© Flickr user Alan Cleaver
Online services like Twitter and Facebook spend a lot of time on their privacy policies, and Facebook in particular has spent the past couple of years tweaking its settings, trying to find a balance between convincing users to share information and allowing them to keep some private. But a recent U.S. court decision involving the Twitter accounts of several WikiLeaks supporters shows when push comes to shove, users of social networks and most online services have virtually no expectation of privacy whatsoever - at least, not if the entity trying to get access to their personal information happens to be the U.S. Justice Department.

The case in question involves the Justice Department's repeated attempts to get personal account data from three WikiLeaks supporters, in order to bolster its espionage case against WikiLeaks founder Julian Assange for the release of diplomatic cables last year that were stolen (allegedly) by Army intelligence agent and whistleblower Bradley Manning. The three who were targeted are Icelandic MP Birgitta Jonsdottir - an early supporter of WikiLeaks who helped produce the Collateral Murder video that showed a U.S. military attack on civilians in Iraq - as well as computer-security expert Jacob Appelbaum and Dutch hacker Rop Gonggrijp.

Personal info released without the need for a warrant

The decision released on Thursday was the result of an appeal by the three targets of the Justice Department's case, after another judge earlier this year upheld the order compelling Twitter to release the information. What's particularly disturbing about this case is that the government didn't even have to file for a traditional warrant to get access to the personal data from Jonsdottir and the others - it used a special order called a 2703(d), and its attempt to get that information might never have even come to light if Twitter hadn't fought the order and won the right to alert Jonsdottir, Appelbaum and Gonggrijp.

In the latest ruling, Virginia judge Liam O'Grady said that the three had effectively given up any expectation of privacy when they signed up for Twitter, regardless of whether they had read the privacy policy or not (which the vast majority of users do not) and despite the fact that - as privacy advocate Chris Soghoian has pointed out - the privacy policy they agreed to when they joined was a different version than the one that is currently in effect. The judge in the latest decision said that:
Petitioners knew or should have known that their IP information was subject to examination by Twitter, so they had a lessened expectation of privacy in that information, particularly in light of their apparent consent to the Twitter terms of service and privacy policy.
Some - including David Gewirtz at ZDNet - have argued that this decision isn't something regular web users should be concerned about, since the Justice Department is only targeting "collaborators" of WikiLeaks, which is being investigated for espionage, and therefore it's a special case. But that defence isn't really all that comforting, at least not to me. As Jonsdottir has pointed out in a piece written for The Guardian as well as an interview, this action blows a pretty wide hole in whatever we thought we knew about our rights to privacy online. And it does so in the interest of pursing a case against WikiLeaks for doing something that media organizations such as the New York Times do routinely, which is a blatant attack on the First Amendment.

You are sharing publicly whether you know it or not

What is the rationale behind this request for information from the U.S. government? We don't know, and the judge in this case decided that the three targets of the court order didn't have a right to know either, since he declined to force the Justice Department to reveal the purpose of its request. All we know is that the government wanted personal data about their activity on Twitter - including their IP addresses, any "contact information" related to the account, as well as "records of session times and durations," and could even include the content of individual messages (including private messages). And it did this despite the fact that none of them have been charged with any kind of criminal offence in the U.S., and neither have WikiLeaks or Julian Assange.

As Soghoian has pointed out, most social networks and web services such as Twitter, Google+ and Facebook - and particularly the latter - are focused on getting their users to share more of their information, because doing this enhances the value of the network (and makes it more valuable to advertisers and marketers). Google has said that it wants to make its new network part of everything it does, and connect it to everything that its users do on any Google service as a kind of central "identity platform." Based on the decision in the Twitter case, any and all of that information could theoretically be available to someone, including the government.

That's a pretty dangerous precedent, as the Electronic Frontier Foundation (which is representing Jonsdottir in the case, along with the American Civil Liberties Union) notes in its response to the Twitter decision, saying it is "gravely worried by the court's conclusion that records about you that are collected by Internet services like Twitter, Facebook, Skype and Google are fair game for warrantless searches by the government." And it's a clear warning to anyone who joins a web service that their actions are effectively public.