We do not associate your IP address with any other personally identifiable information to identify you personally, except in case of violation of the Terms of Service.

There are a few things worth noting here:

  1. The term "referring domain" appears in privacy policy cited by the judge in his court order, but not in Version 1 of the Twitter privacy policy. This strongly suggests that the judge is citing a newer version of the Twitter policy. The term appears to have been added in Version 2 of the privacy policy, dated November 18, 2009.
  2. In Version 1 of its policy, Twitter promised its users that it would not associate their IP addresses with any other personally identifiable information sufficient to identify them personally, unless they violated the Twitter terms of service. This pro-user sentence was removed in Version 2 of Twitter's privacy policy, one year later.
  3. The government has not alleged that any of the 3 individuals violated Twitter's terms of service. As such, it would appear that they could reasonably rely on Twitter's claims that it wouldn't associate their retained IP address information with their existing account records or any other personally identifiable information.

This is very interesting.

The old version of Twitter's policy that the three individuals "agreed" to also includes the following paragraph about updates to the document:

This Privacy Policy may be updated from time to time for any reason; each version will apply to information collected while it was in place. We will notify you of any material changes to our Privacy Policy by posting the new Privacy Policy on our Site. You are advised to consult this Privacy Policy regularly for any changes.

Note, Twitter didn't say that it would send out emails to users when it updated its privacy policy, instead, it advised users to revisit the site on a regular basis to see if the policy had changed. How this sentence passed the laugh test at Twitter's HQ, I do not know.

In subsequent edits to the policy, Twitter reworded this section, so that it now reads:

We may revise this Privacy Policy from time to time. The most current version of the policy will govern our use of your information and will always be at If we make a change to this policy that, in our sole discretion, is material, we will notify you via an @Twitter update or e-mail to the email associated with your account. By continuing to access or use the Services after those changes become effective, you agree to be bound by the revised Privacy Policy.

Got that? As of Version 2 of Twitter's privacy policy, merely by continuing to use Twitter, you agree to be bound by whatever the company adds to the policy. Oh, and it is up to the company to decide if the changes to the policy are important enough to justify telling users.

I know that I am not the first researcher to point out how stupid privacy policies are, or that no one reads them. Many others have done it, and done so far more eloquently than me. My goal in writing this blog post is simple: Not only is a federal judge ruling that 3 individuals have no reasonable expectation of privacy with regard to the government getting some of their Internet transaction data, but the judge isn't even citing the right version of a widely ignored privacy policy to do so. If the judge were to examine the privacy policy that existed when these three targets signed up for a Twitter account, he might decide that they do in fact have a reasonable expectation of privacy and that the government needs a warrant to get the data.


Jan Smith said...

hear hear...well said. It is time that 'big brother' was hauled in and made to stop bullying everyone.

Personally, I'm so sick of what's happening all around the world today and it all comes down to "those who have money fearing the loss of it"

Read this:

So who are these new dictators who make the TOS (or the terms of life ..TOL) we all must live by? Frankly, I'm finding the TOLL to be beyond my debt-riddden capabilities.

Anonymous said...

It's great to say all this. I want to note that you've done a bang-up job of putting everything in context and your in-depth review of the case.

One problem.

I have little doubt that even the correct policy and wording would have saved them. This case was never about what's right, it's about politics.

This case was doomed from the start.

gregory said...

the government insists on backdoors to every service there is .. all we need to comprehend

government has one purpose, to continue ... whatever fuels continuance, wins.

that it is a corporatocracy rather than an authoritarian government is just a difference in appearance

Ruby said...

Let me state first of all that I too think Privacy Policies and Terms of Service are a joke. Why companies think they have the right to change the terms of the contract between themselves and their users after the fact is beyond me. No other legally binding contract can be changed further down the road by one party in this manner. Practically every company does this too, and frequently without notifying users. I hope that one day soon this practice will be challenged in court.

However, to play devil's advocate, rightly or wrongly Twitter's updated Policy does state that if users continue to make use of Twitter's service, they have in fact agreed to the new contract. And Twitter has allowed itself the right to update its Privacy Policy "for any reason". Therefore does it really make a difference if the judge is now citing the latest Policy? By logging in and tweeting, users have tacitly agreed to be bound by the terms of the latest Privacy Policy.

I think there could be a case to withhold certain data from when the first Privacy Policy was in place (i.e. from whenever they signed up until 18th November, 2009), but after that, the terms of the second and third policies would apply. Unless it can be proven that companies do not have the right to arbitrarily change their Terms of Service without consent from users, I don't believe in this case that they can argue over judge's decision. Unfortunately.

Roukia ELBOUBRAHIMI said...

That widely passed the laugh test!
And yes the case was convicted since the outset.

cori said...

Ruby, doesn't it depend on what data's being used in the case? I'm not that familiar with the particulars, but if the case is relying on data submitted to Twitter before November 2009 wouldn't that be subject to v1 of the privacy policy?

Ruby said...

Cori, I'm not 100% sure what period the court was interested in either. I had assumed it would be from around the time Collateral Murder was released which was Spring 2010. However, they may well be interested in events prior to that, in which case, yes, I would have thought they have a case (though I am not a lawyer). I hope they appeal this awful decision.

Anonymous said...

I agree with Ruby. If the tweets at issue were posted following the posting of the Twitter policy relied upon by the Judge, then the Judge should not need to look back at the original policy. (A harder question might be presented if the tweeters had stopped using the service some time back: would the onus be on them to delete their tweets, or would the service continue to be bound by the TOS and policies in place at the time they withdrew their "consent from continuing use?")

@_Inteligencia said...

I haven't read all the entry, but I think that Twitter's Privacy Policy has a clause that says that the newest version revokes all the previous ones.

Brock said...

Chris - I don't think that any version of the TOS would have protected the user's privacy under the 4th Amendment. This is because the Third Party Doctrine renders anything shared with a "third party" discoverable. For a sympathetic overview, see - Orrin Kerr, The case for the Third Party Doctrine (
For a couple of reasons they also miss the statutory protections in ECPA (18 U.S.C. 2701 and following).
Not saying such information shouldn't be protected, just that the older TOC probably wouldn't have helped.

Steffen Glomb said...

Excellent posting!

For a while I have been wondering what status a Privacy Policy/ Notice as hin terms contractual agreement.

If it is part of a contract how can it be changed by one side? How can one agree to something like that?

Is there an aspect of competition law here as well? A social network is more or less dominating the market because of its user base, therefore can require you to agree such contracts?

Anonymous said...

Chris, thanks for all of your work on this, including the amicus. What happens next? Is there an appeal?