The Twitter-Wikileaks Decision: How the Corporate Model of Internet Privacy Serves the National Security State
Social media users of the world take note: according to a U.S. District Court‘s decision in the Twitter-Wikileaks case (November 9, 2011), you have no right to expect privacy online. The immediate result of the decision is that Twitter must hand over a substantial body of personal data for three of its users to the U.S. Department of Justice in relation to the latter’s ongoing Wikileaks investigation: Icelandic MP and Collateral Murder video co-producer, Birgitta Jonsdottir, Wikileak’s volunteer Jacob Appelbaum and Dutch hacker Rop Gongrijp.
The information sought is as expansive as it is intimate: subscriber registration pages, connection records, length of service, Internet device identification number, and more (see pp. 7-8). It’s reach is global, as is the opposition mounting against the the so-called Twitter Order. Besides putting fuel in the belly of hactivist groups such as Anonymous and LulzSec, the U.S. government’s efforts to shake-down Wikileaks has been condemned by Iceland, 85 members of a European parliamentary group and the Inter-Parliamentary Union.
The latter was especially sharp, stating that it “failed to see” how the Twitter Order could be squared with Article 19 of the Universal Declaration of Human Rights. It also worried aloud about the emergence of a “national and international legal framework concerning the use of . . . social media . . . [that] does not appear to provide sufficient guarantees to ensure respect for freedom of expression, access to information and the right to privacy”.
The case began last December 2010 when the U.S. Department of Justice obtained a court order requiring Twitter to turn over a slew of user account information for a list of people that were of interest in the ongoing Wikileaks investigation. To its credit, Twitter refused to do so without notifying the people targeted first and mounted a serious legal challenge to the ‘gag’ order (see the story by Declan McCullagh of CNET here).
Hope was dashed and important communication rights rolled back last week when a District Court in Eastern Virginia declared that Jonsdottir, Appelbaum and Gongrijp forfeited their right to privacy when they clicked to accept Twitter’s terms of service policy. As the court argued, by clicking on Twitter’s terms of service policy, they “voluntarily relinquished any reasonable expectation of privacy” (p. 28).
For good measure, the decision also curbed Jonsdottir, Appelbaum and Gongrijp’s First Amendment rights claims as well, declaring that they have no right to know if the DOJ has also approached Facebook, Google or any other Internet companies with similar requests and, if so, just what kinds of information about their lives online had been turned over (see p. 52). The case is also about the network free press too because Twitter has become an integral part of journalistic routines, and Josdottir is undoubtedly worthy of as much free speech as can be mustered, given her status as a video producer, MP and advocate of turning Iceland into a ‘digital media, free speech haven’.
The decision’s outstanding feature is the way in which it makes privacy rights a creature of social media companies’ business models rather than a function of constitutional values, law or social norms. Making Internet corporations’ business models the standard of online privacy, however, is outlandish because Twitter, Facebook and Google’s terms of service policies are all about maximizing the collection, use and commodification of personal data, not privacy.
The Twitter-Wikileaks decision is remarkably candid in its view that the standard of privacy on the Internet that we should expect is whatever Internet companies’ terms of service policies say it is. Social media users, according to the court, would have to be woefully naive to expect that privacy is a priority value for advertising-driven online media, given that almost the entire business model of major Internet companies is about collecting and selling as much information about audiences as possible.
Such a view reduces privacy to the logic of corporate business models and market transactions. Worse, by turning privacy into the plaything of corporate business models, the court essentially turned commercial Internet companies such as Twitter, Facebook and Google into the handmaidens of the national security state.
Christopher Soghoian captures the essence of the problem in relation to Google, but his comments are applicable to Internet companies in general:
Google’s services are not secure by default, and, because the company’s business model depends upon the monetizaton of user data, the company keeps as much data as possible about the activities of its users. These detailed records are not just useful to Google’s engineers and advertising teams, but are also a juicy target for law enforcement agencies.
Things don’t have to be this way. Instead, the Internet could be organized in ways that further communication rights and a democratic society by, amongst other things, minimizing the collection of personal information and retaining it for the shortest time possible, as the Electronic Frontier Foundation recommends and as some non-commercial websites such as IndyMedia centres do. The Virginia District Court, in sharp contrast, leverages the mass production and storage of personal data enabled by Google, Facebook, Twitter, and so forth as fully as possible and for the advantage of the state.
The idea that privacy rights turn on the terms of service policies offered by private companies rests upon a peculiarly squinty-eyed view of things. Even if we took the perspective of corporate behaviour as our guide, Twitter has sometimes distinguished itself in the Wikileaks and other cases by placing a higher premium on privacy values than Facebook and Google, for instance.
In contrast, to the latter, which have remained quiet in the case, and to Amazon, Apple, Paypal, Visa, Mastercard, everyDNS, and several webhosts in Europe that were only too eager to aid the U.S. government’s crackdown on Wikileaks by withholding critical resources — money, servers, domain names, webhosting, etc. — essential to Wikileaks’ survival (see here, here and here), Twitter refused to join the information blockade. Instead of buckling under intense government pressure, it refused to turn over account information for Josdottir, Applebaum and Gongrijp before notifying them first when a subpeona wielding US Department of Justice came knocking last December.
Twitter challenged the gag order in court as well, thus giving Jonsdottir, Applebaum and Gongrijp a heads-up about the events unfolding. It also directed them to the Electronic Frontier Foundation for legal advice, which, in turn, brought some of the best minds in the U.S. on privacy, social uses of the Internet, surveillance and security to mount their case (see here).
Twitter adopted a similar stance during the London riots this past August by refusing to comply with British government requests to shut-down its service and hand-over users’ information, while Facebook served eagerly on bended-knee. Thus, even by the narrow measures of corporate behaviour, it is not unreasonable to assume that Twitter’s behaviour could cultivate a higher sense of privacy amongst its users.
Of course, there’s no need to pretend that Twitter is the epitome of virtue in such matters, because it is not. To take just one instance, for example, while Google, WordPress and several other entities have all signed on to the broad statements of principles regarding privacy and online free speech rights set out in the Global Network Initiative, Twitter and Facebook have conspicuously refused to sign on to even these ‘market-friendly’ standards.
More important than all of this, however, is the fact that the relevant measuring rod of communication rights is not the market or corporate behaviour. Instead, we should look not to corporate business models and terms of service policies as a guide but to legal, political and international norms. Even more importantly, the focus should be on how social norms govern privacy and how we disclose personal information in complex, negotiated and contingent ways (see dayna boyd’s work on the point, for example).
People manage their identities and disclose personal information differently in the ‘online world’ versus the ‘real world’, but in both cases their expectations about privacy are contingent on time, place, contextual cues as well as the nature of the relationship involved. These issues as well as the fact that the vast majority of people do not even read online terms of service policies — and those that do more often than not do not fully understand what they mean — were all brought to the court’s attention, but quickly buried in a footnote and brushed aside (see here).
In the end, the Twitter-Wikileaks decision serves the U.S. government’s bid to drive Wikileaks out of business well. Even reluctant actors such as Twitter have been forced back into line. For the rest of us, the decision at least has the merit of making it clear that the hyper-commercialized ‘free lunch’ model of the Internet comes with a steep price: privacy rights and an entire industrial arrangement poised to serve as the handmaiden of the national security state.
Birgitta Jonsdottir has just published a new column, How the US Justice Department Legally Hacked My Twitter Account in The Guardian, here.