This weekend, we learned that the U.S. government last month demanded records associated with the Twitter accounts of several supporters of WikiLeaks—including American citizens and an elected member of Iceland’s parliament. As the New York Times observes, the only remarkable thing about the government’s request is that we’re learning about it, thanks to efforts by Twitter’s legal team to have the order unsealed. It seems a virtual certainty that companies like Facebook and Google have received similar demands.
Most news reports are misleadingly describing the order [PDF] as a “subpoena” when in actuality it’s a judicially-authorized order under 18 U.S.C §2703(d), colloquially known (to electronic surveillance geeks) as a “D-order.” Computer security researcher Chris Soghoian has a helpful rundown on the section and what it’s invocation entails, while those who really want to explore the legal labyrinth that is the Stored Communications Act should consult legal scholar Orin Kerr’s excellent 2004 paper on the topic.
As the Times argues in a news analysis today, this is one more reminder that our federal electronic surveillance laws, which date from 1986, are in dire need of an update. Most people assume their online communications enjoy the same Fourth Amendment protection as traditional dead-tree-based correspondence, but the statutory language allows the contents of “electronic communications” to be obtained using those D-orders if they’re older than 180 days or have already been “opened” by the recipient. Unlike traditional search warrants, which require investigators to establish “probable cause,” D-orders are issued on the mere basis of “specific facts” demonstrating that the information sought is “relevant” to a legitimate investigation. Fortunately, an appellate court has recently ruled that part of the law unconstitutional—making it clear that the Fourth Amendment does indeed apply to email… a mere 24 years after the original passage of the law.
The D-order disclosed this weekend does not appear to seek communications content—though some thorny questions might well arise if it had. (Do messages posted to a private or closed Twitter account get the same protection as e-mail?) But the various records and communications “metadata” demanded here can still be incredibly revealing. Unless the user is employing anonymizing technology—which, as Soghoian notes, is fairly likely when we’re talking about such tech-savvy targets—logs of IP addresses used to access a service like Twitter may help reveal the identity of the person posting to an anonymous account, as well as an approximate physical location. The government may also wish to analyze targets’ communication patterns in order to build a “social graph” of WikiLeaks supporters and identify new targets for investigation. (The use of a D-order, as opposed to even less restrictive mechanisms that can be used to obtain basic records, suggests they’re interested in who is talking to whom on the targeted services.) Given the degree of harassment to which known WikiLeaks supporters have been subject, easy access to such records also threatens to chill what the courts have called “expressive association.” But unlike traditional wiretaps, D-order requests for data aren’t even subject to mandatory reporting requirements—which means surveillance geeks may be confident this sort of thing is fairly routine, but the general public lacks any real sense of just how pervasive it is. Whatever your take on WikiLeaks, then, this rare peek behind the curtain is one more reminder that our digital privacy laws are long overdue for an upgrade.