Cato Institute - I’m seeing a lot of technology news sites reporting, in tones of shock and horror, on a recent court ruling holding that people generally waive their Fourth Amendment “expectation of privacy” in data collected on them by Internet sites, at least when the sites give some kind of notice (however buried in legalese) that they do collect that data. That means, in this instance, that the government can obtain detailed connection records from Twitter about users associated with Wikileaks without a full-blown Fourth Amendment warrant based on probable cause: A subpoena or a court order based on a far weaker claim of “relevance” to an investigation will suffice.
But this isn’t some shocking new precedent. It’s been the status quo since 1986, when our increasingly outdated electronic privacy laws were written, and arguably for longer than that.
There are plenty of problems with this most recent decision, to be sure. For one, as security researcher Chris Soghoian notes, the court based its opinion on the current Twitter privacy policy, even though the policy in effect at the time the targets of the investigation signed up for the site was significantly more protective. In a way, though, this seems unnecessary: Under the misguided Supreme Court decisions that established our modern “third party doctrine,” contractual promises of privacy don’t matter.
In other words, users are held to “assume the risk” that any third party might turn their information over to the government, effectively waiving their Fourth Amendment rights over that data, even if the third party explicitly promises not to do this. The one reason the privacy policy might be relevant here is that the “third party doctrine” covers information knowingly conveyed to third parties, and while it’s obvious that you “convey” a dialed phone number to the phone company when you make a call (for instance), it might not be as obvious that Web sites you visit are logging your Internet Protocol address.