The Los Angeles Times today published a report informing us that Twitter stores users' IP addresses for 18 months. Worse, the company downloads users' entire phone and email address books when they use the mobile phone app and agree to let Twitter "find friends" to connect with via the social media service. This data is also retained for 18 months, the report says.
Some service, Twitter.
Given the lack of statutory protections in most states against government fishing expeditions into our online and mobile data, this news is especially disturbing. And it's not an idle threat to our liberties: here in Boston, we are fighting a Suffolk county district attorney subpoena to Twitter for our client @p0isAnon's account information, including his IP address, in an Occupy Boston related case.
The consequences of this kind of extensive data retention are clear. If our client ever used the "find friends" service, and the subpoena is allowed to proceed, the DA will get not only every IP address from which @p0isAnon has logged into Twitter for the period in question, but also the personally identifiable information of literally hundreds or thousands of people in our client's address book, who are likely unconnected to the case.
That's not right. We need third party holders of our data, like Twitter, and the government to radically change their tunes when it comes to collecting and accessing our personal data.
From Twitter and other third party content providers, we'd like to see a no logs policy wherever possible. Why retain this data at all, Twitter? If you don't retain it, you won't have to deal with either betraying your users' trust or any bad press surrounding possibly politically motivated government fishing expeditions.
From the government, we need clear rules that limit the kinds of information prosecutors and police can obtain from third party holders of our content when they don't have a warrant. Administrative subpoenas can be dangerous investigatory tools and easily abused.
If there isn't reason to suspect that we are engaged in criminal activity, the government should not be able to access our Twitter logs or any other private data about us. Police can't come into our homes to search our physical address books without warrants, so why should they have warrantless access to our electronic address books? We need to appropriately translate the Fourth Amendment in the digital world, yet unfortunately, ten years after 9/11, we have come up short.
That's got to change. Unless it does, any information that private companies gather about us can be routinely subpoenaed, without any court oversight. Let's restore our privacy and give investigators some clearer guidance, so they don't waste their time fishing around for something that doesn't exist, or abusing their power to subpoena our records willy-nilly.
Probable cause or reasonable suspicion for access to our private data should be a minimum. But we won't get it without a fight. Pass it on.