On April 27, two things happened with potentially significant ramifications for online privacy. First, a panel of the Ninth Circuit Court of Appeals issued an opinion that, if it stands, may grant private companies huge influence in determining how much digital privacy their users are entitled to expect from the government. Next, the world’s richest man said something on Twitter.
Of the two, it was of course Elon Musk who got more attention—nevermind the fact that what the Ninth Circuit says is binding law for nearly 62 million Americans. In what appeared to be an offhand comment amid his $44 billion quest to acquire Twitter, Musk declared that direct messages on the platform “should have end to end encryption like Signal, so no one can spy on or hack your messages.” Privacy activists have long advocated that Twitter roll out exactly such a feature, but the complexity of doing so has left the platform unable to deliver.
In the aftermath of the Ninth Circuit’s ruling that coincided with Musk’s tweet, providing an encrypted messaging solution for Twitter users has never looked more attractive. The ruling highlights the shortcomings of online privacy law in the United States and the influence that corporations exert in determining our rights online.
A blow to online privacy
On April 27, the Ninth Circuit handed down a long-awaited opinion in the criminal case United States v. Rosenow. The defendant, Carsten Igor Rosenow, challenged his conviction and sentence for possessing child sex abuse images and engaging in child sex tourism abroad, activities he arranged through messages on Yahoo and Facebook. Rosenow argued, among other things, that the government’s preservation requests to those companies to preserve his account data violated the Fourth Amendment, which prohibits unreasonable searches and seizures.
The Ninth Circuit rejected this argument, holding that the preservation requests were not unconstitutional seizures. Amidst an opinion that is dozens of pages long, the court’s analysis of this point consisted of a single paragraph with thin reasoning and no citations to supporting case law. Seemingly almost as an afterthought, the court threw in this sentence: “It also is worth noting that Rosenow consented to the [electronic service providers] honoring preservation requests from law enforcement under the ESPs’ terms of use.”
It’s not clear that the court understood how significant this paragraph was. It left leading Fourth Amendment scholar Orin Kerr deeply shook. “Holy crap,” he said in a Twitter thread about this paragraph. “This is basically the nightmare.”
Under typical terms of service (TOS), users grant sweeping rights to technology companies: to collect data about us, to force us to arbitrate claims against them instead of going to court, to terminate our account for any or no reason, and so on. Although nobody reads terms of service (we don’t have time to, even if we could comprehend the legalese), a court will hold that you’re bound by them so long as the user interface made you jump through enough hoops to support the legal fiction that you knew what you were signing up for.
In Rosenow, the Ninth Circuit appears to be saying that after clicking “Agree” to online terms of service, we are no longer entitled to any expectation that the data in our account—emails, chat histories, DMs, other sensitive files—will remain private, because the TOS told us what we were giving up. This case was only about Yahoo’s and Facebook’s terms in particular, but their language is not unusual. It’s standard for TOS to require users to agree to having their data preserved, searched, and handed over to law enforcement with appropriate legal process. It’s rare for a judge to conclude a TOS does not support user consent to searches for the particular purpose the company or the government is trying to justify, such as for targeted advertising or the company wearing the hat of law enforcement. More commonly, the TOS argument prevails.
Put another way, the Ninth Circuit seems to conclude that a private entity’s contract-drafting decisions can make your constitutional privacy rights online disappear. This decision is clearly wrong. As the Electronic Frontier Foundation’s Jen Lynch pointed out, many courts (including the Supreme Court) have held that “digital content you store with a third party is protected by the Fourth Amendment,” so a third party’s TOS “cannot vitiate your Fourth Amendment rights.”
As I wrote recently, “you have no Fourth Amendment rights online anyway” has sometimes been the position of the Justice Department and even members of Congress. Now, if Rosenow stands, it looks like that’s the law of the land in the Ninth Circuit—which, because it includes Silicon Valley, Los Angeles, and the Seattle area, covers many major tech and entertainment companies’ headquarters (i.e., the place where the government serves legal demands for user data). All thanks to a single flimsy paragraph. Kerr is right: The users of online services—i.e., basically everybody—should be freaked out by this ruling.
There are ways to undo this mistake. The panel could amend the opinion to remove that language, the case could be reheard en banc, or Rosenow could persuade the Supreme Court (which has been pretty digital privacy–friendly in recent years) to take the case. Congress could also update U.S. electronic surveillance statutes to address the privacy ramifications of the contractual agreements users enter into with their electronic service providers. But reforms to these statutes seem unlikely: Congress is notoriously gridlocked, child sex offenders like Rosenow would be the perceived beneficiaries of reform, and even a proposed amendment that’s been highly popular in the House keeps stalling out in the Senate.
Until then, there’s encryption.
Elon’s flirtations with encryption
In light of the Ninth Circuit’s ruling, Musk’s throwaway comment about encrypting Twitter DMs has taken on new significance. End-to-end encryption (E2EE) for Twitter DMs is not a new concept, and history shows there’s no guarantee that Musk’s suggestion will become reality. For years, Twitter has considered encrypting DMs and then backed off, in a pattern that dates back to at least 2014. That’s not surprising, as rolling out E2EE represents a major technical undertaking, poses difficult product tradeoffs, and raises thorny trust and safety issues. Facebook parent company Meta is on track to spend four years making E2EE the default across its messaging services. And that project is the result of an actual corporate commitment, not a casual tweet from a guy who followed it up by saying he’d put the cocaine back in Coca-Cola. In musing about what to do with his new toy, Musk probably hasn’t thought through the challenges of E2EE for DMs. In short, don’t hold your breath that encrypted DMs are imminent.
Nonetheless, recent history illustrates how vital E2EE could be to Twitter users. In 2020, Twitter suffered a hack affecting high-profile user accounts including Musk’s. The year before that, two Twitter employees were charged with spying on users for the government of Saudi Arabia. (Disclosure: I was outside counsel to Twitter for a few years during my stint at a large law firm, which ended in 2015; everything I say about Twitter here is public knowledge.) Musk and the other victims of those targeted schemes may well have wished there had been stronger measures in place to protect their private conversations from prying eyes, whether the threat came from inside or outside the company.
Privacy woes at other companies show that the urgency of improved security features isn’t unique to Twitter. Consider the shabby history of tech company employees and executives abusing their insider access to user data to harm and intimidate innocent users of services such as Yahoo and Uber. Or hackers stealing nude photos from women’s iCloud accounts (which aren’t E2EE). Or the current trend of malicious actors posing as law enforcement to send fake legal requests for user data to multiple major tech companies, then in some cases using the resulting information in sextortion schemes. (Why go to the trouble of hacking a company when you can simply fool it into handing over the information you want?)
These offenses are possible because storage is cheap and big tech companies typically collect tons of information about their users for their own business purposes. Those treasure troves are a ripe target for bad actors. When a company end-to-end encrypts the contents of your messages and files, however, it renders that information inaccessible to insiders and outsiders alike. Criminals, repressive foreign governments, and domestic law enforcement are on the same footing as the company itself: Its employees, executives, and owners can’t read your E2EE messages either.
When properly implemented, end-to-end encryption goes beyond company policies, internal controls, or legal regimes intended to prevent improper access to data. E2EE gives technical teeth to users’ privacy expectations in their digital conversations in a way that no policy document can. This is why E2EE is so crucial: It protects the privacy of our conversations where the law falls short. No wonder the Justice Department hates E2EE: It makes it harder for them to argue that you have no reasonable expectation of privacy in your messages. For one thing, you chose a communications medium that shields your conversations from outside access. For another, if a company can’t access your messages due to E2EE, its TOS won’t say that it may search your messages and disclose them to law enforcement. Whether the use of encryption creates a reasonable expectation of privacy is still unsettled in the courts. But when E2EE apps are involved, the Fourth Amendment analysis plays out differently than in cases involving unencrypted messaging services like in Rosenow.
Challenging corporate whims
The more messaging services are E2EE by default, the less relevant privacy-defeating legal arguments become. Even if the Ninth Circuit’s aberrant language is never corrected, it will do less harm in a world where Musk’s Twitter, Mark Zuckerberg’s Meta, and other communications platforms decide they want to make E2EE ubiquitous. The list of popular messaging services that are E2EE by default presently includes Signal, iMessage, and WhatsApp, and eventually Instagram DMs and Facebook Messenger too. If Musk succeeds in adding Twitter DMs to that list, that will put another big brick in the wall that strong encryption interposes between our private conversations and the searching gaze of governments, hackers, and corporations alike. But it will further underscore the enormous power we’ve placed in the hands of the private companies that run the communications platforms we rely on, and, by extension, of the wealthy individuals who lead them.
With online communication so prevalent, it makes no sense to condition our constitutional privacy rights on the changeable whims of companies’ TOS (or of their privileged, volatile owners). It’s shocking that a major court was so willing to decide otherwise with so little discussion. There’s a strange synchronicity in the Ninth Circuit’s making its blunder on user privacy the same day Musk pointed out a way for users to reclaim it. Hopefully the court will correct its mistake. And hey, maybe one day Twitter really will roll out E2EE for DMs. In the meantime, users who wish their private conversations to really stay private should choose their messaging services carefully.
Riana Pfefferkorn is a research scholar at the Stanford Internet Observatory.
Facebook provides financial support to the Brookings Institution, a nonprofit organization devoted to rigorous, independent, in-depth public policy research.
Commentary
An urgent task awaiting Elon Musk at Twitter: Encrypting direct messages
May 3, 2022