Internet Belatedly Notices How Much Spying Government Can Do Without a Warrant

I'm seeing a lot of technology news sites reporting,  in tones of shock and horror, on a recent court ruling holding that people generally waive their Fourth Amendment "expectation of privacy" in data collected on them by Internet sites, at least when the sites give some kind of notice (however buried in legalese) that they do collect that data.  That means, in this instance, that the government can obtain detailed connection records from Twitter about users associated with Wikileaks without a full-blown Fourth Amendment warrant based on probable cause: A subpoena or a court order based on a far weaker claim of "relevance" to an investigation will suffice.

But this isn't some shocking new precedent. It's been the status quo since 1986, when our increasingly outdated electronic privacy laws were written, and arguably for longer than that.

There are plenty of problems with this most recent decision, to be sure. For one, as security researcher Chris Soghoian notes, the court based its opinion on the current Twitter privacy policy, even though the policy in effect at the time the targets of the investigation signed up for the site was significantly more protective. In a way, though, this seems unnecessary: Under the misguided Supreme Court decisions that established our modern "third party doctrine," contractual promises of privacy don't matter.

In other words, users are held to "assume the risk" that any third party might turn their information over to the government, effectively waiving their Fourth Amendment rights over that data, even if the third party explicitly promises not to do this. The one reason the privacy policy might be relevant here is that the "third party doctrine" covers information knowingly conveyed to third parties, and while it's obvious that you "convey" a dialed phone number to the phone company when you make a call (for instance), it might not be as obvious that Web sites you visit are logging your Internet Protocol address.

Still, there's nothing fundamentally new here: The government routinely obtains "transactional" information or "metadata" (as opposed to the contents of communication) without bothering with a search warrant. Google received nearly 6,000 government requests for user data in January–June of this year (not counting national security requests, which the company is gagged from reporting), and most experts believe the volume of requests to Internet Service Providers like Comcast or Verizon is vastly higher.

But unlike wiretaps—which totaled just over 3,000 for all criminal investigations in 2010—there's no requirement that courts track and report aggregate numbers for such requests. That means a hugely more common form of government monitoring is effectively invisible. The only unusual thing about the demand for information from Twitter in the Wikileaks investigation is that the public has become aware of it.

A good first step toward a more sane policy—one that ought to be a no-brainer whatever one's position on the desirable level of online privacy—would be to require statistics on these user data requests to be compiled, just as they already are for wiretaps. Perhaps Americans will be comfortable with the current levels of government spying on Internet activities, and perhaps they'll demand change. Either way, though, citizens in a democracy surely have a right to be informed about the scope and scale of government spying on their digital activities—and the reactions to this court ruling make it obvious they aren't.