Current data privacy laws undermine expressive freedoms

A recent court ruling has highlighted the need to update the Stored Communications Act (SCA), a federal statute, enacted in 1986, that circumscribes privacy rights in electronic communications. The protections afforded by the SCA do not reflect the breadth and depth of personal data that service providers such as cell phone carriers, email services, and social networks regularly collect and store. That the government can access so much data without a warrant creates a significant risk of chilling online free speech. (Note: the author is not a lawyer.)

On June 30, 2012, a Manhattan criminal court judge ruled that Twitter must provide to police the records of Malcolm Harris, a Twitter user charged with disorderly conduct during an Occupy Wall Street protest in October 2011. In a single ruling, Judge Sciarrino dismissed both Harris’s and Twitter’s motions to quash the subpoena. In so doing, the judge confirmed his prior ruling and held that under the SCA, the subpoena was properly requested. Judge Sciarrino’s decision is a reminder that although the Internet has augmented and amplified individual expression, it has also provided states with unprecedented tools for regulation, review, and punishment. As Judge Sciarrino himself acknowledges, the Internet’s central role in civic and private life has created a new privacy interest that is not yet explicitly protected by existing statutes. Adapting the law to safeguard these interests may be essential if the Internet is to remain a vibrant forum for free expression.

The Harris case concerns the government’s attempt to obtain a trove of wide-ranging data about an individual. On January 26, 2012, the New York County’s District Attorney’s office served Twitter with a subpoena for Harris’s account information and Tweets posted during a three-month interval surrounding his arrest, September 15, 2011 to December 31, 2011. Prosecutors asserted that the data could prove that Harris was aware of police orders against walking on the bridge roadway, which would contradict his anticipated defense. The subpoena demanded two types of information: Harris’s account information (non-content records) and Harris’s Tweets (content records).

Under the SCA, a subpoena is enforceable only if it violates neither the Fourth Amendment nor the SCA itself. Judge Sciarrino’s Fourth Amendment ruling was relatively uncontroversial. Under the Fourth Amendment, the government needs a warrant in order to seek communications in a physically intrusive manner or in violation of a reasonable expectation of privacy. Judge Sciarrino concluded that the government did not need a warrant because Harris had no reasonable expectation of privacy in his public Tweets, as the Fourth Amendment does not protect individual expression when it is offered to the public. Because Twitter is a platform for public speech, a user who Tweets is knowingly and irrevocably engaging in public discourse and can have no reasonable expectation of privacy regarding the contents of her posts at any subsequent point in time.

From a freedom of expression standpoint, the more concerning part of the opinion was the application of the SCA itself. Judge Sciarrino ruled that the subpoena for account information complied with the SCA because it requested only basic subscriber information. Under the SCA, which has remained largely unmodified since its enactment, authorities may compel disclosure of “basic subscriber and session information” with only a subpoena. According to Harris’s motion to quash, “basic subscriber and session information” potentially encompasses a wealth of data, including location information, log data, links accessed, and cookies.

Although Judge Sciarrino’s ruling appears to be consistent with legal precedent, it highlights the ease with which the government may obtain voluminous and highly personal data without a warrant. Innocuous-sounding “non-content data” can be used to construct an intimate portrait of a person’s thoughts and activities. As the ACLU, EFF, and Public Citizen point out, the information requested in the Harris case constituted a “comprehensive and detailed map of where Harris was when he was expressing certain thoughts or simply reading others’ tweets… regardless of whether there is any connection between those tweets and the pending prosecution… Technological advances have made possible government fishing expeditions into databases of information and communication that would have been impossible in the past.”

The drafters of the SCA simply could not have anticipated the dramatic evolution of the scope of “non-content data.” In 1986, “non-content” data–the email address of a message’s recipient, for example– may have been relatively impersonal. Today, however, it constitutes a rich array of highly personal, descriptive information that is constantly sent to and stored with third parties. As Justice Sotomayor recognized in her concurrence in United States v. Jones, the Supreme Court’s 2012 GPS-tracking case, warrantless access to this data may be inappropriately “amenable to misuse, especially in light of the Fourth Amendment’s goal to curb arbitrary exercises of police power to and prevent ‘a too permeating police surveillance.’” Warrantless disclosure may drive people from services such as Twitter and reduce the efficacy of once-powerful tools for free expression. Twitter itself seems to recognize that user rights are integral to the vitality of expressive platforms; on July 19, it announced its plan to appeal the Harris decision, which “doesn’t strike the right balance between the rights of users and the interests of law enforcement.”

The correct balance to strike would feature increased protections for session information and activity records. In United States v. Warshak, the Sixth Circuit ruled that the SCA’s provisions allowing warrantless access to contents of private communications violate the Fourth Amendment. Accordingly, if more types of data are considered to be private communications instead of non-content data, they would be given Fourth Amendment protection. In 2007, United States v. Forrester, one of the first cases to deal with warrantless disclosure of basic subscriber information, suggested that browsing history may be closer to content than non-content data. A similar assessment would apply to other types of data that can be used in intrusive ways, such as location data. Alternatively, Justice Sotomayor in her concurrence in United States v. Jones suggested that courts should revisit the assumption that “all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.” Instead, information shared with services like Twitter could be viewed as still protected and private to some degree.

Despite the ever-rising number of government requests for user data from third-parties–cell phone carriers alone reported over 1.3 million requests in the last year–an update to the SCA to address these problems seems unlikely. A recent editorial from the New York Times chastised Congress for its inattention to digital privacy protection and praised Senator Patrick Leahy’s proposed amendments to the SCA. Those amendments, however, would not make it more difficult to access subscriber and session information, and in United States v. Jones, the Supreme Court explicitly declined to address the “particularly vexing problems” posed by warrantless digital surveillance and searches.

Low barriers to government access to communication records contribute to an atmosphere of intimidation that chills online freedom of expression. Until greater legal protections are put in place, it falls to Internet users and service providers to use tools and enact policies that support privacy and the free flow of information. Service providers, for example, can put in place privacy-respecting data collection practices, such as storing data for only short, limited periods of time, anonymizing data, or collecting only as much data is necessary. These steps would help protect users from warrantless government searches and promote free expression online.

Footnote: In addition to addressing the SCA questions, Sciarrino also held that Harris did not have the standing object to the subpoena served on Twitter. This holding appears to be based on an incorrect reading of Twitter’s Terms of Service (ToS). Judge Sciarrino’s initial decision concluded that Harris did not have a proprietary interest in his Tweets because Twitter’s terms of service granted Twitter the right to use, alter, and distribute all of its users’ Tweeted content. In its response, Twitter claimed that its ToS “make absolutely clear that its users own their content… [They] expressly state: ‘You retain our rights to any Content you submit, post or display on or through the Services.’” Granting a license to Twitter for the purposes of providing a service, in other words, does not erode the user’s proprietary interest in his own content. Judge Sciarrino’s final ruling, however, concluded that those terms were not present in Twitter’s ToS during the relevant dates. That conclusion appears to be inaccurate as Twitter’s archive of previous versions of its ToS shows that the ToS has expressly provided for user ownership of content since September 10, 2009.

Chinese Censorship Aimed at Preventing Collective Action

Back in 2009 when President Obama paid his first visit to China, the President came out and stated that he was a “big supporter of non-censorship,” claiming that criticism helped him to better serve the needs of the American people. “The more freely information flows, the stronger society becomes as citizens can hold their governments accountable for their actions,” said Obama, adding that it allowed “people to think for themselves”.

It was clear for all to see that Obama was eluding to the belief that internet censors in China do everything they can to stem online criticism of the government and Communist Party leaders.  But are China’s censorship goals really that straightforward? Is it really their mission to remove any and all criticisms of the state?

A new study by researchers at Harvard University pours cold water on that supposition, revealing that China’s internet censorship policy is far more sophisticated than many believe. The study, led by Professor Gary King of Harvard’s Department of Government, describes ”Chinese censorship efforts as the most sophisticated attempt to censor human expression ever attempted”, but notes that China is not actually trying to suppress all criticism of the government or the Communist Party.

The systems China has in place are quite complex, with many censors actually allowing criticisms of the Beijing government and certain government officials. The study concludes that blog posts and comments that contain “negative, even vitriolic” criticisms of the government, its policies and its leaders, are often allowed. Negative posts, which were previously thought to have slipped through the net, were actually intentionally allowed to pass through.

Why does China sometimes allow criticism? Instead of trying to smother all dissent, the Chinese government’s goal is to remove comments that could incite collective action, even when those actions are not overtly political or directed against the Communist Party leaders.

Such a goal actually makes sense if you believe that political stability is Beijing’s top priority. This view is supported by the fact that China’s budget for internal security remains substantially larger than that of its defense budget. In 2010, the last year for which data is available, there were an estimated 180,000 ‘mass incidents’ in China. The Chinese government appears keen to keep these protests isolated and prevent activists from using the Internet to fan the flames of these protests. It is for this reason that Chinese censors were quick to a remove calls for a Chinese-style “Arab Spring”, a threat that many had considered to be pretty much non-existent.

China is so concerned about stability that even posts about non-political items may be censored or blocked. In the aftermath of the Fukushima crisis in Japan, rumors spread around China’s Zhejiang province that salt would be able to protect people from exposure to radiation, leading to a run on salt. Although the rumors were non-political, censors were concerned enough to step in and delete a vast number of related Internet posts.

Another finding of the study is that China believes it can benefit from allowing criticism of certain officials, especially local officials. During a highly publicized case about a high ranking Communist Party member and school official accused of the rape of 11 underage schoolgirls, Chinese censors allowed people to vent their frustrations online to prevent them taking to the streets in protest.

It’s become clear that the Chinese government has a nuanced approach to censorship, aimed at maintaining stability. Censors are willing to tolerate criticism in certain instances up until the point it could incite protests.

Jean-Loup Richet – Special Commentator to Herdict

BREIN battles WordPress proxy

With online freedom of expression under constant threat, some people help maintain an open Internet by using proxies or mirroring content.  However, creating new routes of access to blocked sites has traditionally been daunting for the less tech-savvy.  Several recent projects are aiming to making circumvention easier; in turn, they are becoming targets of censorship themselves.

Most recently, WordPress plug-in RePress, came under fire.  The software, developed by web hosting company Greenhost, makes it easy to turn any WordPress blog into a fully operational proxy, rerouting traffic through the RePress tool in order to evade URL-based filtering.   Once installed, the user can designate specific URLs they want rerouted through the RePress software.  For each of those URLs, the RePress tool creates an obfuscated link in order to circumvent certain forms of censorship.  According to RePress, the tool has been used to reroute traffic to Amnesty.org, Blogspot, Wikileaks, TorProject, and until recently, The Pirate Bay.

Because of RePress’s potential for evading court-ordered copyright related filtering, on July 6, the Court of the Hague issued an ex-parte court injunction ordering Greenhost to take its Pirate Bay proxy offline within 6 hours of the notice or face a fine of 1,000 euro a day.  The court order follows Dutch anti-piracy outfit BREIN’s June 25 formal complaint to Greenhost, in which they asked Greenhost to remove the entire RePress tool.  BREIN sees RePress as a threat to the progress it has recently made in litigation aimed at forcing ISPs to block access to the The Pirate Bay.  Greenhost responded that it would not remove the tool because RePress was created to proxy any site which may be censored, not solely The Pirate Bay.  Some legal critics had questioned the appropriateness of BREIN’s criminal complaint, especially because Dutch law explicitly protects hosting providers against criminal liability.  Thus, the Hague’s decision comes as somewhat of a surprise.

Since the injunction, Greenhost’s Pirate Bay proxy has redirected viewers to a page explaining that its proxy is offline.  However, because the court order was directed only at The Pirate Bay proxies that Greenhost maintained, the RePress proxies hosted by RePress users, including proxies to The Pirate Bay, still remain.  Greenhost is still considering its next steps with respect to its The Pirate Bay proxies.

Greenhost’s RePress isn’t the only project trying to protect online material from censorship.  Other applications, such as Mirror Party, use mirroring technology to create and cache exact copies of the linked-to website, allowing access even if the original site is taken down.  Proxy servers simply provide a different route to the destination state, and cannot help if the destination server is offline.  In contrast, mirroring services like Mirror Party clone the target site, making the content accessible regardless of what happens to the original destination site.  Mirror Party is designed to be resistant to most forms of web censorship, including DDoS attacks and hostname/IP filtering.  Once installed, the user can choose to mirror a particular site: Mirror Party downloads content from the target site, modifies and encrypts relevant content in the snapshot to make it suitable for mirroring, and distributes the content to peer servers around the world.  This can be done with or without close communication with the mirrored site and can involve multiple mirror host-sites.

But existing proxying and mirroring applications have limitations.  RePress is still in alpha release and can be unstable, providing minimal protection against cross-site scripting attacks and cookie hijacking.  Similarly, Mirror Party is also still in development.  In addition, the biggest limitation to web mirroring is that mirrors cannot be created after a site has been taken down, because mirroring must be done preemptively, before a site is inaccessible.

A forthcoming alternative is a Harvard University-based project spearheaded by Professor Jonathan Zittrain of Harvard’s Berkman Center.  The Internet Robustness project aims to support digital activists by developing, testing, and piloting a new counter-censorship technology.  The project is unique in its aim is to allow online communities, such as human rights groups or independent media sites, to mirror each other’s content.  In the case that any one participant fails to remain online, visitors will be able to access the content from other servers across the network.  The project’s target community is Iranian web users, and ultimately, the goal is to make the internet significantly more robust and resilient by protecting against various attacks.  Zittrain’s team is currently in the research stage of a 3-year process, which is being funded by a USAID grant.  More information regarding this new mirroring project can be found here.

It is inescapable that tools designed for one purpose may be used for others.  Teams working to strengthen internet robustness for activists through proxying and mirroring are creating tools that can also be used by software and content pirates.  Just because technology may have dual uses does not mean that governments should try to ban them.  In fact, that approach may be counterproductive.  Just a few days after BREIN’s victory over The Pirate Bay, Dutch internet provider XS4All revealed that traffic on BitTorrent had actually increased since the blockade, presumably due to all the media attention.