Reading the Fine Print: WikiLeaks, Twitter, and Website Terms of Service/Privacy Policies

Last week, Judge Liam O’Grady of the U.S. District Court for the Eastern District of Virginia issued a ruling denying three individuals’ objections to an order permitting the U.S. Government to access information about internet protocol (IP) addresses and other non-content data related to their use of Twitter. The Government procured the order as part of a criminal investigation. In substantial part, the individuals argued that they had a reasonable expectation of privacy when using the Twitter service–at least as to the computers they used to access it and pages visited. Both the magistrate judge that originally issued the order and Judge O’Grady who reviewed the petition to quash the order pointed out that the individuals had explicitly agreed to Twitter’s terms of service and privacy policy when they created their Twitter accounts. These terms expressly permitted Twitter to disclose the IP addresses and other non-content data upon an appropriate court order.

Counsel for the individuals entered into a verbal exchange in the magistrate hearing that was quoted verbatim in Judge O’Grady’s opinion and has now been reprinted around the web. Essentially, the attorney argued that no one reads these terms–even if they click “I agree” saying that they have. Further, he argued that these terms are “jammed down their throat” and that his clients, and most other users, never expected that the IP addresses and other data were being collected by Twitter.

Privacy advocates, including the ACLU and the Electronic Frontier Foundation (EFF), who filed the brief on behalf of the individuals, oppose the order for Twitter to release the data and other issues in the proceeding relating to sealed court records.

The arguments used by counsel may seem reasonable at first blush. The attorney admitted that he himself rarely read terms of service or other click-through agreements he accepted. And I’ll admit here that I have gotten out of the habit of reading them all as well (although I often still click and save them on my computer to read “later” and as an archive copy of what I agreed to). Those with some knowledge of law might immediately think “contract of adhesion” and jump to the usually wrong conclusion that they are unenforceable.

But I’ll take two stands here:

1. These click-through agreements need to be enforceable for the contemporary Web to work; and

2. These sorts of carve-outs of privacy and non-disclosure rules in the event of government or court order are necessary and standard for most businesses to offer their services.

On (1), the Web is, like it or not, largely a commercial platform–especially in the .com gTLD space. After all, that’s why the latter is “.com” (commercial), as opposed to “.edu” (educational), “.mil” (military), etc. A myriad of commercial service providers have created businesses on this platform, and in some cases got quite wealthy doing so. Others, not so much. It is true that the Web also in part is, and can be, a free public space where people engage in noncommercial activities. Nothing in this court order upends the ability of individuals and organizations on the Web to refuse to turn over data they have collected on others to the government or anyone else. They may have to suffer the legal consequences of this action, but that is a separate matter from what is being debated here.

Instead, what is at issue is whether commercial service providers can require users to agree to reasonable terms of use before using the services. We will consider whether the court order exception to Twitter’s normal rule of nondisclosure of IP addresses and non-content data in a moment. But the sole point here is that commercial service providers have to be able to put out their terms of business and require users to explicitly agree to them before allowing use of the service if they so choose. Real space businesses do it all the time, and in fact many of these terms are for the general welfare of other users of the service. Plus, the fact that many of us choose to ignore something we are choosing to sign–and representing that we’ve read and agreed to–just doesn’t work as an excuse. And it is no answer to say that we “have to” be able to use Twitter, et al., and so we have no choice but to sign objectionable agreements. We don’t “have to” use Twitter.

The alternative is to make these click-wrap agreements unenforceable. I believe that many businesses would not be able to continue offering their services under that condition and the commercial Web as we know it would change dramatically. And what kind of bizarre situation would that be for prospective businesses? It would be tantamount to saying that no matter how the business tries to establish what users can do with the service and even if users explicitly say they are agreeing to these terms, a court can later find the terms unenforceable if the individual then asserts that they lied and hadn’t read the terms and didn’t really intend to be bound by them. What if we extended this argument to legal relationships you as an individual tried to enter into with others?

Now, disregarding these sorts of click-wrap agreements might wind up transforming the Web into the public forum/community utopian dream that many early netizens hoped it would be (because businesses would find it untenable to conduct any serious ventures there). And that could be a very good thing. But it will not be the Facebook/Twitter/Amazon/iTunes etc. commercial ecosystem that millions of users appear to value quite highly. So, choose your model. I am not personally arguing for one or the other. I am just pointing out that I think a lot of people really like the commercial Web model that developed.

On (2), a carve-out for disclosing sensitive information upon a legitimate government or court order is standard in confidentiality/non-disclosure clauses in the business world. This is true in business-to-business agreements, employment agreements, and contractor agreements alike. These carve-outs are important because the entity promising confidentiality does not want–or need–to put itself in legal jeopardy by contractually obligating itself to act as a shield in what might be someone else’s legal battle. It is one thing for journalists and news organizations to protect the identity of sources even at the risk of going to jail for that. They do this because they need to do so to continue to obtain sensitive information from those sources and because they have willingly taken that on as a credo. Other businesses may choose to do something similar–in this case Twitter could have established a business model that said it would never disclose IP addresses etc.–and nothing in this order precludes that. But Twitter did not choose to do so. In fact, it chose something quite different. It said that it would keep the data confidential except for cases of court orders (and likely some other standard carve-outs). At the same time, this carve-out is so standard that I am surprised that many people would not know it and expect that Twitter’s terms might contain it, even if they did not read them. But that could be my conditioning based on working as counsel for tech start-ups for over ten years.

So, I find nothing unexpected or objectionable in Twitter’s terms in this regard (I have not reviewed their full terms–even as a Twitter user!–to see if there might be something else that is problematic). And I don’t find either the magistrate judge’s or Judge O’Grady’s ruling in this regard problematic. To the contrary, I would be highly concerned for start-ups and online commercial service providers if the rulings had come out differently.

There is one additional wrinkle, however. Christopher Soghoian, a privacy researcher and advocate, found that the court seemed to be relying on Twitter’s current privacy policy and not the one that was in place when the individuals clicked “I agree” to start their Twitter accounts. This is a serious issue that warrants further review. However, the earlier Twitter policy appears to have had a clause that required users to check back for updates to the terms and provided that those terms would continue to be binding if the user kept using the service. This is also a very standard clause for Web businesses’ terms of service. But I do have some discomfort with this one. I prefer that the business push out a formal notice of any changes to the terms and that users then must click through the changed terms on their next visit to the site. But the version of updating the terms that Twitter appears to have relied on is to my knowledge fully legal at this point in time.

Mr. Soghoian also found it concerning that the earlier terms contained the following relevant clause: “We do not associate your IP address with any other personally identifiable information to identify you personally, except in case of violation of the Terms of Service.” This makes it seem as if Twitter does not even have the capacity to associate your IP address with personally identifiable information until and unless you have violated the Terms of Service. But how does it know this, and does it then start associating the data from there on in? Is Twitter then also claiming that the individuals in this case had violated the Terms of Service and so Twitter then started associating their information? But it sounds more like Twitter is trying to say that some automated function is associating the data, but that association is never produced or generated for any human to look at (or for disclosure of any kind) unless the individual has violated the Terms of Service. My analogy would be to surveillance footage in a store where management says it won’t ever look at it, or let others look at it, unless a crime has occurred.

But in the end, while I don’t think this earlier clause was well drafted, and I generally don’t like the “auto-update” terms practice, I think that the judge’s ruling was correct. Twitter indicated clearly enough that it was reserving the right to disclose this kind of information, and that it would be collecting it in some circumstances even under the earlier policy, and the individuals had agreed to the policy and represented that they had read and agreed to it (even if now they say they were lying then and hadn’t actually read it, and didn’t intend to agree to anything, or some things, or who knows what).

About Sean O'Connor

Sean O’Connor is Professor of Law at George Mason University, Antonin Scalia Law School. He is also Founding Director of the Innovation Law Clinic and Executive Director of the Center for the Protection of Intellectual Property (CPIP). With a diverse background in music, technology, philosophy, history, business, and law, he specializes in legal issues and strategies for entrepreneurship and the commercialization of innovation in biotechnology, information technology, and new media/digital arts.