Current data privacy laws undermine expressive freedoms

A recent court ruling has highlighted the need to update the Stored Communications Act (SCA), a federal statute, enacted in 1986, that circumscribes privacy rights in electronic communications. The protections afforded by the SCA do not reflect the breadth and depth of personal data that service providers such as cell phone carriers, email services, and social networks regularly collect and store. That the government can access so much data without a warrant creates a significant risk of chilling online free speech. (Note: the author is not a lawyer.)

On June 30, 2012, a Manhattan criminal court judge ruled that Twitter must provide to police the records of Malcolm Harris, a Twitter user charged with disorderly conduct during an Occupy Wall Street protest in October 2011. In a single ruling, Judge Sciarrino dismissed both Harris’s and Twitter’s motions to quash the subpoena. In so doing, the judge confirmed his prior ruling and held that under the SCA, the subpoena was properly requested. Judge Sciarrino’s decision is a reminder that although the Internet has augmented and amplified individual expression, it has also provided states with unprecedented tools for regulation, review, and punishment. As Judge Sciarrino himself acknowledges, the Internet’s central role in civic and private life has created a new privacy interest that is not yet explicitly protected by existing statutes. Adapting the law to safeguard these interests may be essential if the Internet is to remain a vibrant forum for free expression.

The Harris case concerns the government’s attempt to obtain a trove of wide-ranging data about an individual. On January 26, 2012, the New York County’s District Attorney’s office served Twitter with a subpoena for Harris’s account information and Tweets posted during a three-month interval surrounding his arrest, September 15, 2011 to December 31, 2011. Prosecutors asserted that the data could prove that Harris was aware of police orders against walking on the bridge roadway, which would contradict his anticipated defense. The subpoena demanded two types of information: Harris’s account information (non-content records) and Harris’s Tweets (content records).

Under the SCA, a subpoena is enforceable only if it violates neither the Fourth Amendment nor the SCA itself. Judge Sciarrino’s Fourth Amendment ruling was relatively uncontroversial. Under the Fourth Amendment, the government needs a warrant in order to seek communications in a physically intrusive manner or in violation of a reasonable expectation of privacy. Judge Sciarrino concluded that the government did not need a warrant because Harris had no reasonable expectation of privacy in his public Tweets, as the Fourth Amendment does not protect individual expression when it is offered to the public. Because Twitter is a platform for public speech, a user who Tweets is knowingly and irrevocably engaging in public discourse and can have no reasonable expectation of privacy regarding the contents of her posts at any subsequent point in time.

From a freedom of expression standpoint, the more concerning part of the opinion was the application of the SCA itself. Judge Sciarrino ruled that the subpoena for account information complied with the SCA because it requested only basic subscriber information. Under the SCA, which has remained largely unmodified since its enactment, authorities may compel disclosure of “basic subscriber and session information” with only a subpoena. According to Harris’s motion to quash, “basic subscriber and session information” potentially encompasses a wealth of data, including location information, log data, links accessed, and cookies.

Although Judge Sciarrino’s ruling appears to be consistent with legal precedent, it highlights the ease with which the government may obtain voluminous and highly personal data without a warrant. Innocuous-sounding “non-content data” can be used to construct an intimate portrait of a person’s thoughts and activities. As the ACLU, EFF, and Public Citizen point out, the information requested in the Harris case constituted a “comprehensive and detailed map of where Harris was when he was expressing certain thoughts or simply reading others’ tweets… regardless of whether there is any connection between those tweets and the pending prosecution… Technological advances have made possible government fishing expeditions into databases of information and communication that would have been impossible in the past.”

The drafters of the SCA simply could not have anticipated the dramatic evolution of the scope of “non-content data.” In 1986, “non-content” data–the email address of a message’s recipient, for example– may have been relatively impersonal. Today, however, it constitutes a rich array of highly personal, descriptive information that is constantly sent to and stored with third parties. As Justice Sotomayor recognized in her concurrence in United States v. Jones, the Supreme Court’s 2012 GPS-tracking case, warrantless access to this data may be inappropriately “amenable to misuse, especially in light of the Fourth Amendment’s goal to curb arbitrary exercises of police power to and prevent ‘a too permeating police surveillance.’” Warrantless disclosure may drive people from services such as Twitter and reduce the efficacy of once-powerful tools for free expression. Twitter itself seems to recognize that user rights are integral to the vitality of expressive platforms; on July 19, it announced its plan to appeal the Harris decision, which “doesn’t strike the right balance between the rights of users and the interests of law enforcement.”

The correct balance to strike would feature increased protections for session information and activity records. In United States v. Warshak, the Sixth Circuit ruled that the SCA’s provisions allowing warrantless access to contents of private communications violate the Fourth Amendment. Accordingly, if more types of data are considered to be private communications instead of non-content data, they would be given Fourth Amendment protection. In 2007, United States v. Forrester, one of the first cases to deal with warrantless disclosure of basic subscriber information, suggested that browsing history may be closer to content than non-content data. A similar assessment would apply to other types of data that can be used in intrusive ways, such as location data. Alternatively, Justice Sotomayor in her concurrence in United States v. Jones suggested that courts should revisit the assumption that “all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.” Instead, information shared with services like Twitter could be viewed as still protected and private to some degree.

Despite the ever-rising number of government requests for user data from third-parties–cell phone carriers alone reported over 1.3 million requests in the last year–an update to the SCA to address these problems seems unlikely. A recent editorial from the New York Times chastised Congress for its inattention to digital privacy protection and praised Senator Patrick Leahy’s proposed amendments to the SCA. Those amendments, however, would not make it more difficult to access subscriber and session information, and in United States v. Jones, the Supreme Court explicitly declined to address the “particularly vexing problems” posed by warrantless digital surveillance and searches.

Low barriers to government access to communication records contribute to an atmosphere of intimidation that chills online freedom of expression. Until greater legal protections are put in place, it falls to Internet users and service providers to use tools and enact policies that support privacy and the free flow of information. Service providers, for example, can put in place privacy-respecting data collection practices, such as storing data for only short, limited periods of time, anonymizing data, or collecting only as much data is necessary. These steps would help protect users from warrantless government searches and promote free expression online.

Footnote: In addition to addressing the SCA questions, Sciarrino also held that Harris did not have the standing object to the subpoena served on Twitter. This holding appears to be based on an incorrect reading of Twitter’s Terms of Service (ToS). Judge Sciarrino’s initial decision concluded that Harris did not have a proprietary interest in his Tweets because Twitter’s terms of service granted Twitter the right to use, alter, and distribute all of its users’ Tweeted content. In its response, Twitter claimed that its ToS “make absolutely clear that its users own their content… [They] expressly state: ‘You retain our rights to any Content you submit, post or display on or through the Services.’” Granting a license to Twitter for the purposes of providing a service, in other words, does not erode the user’s proprietary interest in his own content. Judge Sciarrino’s final ruling, however, concluded that those terms were not present in Twitter’s ToS during the relevant dates. That conclusion appears to be inaccurate as Twitter’s archive of previous versions of its ToS shows that the ToS has expressly provided for user ownership of content since September 10, 2009.