March 31, 2011 5:06PM

Contracts and ‘Reasonable Expectations of Privacy’

Chris Soghoian looks at a recent ruling related to the ongoing investigation of Wikileaks, in which a judge rejected a challenge from several users whose Twitter account information had been obtained by the government. Thanks to a shortsighted Supreme Court ruling from the 1970s, people are presumed to waive their "reasonable expectation of privacy" in data voluntarily conveyed to third parties, which means many types of sensitive records can routinely be obtained by the government without the need for a full-blown Fourth Amendment search warrant based on probable cause. In some cases, a mere subpoena, or even a government agency's certification that the records are "relevant" to an investigation, will suffice.

Recently, however, some courts have sought to rein in the scope of this "third party doctrine" on the grounds that the logic of the ruling that established it doesn't apply to many types of data generated and recorded in the modern technological context. So, for instance, the Third Circuit recently held that while some cell phone companies keep relatively detailed records of the locations of the phones they serve—information automatically generated when the phone is turned on and getting service—the "cell phone customer has not 'voluntarily' shared his location information with a cellular provider in any meaningful way" and, moreover, "it is unlikely that cell phone customers are aware that their cell phone providers collect and store historical location information." The targets of the government's request here—not a search warrant but a court order based on a showing of mere "relevance" to an investigation—argue that IP addresses logged by Twitter when users connect to the service should be treated in the same way.

The judge in the Wikileaks/Twitter case was unmoved by this sort of argument, observing that Twitter users signify via click that they "agree" to a lengthy series of terms of service, and that those terms include a link to a privacy policy, which indicates that such information may be stored. Many privacy advocates object that it is unreasonable to infer the waiver of constitutional rights from clickwrap agreement to legal boilerplate terms that, as studies consistently show, nobody actually reads. That's a fair enough point, but I'd like to point out a little asymmetry here.

Perhaps the most objectionable aspect of the original third-party doctrine rulings was that they refused to take any account of the context of disclosure to that third party—including explicit promises of confidentiality:

This Court has held repeatedly that the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed.

Drawing on precedent from cases involving criminals who disclosed their plans to government informants, the Court essentially held that people "assume the risk" that sensitive records conveyed to financial institutions or phone companies will be revealed to the government, even if those companies secure the trust of customers only by explicitly promising to safeguard the confidentiality of that data. There's no sign of this "assumption of risk" doctrine in the recent FTC settlement with Google over the ill-conceived launch of the search giant's "Buzz" service, I note. In that context, everyone—including Google!—seems to agree that when a company promises not to share your data in certain ways, people are entitled to form the perfectly reasonable expectation that they won't do so! But the Supreme Court thought this was irrelevant: Once the data is knowingly shared, no reasonable expectation, and no Fourth Amendment protection.

But if promises of confidentiality aren't enough to retain your Fourth Amendment "reasonable expectation of privacy," a company's privacy policy is a perfectly adequate basis for surrendering your constitutional rights, regardless of whether or not the overwhelming majority of Internet users ever read the policies that are supposed to be the grounds for their "reasonable expectation."

Does this seem backwards to anyone else? When there's a disconnect between what most ordinary people actually expect in practice—and it seems like as an almost definitional matter, an expectation actually shared by huge majorities of people has to be regarded as "reasonable" in most circumstances—you'd think one would, by default, lean against the assumption that a constitutional right has been waived. The standard we've evolved now seems to make just the opposite assumption. If the stated policy of a company would cut against your expectation of privacy, then it counts in the Fourth Amendment analysis, even if the evidence suggests people don't actually read the policy or form their expectations on that basis. When the company policy might seem to create an expectation of privacy—even in cases where it seems plausible that people do rely on such representations in deciding whether to use a service—it doesn't count, because you "assume the risk" your trust will be betrayed. It looks an awful lot like the only expectation that genuinely counts here is the government's expectation that it can get most kinds of information without a warrant. Unfortunately, that expectation looks pretty "reasonable" under current law.