Privacy Policies Don't Trump Expectation of Privacy
Federal prosecutors recently filed a new brief in the litigation over access to Twitter records concerning three people who provided assistance to the WikiLeaks project. Most notably, the Justice Department wants Twitter to disclose the IP addresses from which the WikiLeaks volunteers accessed Twitter. In its new brief, the DOJ argues that there is no Fourth Amendment privacy interest in IP addresses transmitted to a destination website, such as Twitter.
If the test for privacy is "reasonable expectation," one has to conclude that most users--whether they read privacy policies or not--reasonably expect that technical data collected as part of the process of using Internet services will be protected against indiscriminate disclosure to the government.
DOJ Claim Makes Little Legal Sense
The debate in the Twitter case turns on the Supreme Court's definition of what the Fourth Amendment protects. Under the Court's two-part test, articulated in 1967, the Fourth Amendment applies when, first, a person has exhibited an actual (subjective) expectation of privacy and, second, that expectation is one that society is (objectively) prepared to recognize as "reasonable."
Back in the late 1970's, before the days of modern privacy laws and privacy policies, the Supreme Court applied this test to hold that, when people disclose telephone dialing information to the telephone company in the course of making calls or disclose financial data to banks in the course of writing checks, they lose all Constitutional privacy interest in that data because the telephone companies or the banks could redisclose the information to whomever they wanted.
Other components of the federal government have recognized the shift in consumer expectations and have embraced it. The Commerce Department, in its recent "Green Paper" on privacy, p. 18, noted that consumers do have an expectation of privacy with respect to information they disclose to businesses in the course of online transactions:
Moreover, the Commerce Department made it clear, p. 15, that this subjective expectation (however wrongly premised) is one that society is prepared to honor as reasonable:
"This sense of consumer trust—the expectation that personal information that is collected will be used consistently with clearly stated purposes and protected from misuse is fundamental to commercial activities on the Internet."
Indeed, a major theme of both the DOC report and the recent FTC staff report on privacy is that corporate and public policy, rather than dismissing these expectations, should be developing ways to better align products and services, business practices and laws with them. For example, the FTC report, in urging companies to adopt the practice of "Privacy by Design," p. 51, noted that conscious attention to privacy at the design stage was desirable precisely because it would better align products and services with consumer expectations:
"A more thorough privacy review before product launch at the research and development stage may have better aligned these products and services with consumer expectations and avoided public backlash."
For these reasons, policymakers have already concluded outside the Fourth Amendment context that service provider agreements and privacy policies are not to be read as contracts for purposes of reducing consumer expectations of privacy. Rather, as noted above, the Commerce Department accepts consumers' misreading of privacy policies as a fact and is now supporting legislation to honor those expectations. And the FTC has concluded, in the Sears case and others, that the privacy rights of an individual should not be defined by the strict language of a service agreement but by the overall net impression created by a company's assurances.
The courts too have refused to allow terms of service, even if binding between users and service provider in other ways, to wipe out a privacy expectation as against the government. In United States v. Heckenkamp, 482 F.3d 1142 (9th Cir. 2007), cited by the Twitters users in their brief, the court found that a university's Internet monitoring policy was not sufficient to alter a student's reasonable expectation of privacy in his use of his personal computer to access the university network. And directly addressing the impact of commercial terms of service, the court in United States v. Warshak, 631 F.3d 266 (6th Cir. 2010) found that "the degree of access granted to [Warshak's email service provider] does not diminish the reasonableness of Warshak's trust" in the privacy of his communications. This approach parallels that taken in non-Internet cases, where courts have held, as Patricia Bellia points out, that one may retain an expectation of privacy against government inspection of the contents of a sealed package transported by common carrier, even though such carriers generally claim an unfettered right to inspect the packages they carry.
DOJ Approach Undermines Other Policies
Not only is it legally dubious to interpret privacy policies as destroying the expectation of privacy, it's also bad policy. For many valid societal reasons, including reasons directly related to cybersecurity and online fraud, we want providers to make various uses of consumer data without those uses constituting a blanket surrender of privacy rights.
First, of course, much of the content and many of the most popular services online today are supported by advertising, which in turn is based on the analysis of data collected about users as they surf the Web. It is highly desirable that Internet users have access to the free services that are supported by online advertising. Advertising-supported Internet services contribute hundreds of billions of dollars to the American economy. It is equally desirable, as both the Department of Commerce and the FTC recently reiterated, that this advertising-based system not result in a destruction of consumer privacy. A determination, sought by the DOJ, that the use of information for advertising represents a total surrender of privacy would jeopardize the advertising-based business models that have driven the growth of online services over the past decade.
Moreover, terms of service often contain privacy exceptions for service provider actions that help prevent crime and enhance security interests that we surely want to promote without the total surrender of privacy against other types of disclosures or uses. For example, many providers reserve the right in their terms of service to automatically scan traffic for spam email or malicious code and to filter out that information. If the use of such services also opens communications up to government access, users might be less likely to acquiesce to those terms, or might gravitate towards services that do not monitor traffic for security and anti-fraud purposes. If that were to happen, computer networks would be less secure and online crime might increase.
For all these reasons, the DOJ is wrong to rely on terms of service or privacy policies to argue that Internet users have no reasonable expectation of privacy.