But today a Manhattan judge ruled that the micro-blogging company must turn over Occupy Wall Street protester Malcolm Harris' tweets to prosecutors, who want to use them as evidence to prove their allegation that Harris knew of and disobeyed police orders to leave the Brooklyn Bridge on October 1, 2011, when he and about 700 other people were arrested. Protesters say the police allowed them onto the bridge only to surround them, trap them with orange netting, and systematically arrest them, one by one — a process euphemistically called 'kettling'. (Protesters are suing the city, alleging that they were not properly notified or given an opportunity to leave the area before they were trapped and cuffed.)
Twitter notified Harris of a district attorney subpoena for his account information and tweets in January 2012; the activist filed a motion to quash the subpoena and was later joined in the defense by Twitter itself. Today's ruling found that prosecutors have a legitimate reason to seek Harris' tweets, but interestingly, require that prosecutors produce a warrant for tweets from the last day of the time period for which they sought information.
The bigger picture: reform ECPA
Harris' case is another reminder that we must update our electronic communications privacy law, written and passed in 1986, before the internet practically existed. Under the law, the government argues that it get access to our stored communications, even our emails, without warrants. Email is not what it was in 1986, and electronic privacy law needs to take notice.
We also need to change the law to reflect the fact that our emails are pretty much universally held by third parties like Google, in the same way Twitter holds our logs data and direct messages.
If we can't defend against subpoenas or warrants for our private information, in most cases because we do not even know of such requests for our data, we lose nearly all our privacy rights online.
If police need a warrant to search my filing cabinet, why don't they need one to search my email? And if I get a chance to quash a subpoena or a warrant for my physical papers in court, why can't I do the same when the state wants to read my email?
Harris was right and courageous to challenge the subpoena for his account information, and Twitter did the right thing to join him. But we can't rely on the good will of companies like Twitter; after all, it stands alone among major technology companies in the United States in notifying and defending users.
The third party issue is not at all an esoteric problem — but it is a problem of which we likely can't grasp the enormity. Google alone reported receiving over 6,300 requests for user data from the US government between January and June 2011 (see above); the company complied with 93% of them, or about 5,878 in total.
A federal magistrate judge recently published an article warning us that somewhere in the neighborhood of 30,000 secret surveillance orders are issued every year in the US. In most of those cases, people do not have a chance to challenge the orders because they are submitted to third party content holders like Google or Twitter, not the targets themselves. Often enough the targets of the surveillance never find out that government agents were reading their emails because they are never prosecuted.
Today's ruling reminds us, yet again, that it is well past time to update electronic communications privacy law. Google knows it. Twitter knows it. Apple knows it. Tea party groups and the CATO Institute know it. AOL knows it. We know it. The list of groups and corporations that have joined together to fight for Digital Due Process is long, diverse and growing.
So what's Congress waiting for?
UPDATE: Twitter is now releasing numbers on government requests for user data. See the results of the first report here.