Twitter, Wikileaks and the Broken Market for Consumer Privacy

Barton Gellman asked the companies how many times in 2010 they were served with government demands for non-public information about their customers, and whether they (1) try to narrow those demands; (2) insist on compulsory legal orders before complying; (3) ask courts to allow them to notify their customers; (4) tell customers who inquire, if legally permitted, whether their private data has been obtained by authorities; (5) follow stronger or weaker interpretations of their customers’ rights in areas of disputed law, such as the pro-privacy holdings in the Sixth Circuit and Ninth Circuit that do not bind other jurisdictions. I further asked them, if they declined to answer these questions, why they believed their customers did not deserve to know.



– Verizon Wireless, AT&T, Time Warner Cable, Google and MySpace simply ignored the questions. No response at all.

  • Microsoft said “we take our responsibility to protect our customers’ privacy very seriously, so have specific processes that we use when responding to law enforcement requests.” No hint on what those processes might be. As for the rest: “We appreciate your questions and, unfortunately, this statement is the extent of what Microsoft can provide at this time.”
  • Skype “does not comment on law enforcement matters” but “cooperates with law enforcement agencies where legally required… Though we’d like to help you with your story, I’m afraid we’re going to have to decline offering any further details.” Skype’s privacy policy is said to be “very transparent,” although it answers exactly none of my questions. The closest it comes is to say Skype “may” disclose your personal information “to respond to legal requirements, to protect Skype’s interests, to enforce our policies or to protect anyone’s rights, property, or safety.” That is the kind of language that lawyers write to justify almost any conceivable disclosure.
  • T-Mobile “complies with all relevant federal and state laws, including privacy laws. We take our customers’ privacy very seriously, and carefully control the circumstances under which we disclose customer information to any governmental or non-governmental entity.” How so? T-Mobile leaves itself even more wiggle room than Skype does. It hands over your private information “when compelled or permitted” by law,” and this includes, but is not limited to, circumstances under which there is a declaration from law enforcement of an exigent circumstance, as well as other valid legal process, such as subpoenas, search warrants, and court orders.”
  • Yahoo “responds to valid law enforcement demands.” Its lawyers “carefully review all incoming legal demands,” and “take very seriously our dual responsibilities to abide by US law and to protect our users’ privacy.” The company “is committed to protecting user data.” The privacy policy says disclosures come in response to “subpoenas, court orders,” or unspecified “legal process,” or “to establish or exercise our legal rights or defend against legal claims,” or when “we believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Yahoo!’s terms of use, or as otherwise required by law.”
  • Sprint manages to be the most responsive and the least reassuring. It gets “thousands of record requests a year” from authorities — other published hints have suggested tens of thousands — and requires a “valid legal request,” which is not the same thing as a compulsory request. “We act as good stewards of our customers’ personal information while also meeting our obligations to law enforcement agencies.” Sprint “usually” requires a subpoena or court order but in other cases “Sprint can provide information without requiring this supporting documentation.” Sprint notifies its customers only when “ordered buy a judge to do so,” which in practice is almost never, rather than as legally permitted, which would be often, because “we do not seek to interfere with the progress of law enforcement investigations.” Then comes the boilerplate that “we are  ardent about addressing privacy in our products and services and then clearly communicating those policies and practices to our customers.” On the whole, this answer is not terribly specific, but the company’s priorities are pretty clear. It values cooperation with authorities more than the privacy of its customers, and notifies them only when compelled to do so.
  • Comcast makes “every reasonable effort to protect subscriber privacy,” and the rest of the answers amount to “maybe.” Disclosures of personal information “may be made with or without the subscriber’s consent, and with or without notice, in compliance with the terms of valid legal process such as a subpoena, court order, or search warrant.” It gives the greatest protection to customer’s television viewing habits because the Cable Act requires notice and an opportunity for customers to contest release of their personal information. For internet customers, “we are usually prohibited from notifying the subscriber of any disclosure of personally identifiable information to a government entity by the terms of the subpoena, court order, or search warrant.” There is no mention of contesting gag orders, or of notifying customers when permitted to do so.
  • Facebook: “We have no comment at this time” on Wikileaks. On the policy questions, “Will get back to you.” I’m still waiting.

Read more:

Leave a Reply

Your email address will not be published. Required fields are marked *