[Infowarrior] - One Subpoena Is All It Takes to Reveal Your Online Life

Richard Forno rforno at infowarrior.org
Tue Jul 8 20:51:54 UTC 2008 

One Subpoena Is All It Takes to Reveal Your Online Life

By Saul Hansell
http://bits.blogs.nytimes.com/2008/07/07/the-privacy-risk-from-the-courts/index.html

Whenever questions are raised about privacy, big online companies talk  
about how benign their plans are for using data about their customers:  
Much data is anonymous, they say, and even the information that is  
linked to individuals is only meant to offer users a more personal  
experience tailored to their interests.

They never talk about subpoenas.

Yet in the United States, one of the biggest privacy issues is what  
information about people can be revealed through a court process,  
either as part of a criminal investigation or in some sort of civil  
dispute. This article I wrote in 2006 gives some examples.

The issue came up again last week when Google was ordered by a court  
to turn over records of activity on YouTube, including the user names  
and Internet Protocol (IP) addresses of people who watched videos. A  
judge agreed with Viacom that the records could assist its case  
arguing that YouTube has infringed on its copyrights.

There is nothing special about the way the law treats the Internet  
here. All sorts of records, from your health club dues to your auto  
repair history, can be drawn into all manner of legal proceedings, and  
the records of Internet companies are generally no different.

There is a higher standard for the disclosure of the content of e-mail  
messages under the Electronic Communications Privacy Act, but there  
are many ways for investigators to get access to e-mail as well,  
particularly if the user has already read it. (The law has  
traditionally given greater protection to a sealed envelope in a post  
office than to an opened letter sitting on a person’s desk.)

But Internet companies are different from other businesses that keep  
records about their customers. A person’s activity online represents  
an unusually broad picture of his or her interests, transactions and  
social relationships. Moreover, it is the nature of computers to keep  
records of all of the bits of data they process.

Much of this data is spread among various different companies and  
their servers. But these puzzle pieces can be put together. This is  
the key fact that so much of the discussion about I.P. addresses skips  
past.

The way the Internet is set up now, an I.P. address, by itself,  
doesn’t identify an individual user. But an I.P. address can be traced  
to a specific Internet service provider, and with a subpoena, the  
Internet provider can be forced to identify which of their customers  
was assigned a particular I.P. address at a particular time. That is  
how the recording industry has been identifying and suing people who  
use file sharing programs.

Viacom says that it isn’t going to use the information from Google to  
sue individual YouTube users for copyright infringement, but there is  
nothing under the law to stop it from doing so.

It’s easy to skip past this part of the privacy debate. After all, the  
overwhelming majority of log files at Internet companies are boring  
and meaningless. But every now and then there is a tidbit that has  
meaning to someone: It could be a clue to solve a horrible crime. It  
could be a fact that could tip the balance in a dispute over, say,  
child custody or an employment contract. Or it could be a salacious  
detail that could embarrass — rightly or wrongly — a public figure.

All this raises questions that I think Internet companies, privacy  
regulators and Congress would be wise to take stock of:

     * How much data should be retained by Internet companies and for  
how long?
     * What should Internet users be told about what sort of  
information could be disclosed about them in response to a legal  
action or government request?
     * Should there be new laws that define more clearly what the  
standards are for disclosing online surfing and searching activity?

There is certainly a history of laws that create special privacy  
regimes for various domains, such as financial and medical records.  
Congress even protected records about what movies you rent and  
television channels you watch.

Aren’t the records of where you surf, and for that matter, the videos  
you choose to upload to YouTube, worth at least as much protection?

More information about the Infowarrior mailing list