Government Demands Growing for Twitter User Data

In its first-ever transparency report, Twitter reported Monday that the United States leads the pack when it comes to government demands for user data, having filed 679 requests in the first half of the year.

Worldwide, Twitter said it has received more government demands for data in the first six months of this year than all of last year.

In Twitter’s Transparency Report, it said it has complied with 75 percent of user-data disclosure demands by producing “some or all information” requested by U.S. authorities. Globally, the average was 63 percent.

Data from before 2012 was not available. Twitter said it notifies its users of government demands “unless prohibited by law.”

The closest country behind the United States was Japan, which lodged 98 requests with a 20 percent Twitter compliance rate. The United Kingdom and Canada came in with 11 requests, with an 18 percent compliance rate. All of the other countries in the 23-nation Twitter report registered fewer than 10 government demands.

“We’ve received more government requests in the first half of 2012, as outlined in this initial dataset, than in the entirety of 2011,” Twitter said on its blog.

The disclosure follows Google’s lead of nearly two years ago, when the search giant turned heads by publishing a treasure trove of data surrounding government demands for user data, in addition to information on the number of takedown notices connected to copyright infringement.

“Wednesday marks Independence Day here in the United States. Beyond the fireworks and barbecue, July 4th serves as an important reminder of the need to hold governments accountable, especially on behalf of those who may not have a chance to do so themselves,” Twitter said.

The Twitter report came the same day a New York state judge ordered the San Francisco-based microblogging site to divulge the tweets and account information allegedly connected to an Occupy protester.

Twitter did not say whether, at least in the United States, the authorities presented probable-cause warrants for user data. Manhattan Criminal Court Judge Matthew A. Sciarrino Jr.’s ruling Monday did not require local prosecutors to have probable cause to get the tweets and accompanying account information of an Occupy protester.

The company, however, listed a few reasons why it does not acquiesce to all government-issued user-data requests.

“We do not comply with requests that fail to identify a Twitter user account. We may seek to narrow requests that are overly broad. In other cases, users may have challenged the requests after we’ve notified them,” Twitter said. Most famously, Twitter successfully fought to allow individuals being investigated for their connections to WikiLeaks to challenge requests for their Twitter data.

In a separate reporting category, Twitter said it received 3,378 requests to remove copyrighted material from Twitter in the United States for the first half of the year. The Digital Millennium Copyright Act requires internet service providers to remove works, at the copyright holder’s request, to avoid legal liability.

Overall, Twitter said it removed 38 percent of the material specified in the takedown requests. Among other reasons, Twitter said it does not comply with all requests because sometimes they “fail to provide sufficient information” or were “misfiled.”

Twitter also reported that it did not comply with any of the handful of requests from France, Greece, Pakistan, Turkey and the United Kingdom to remove content that is illegal in those nations.

Twitter’s not the first to follow Google’s transparency lead – Dropbox, LinkedIn, SpiderOak and SonicNet beat Twitter to it.

Among those who ought to be next: Facebook, AT&T, Verizon, Sprint, Yahoo, Comcast, Time Warner Cable, and Microsoft.

Twitter Ordered to Cough Up Occupy User Data

A New York judge has ordered Twitter to divulge the tweets and account information allegedly connected to an Occupy protester.

The case, which the judge called one of “first impression,” concerns Malcolm Harris, who was among hundreds arrested Oct. 1 in an Occupy movement march along the Brooklyn Bridge.

Prosecutors sought tweets made to Harris’ account “to refute the defendant’s anticipated defense, that the police either led or escorted the defendant into stepping onto the roadway of the Brooklyn Bridge.”

While the outcome was expected, the case was being closely watched as the authorities increasingly monitor and move to access material posted on social networks. And the decision comes as Twitter reported that, for the first six months of the year, the United States sought information on Twitter user accounts 679 times, and Twitter produced some or all of the information 75 percent of the time.

Prosecutors sought Harris’ Twitter information using a 2703 order, which allows authorities to obtain data without a warrant.

Manhattan Criminal Court Judge Matthew A. Sciarrino Jr. said in a filing released Monday that Harris has no expectation of privacy in his public tweets:

If you post a tweet, just like if you scream it out the window, there is no reasonable expectation of privacy. There is no proprietary interest in your tweets, which you have now gifted to the world. This is not the same as a private email, a private direct message, a private chat, or any of the other readily available ways to have a private conversation via the internet that now exist. Those private dialogues would require a warrant based on probable cause in order to access the relevant information.

The judge said he would read the tweets privately before allowing any into the case. In a bid to corroborate that the tweets were posted by Harris, the judge authorized Twitter to turn over the account information connected to the account of @destructuremal, including any information Twitter had about the owner of the account, including his e-mail address. The authorities believe that account belongs to Harris.

Manhattan prosecutors were elated with the decision.

“We look forward to Twitter’s complying and to moving forward with the trial,” Chief Assistant District Attorney Daniel R. Alonso said in a statement.

It was the second time the judge had ruled on the Harris matter.

On April 20, Sciarrino denied Harris’ motion to quash the subpoena, saying he had no standing to fight the order because Harris had “no proprietary interests” in the account holder’s information or in the tweets. To back this assertion, the judge quoted from Twitter’s terms of service, which have subsequently been modified, stating that account holders granted Twitter a “worldwide, non-exclusive” right to use, copy, or display the content.

Since the defendant granted this license to Twitter by agreeing to the terms of service, this “demonstrates a lack of proprietary interests in his Tweets,” the judge wrote.

In response, Twitter stepped in and moved to quash the subpoena, which the judge denied:

While the U.S. Constitution clearly did not take into consideration any tweets by our founding fathers, it is probably safe to assume that Samuel Adams, Benjamin Franklin, Alexander Hamilton and Thomas Jefferson would have loved to tweet their opinions as much as they loved to write for the newspapers of their day (sometimes under anonymous pseudonyms similar to today’s twitter user names). Those men, and countless soldiers in service to this nation, have risked their lives for our right to tweet or to post an article on Facebook; but that is not the same as arguing that those public tweets are protected. The Constitution gives you the right to post, but as numerous people have learned, there are still consequences for your public posts. What you give to the public belongs to the public. What you keep to yourself belongs only to you.

The American Civil Liberties Union blasted the outcome.

“The United States Supreme Court and courts around the country have repeatedly made clear that individuals whose constitutional rights are implicated by government requests for information to third parties have standing to challenge those third-party requests, and there’s no reason for the result to be different when Internet activities are at issue, regardless of whether individuals ‘own’ their Internet speech or whether the Internet companies ‘own’ it,” ACLU attorney Adam Fine said.

Twitter pointed out that prosecutors could have saved everyone the trouble of dealing with this in court if they had simply printed or downloaded the publicly available tweets themselves.

“To the extent the desired content is publicly available, the district attorney could presumably have an investigator print or download it without further burdening Twitter or the court,” Twitter wrote in its motion.

However, without the account information connected to the tweets, those messages might not be admissible in court.

Wiretap Stats Decrease, But Don’t Go Celebrating Yet

The number of criminal wiretaps authorized by federal and state judges in 2011 decreased 14 percent from the year prior, to 2,732, according to the latest figures available.

The vast majority of the wiretaps covered in the government report are for drug investigations and nearly all of them target mobile phones.

Don’t go thinking, however, that the government’s love for electronic snooping has faded.

The data, which the government is required to publish annually, covers just a small part of the nation’s ever-growing surveillance society. The government has at its disposal a variety of methods to capture Americans’ communications and data without warrants or with super-secret national security wiretap warrants that aren’t covered in this report.

Forbes noted that the latest figures, published Friday, are the fifth time in two decades “the count of wiretaps has fallen year-over-year.”

And while there was a decrease from 3,194 approved wiretaps in 2010, we might expect their use, or at least requests for them, to edge back up in the wake of a Supreme Court decision in January that said the authorities need a warrant to affix a GPS device to a vehicle to track its every movement.

The government has many other tools to tap Americans’ communications, meaning the decrease in wiretaps could just be a statistical blip, or it could mean that court-ordered wiretaps are taking a back seat to other methods of warrantless data extraction.

Foremost, let’s not forget allegations from the Electronic Frontier Foundation claiming the National Security Agency is siphoning Americans’ electronic communications to giant data farms without warrants. A federal appeals court reinstated that lawsuit in December.

What’s more, the Justice Department employs a covert internet and telephone surveillance method known as pen register and trap-and-trace capturing. Judges sign off on these telco orders when the authorities say the information is relevant to an investigation. No probable cause that the target committed a crime — the warrant standard — is necessary.

Pen registers obtain non-content information of outbound telephone and internet communications, such as phone numbers dialed, and the sender and recipient (and sometimes subject line) of an e-mail message. A trap-and-trace acquires the same information, but for inbound communications to a target.

From 2004 to 2009, the number of those orders more than doubled to 23,895. The Justice Department has failed to report figures for 2010 and 2011. The American Civil Liberties Union has sued the Justice Department, seeking the records.

What’s more, the government asserts, and judges are agreeing, that no warrant is required to obtain so-called cell-site data, which identifies the cell tower to which the customer was connected at the beginning of a call and at the end of the call.

And Google announced last month that the United States sought user data from Google 6,321 times for the six months ending December 2011, up from 5,950 the six months prior.

Google’s transparency data is also limited as it does not include requests under the Patriot Act, which can include National Security Letters with gag orders attached. Nor does the data include anti-terrorism eavesdropping court orders known as FISA orders or any dragnet surveillance programs legalized in 2008, as those are secret, too.

The data Google is coughing up includes e-mail communications, documents and, among other things, browsing activity, and even IP addresses used to create an account. And we suspect that an alarming amount of the data is being turned over without a probable-cause warrant. Google isn’t saying.

In the United States, the law is so antiquated that a warrant is often not required to get Americans’ emails, and proposals to fix that have been met with silence in Congress.

So while it may be nice to see a significant drop in criminal wiretap orders last year, only the foolish would think there’s 14 percent less snooping going on.

 

Should WordPress Alert for Installed Plugins With Known Vulnerabilities?

Currently, when a WordPress plugin is reported to have a security vulnerability, it is removed from the WordPress.org Plugin Directory until the vulnerability has been resolved, but no warning is provided to anyone who has already installed it. While many plugins are promptly fixed, there are quite a few that remain vulnerable for a long time or are never fixed. We think that WordPress should show an alert on the Installed Plugins page if an installed plugin has been removed from the directory, and provide at least a general reason for the removal (many are removed for reasons other than security vulnerabilities), so that admins can take appropriate action.

If you would also like to see that happen, you can help by voting for our idea on the Ideas section of WordPress.org. To vote, you will first need to create a WordPress.org Forum account (or log in if you already have an account), and then you can rate the idea by clicking on one of the stars under the heading Rate This (click the rightmost star for the highest rating for the idea). You can also add your own comments on how the issue should be handled.

Until an alert is added in WordPress itself, you can get a more limited version of this functionality using our No Longer in Directory plugin (we just released our beginning of the month update for the plugin).

While we are discussing the issue of plugin vulnerabilities, we should say that since our last post about this we have been seeing that plugins with Secunia advisories for outstanding issues are being promptly removed from the Plugin Directory until those are resolved. This is a great improvement from earlier this year, when we found that vulnerable plugins had remained in the directory for years. With that happening, we are now looking to make sure that the maintainers of the Plugin Directory are aware of any vulnerabilities which haven’t received Secunia advisories. We just reported to them a plugin that was found to have a fairly serious information disclosure vulnerability, and they promptly took action (we alerted the developer of the plugin a week ago and had not received any response). For anyone that finds a vulnerability in a plugin available in the Plugin Directory and is unable to get a response from the developer, you can find directions for contacting the Plugin Directory here.