An essay by
Barton Gellman of Times magazine presents the current state of what we consumers can expect from companies who we give our ‘permission’ to just by simply using their services.
The federal governments loose interpretation of the
Fourth Amendment allows them to consider anything American citizens put onto the internet via websites, blogs, and emails are considered public.
Christopher Soghoian, describes the available legal and technical tools in rich detail. In general, the companies could keep fewer records that could be subpoenaed, insist that data requests be narrowly tailored to the asserted purpose and ask courts to life restrictions on customer notice.
When it comes to protecting your right to privacy or ensuring they stay in business, companies will give you up in a heart beat. As long as we all know this truth, we can edit what we say and do on the internet. What the Founding Fathers envisioned protecting with the Fourth Amendment was our “houses, papers, and effects”. Clearly, they did not have the benefit of a crystal ball that would have undoubtedly lead them to include cyber-sphere in their list of protections. Too bad our current leadership does not see things they same way. Surveillance-happy authorities have effectively legally squashed that argument.
Mr Gellman tells of directing “carefully framed questions” to Verizon Wireless, Sprint, AT&T, T-Mobile, Comcast, Time Warner Cable, Google, Yahoo, Microsoft, Facebook, MySpace and Skype. What I find particularly troublesome, but not surprising, is the responses he received, and did not receive. According to Mr. Gellman, none replied to most of the questions. Partial answers, when given, “were mostly homilies about how seriously they take privacy and how carefully they review each request.”
I like his analogy of how consumer laws force companies to reveal ingredients in our food but don’t force the privacy market to fully disclose their position.
Here’s the questions Mr Gellman asked of the above named companies:
How many times in 2010 they were served with government demands for non-public information about their customers, and whether they (1) try to narrow those demands; (2) insist on compulsory legal orders before complying; (3) ask courts to allow them to notify their customers; (4) tell customers who inquire, if legally permitted, whether their private data has been obtained by authorities; (5) follow stronger or weaker interpretations of their customers' rights in areas of disputed law, such as the pro-privacy holdings in the
Sixth Circuit and
Ninth Circuit that do not bind other jurisdictions. I further asked them, if they declined to answer these questions, why they believed their customers did not deserve to know.
Here are their responses:
Verizon Wireless, AT&T, Time Warner Cable, Google and MySpace simply ignored the questions. No response at all.
Microsoft said "we take our responsibility to protect our customers' privacy very seriously, so have specific processes that we use when responding to law enforcement requests.” No hint on what those processes might be. As for the rest: "We appreciate your questions and, unfortunately, this statement is the extent of what Microsoft can provide at this time."
Skype “does not comment on law enforcement matters" but "cooperates with law enforcement agencies where legally required... Though we'd like to help you with your story, I'm afraid we're going to have to decline offering any further details." Skype's
privacy policy is said to be "very transparent," although it answers exactly none of my questions. The closest it comes is to say Skype "may" disclose your personal information "to respond to legal requirements, to protect Skype's interests, to enforce our policies or to protect anyone's rights, property, or safety." That is the kind of language that lawyers write to justify almost any conceivable disclosure.
T-Mobile "complies with all relevant federal and state laws, including privacy laws. We take our customers' privacy very seriously, and carefully control the circumstances under which we disclose customer information to any governmental or non-governmental entity." How so? T-Mobile leaves itself even more wiggle room than Skype does. It hands over your private information "when compelled or permitted" by law," and this includes, but is not limited to, circumstances under which there is a declaration from law enforcement of an exigent circumstance, as well as other valid legal process, such as subpoenas, search warrants, and court orders."
Yahoo "responds to valid law enforcement demands." Its lawyers "carefully review all incoming legal demands," and "take very seriously our dual responsibilities to abide by US law and to protect our users' privacy." The company "is committed to protecting user data." The
privacy policy says disclosures come in response to "subpoenas, court orders," or unspecified "legal process," or "to establish or exercise our legal rights or defend against legal claims," or when "we believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Yahoo!'s terms of use, or as otherwise required by law."
Sprint manages to be the most responsive and the least reassuring. It gets "thousands of record requests a year" from authorities -- other published hints have suggested tens of thousands -- and requires a "valid legal request," which is not the same thing as a compulsory request. “We act as good stewards of our customers' personal information while also meeting our obligations to law enforcement agencies." Sprint "usually" requires a subpoena or court order but in other cases "Sprint can provide information without requiring this supporting documentation." Sprint notifies its customers only when "ordered buy a judge to do so," which in practice is almost never, rather than as legally permitted, which would be often, because "we do not seek to interfere with the progress of law enforcement investigations." Then comes the boilerplate that "we are ardent about addressing privacy in our products and services and then clearly communicating those policies and practices to our customers." On the whole, this answer is not terribly specific, but the company's priorities are pretty clear. It values cooperation with authorities more than the privacy of its customers, and notifies them only when compelled to do so.
Comcast makes "every reasonable effort to protect subscriber privacy," and the rest of the answers amount to "maybe." Disclosures of personal information "may be made with or without the subscriber's consent, and with or without notice, in compliance with the terms of valid legal process such as a subpoena, court order, or search warrant." It gives the greatest protection to customer's television viewing habits because the Cable Act requires notice and an opportunity for customers to contest release of their personal information. For internet customers, "we are usually prohibited from notifying the subscriber of any disclosure of personally identifiable information to a government entity by the terms of the subpoena, court order, or search warrant." There is no mention of contesting gag orders, or of notifying customers when permitted to do so.
Facebook: "We have no comment at this time" on Wikileaks. On the policy questions, "Will get back to you." I'm still waiting.
It is in our best privacy interest to know exactly how our right to privacy is viewed by companies we do business with. Just because the internet has proven to be a handy tool for connecting with others and as a source of entertainment, to share videos of ourselves and our loved ones, to share information about our daily lives, to share our most intimate personal information to others through emails that we think no one else will ever see, does not mean that information will not be used either against us or someone we know. The federal government has already exhibited its ability to access anything it wants and these companies have already exhibited their willingness to go along with them.
The companies listed here are in effect privacy-information storehouses containing anything and everything we have ever put out in cyberspace. How much trust do you have in the people who are monitoring the intelligence-gathering network we are unintentionally building?