You Probably Agreed to NSA Snooping When You Accepted That Website’s Terms of Service

Maybe we shouldn't be so shocked about PRISM, considering we grant companies like Facebook, Google and Apple incredible leverage to hand over our data to government agencies the moment we accept their terms of service agreements.

  • Share
  • Read Later

Everyone from Mark Zuckerberg down to the average Facebook user has expressed surprised outrage at the existence of PRISM, a top-secret government program that the National Security Agency uses to access user data from at least nine major Internet companies in order to target foreign threats. But maybe we all shouldn’t be shocked at all, considering we grant companies like Facebook, Google and Apple incredible leverage to hand over our data to government agencies the moment we accept their privacy policies and terms of service agreements.

Tucked away in those long paragraphs of legalese on pretty much every major Internet website (including Time.com) is a clause about how a business will handle your private data when the feds come knocking. In general, these companies grant themselves wide latitude. Yahoo says it might hand out your data to investigate or prevent “situations involving potential threats to the physical safety of any person.” Facebook will respond to a court order, search warrant or other legal request “if we have a good faith belief that the law requires us to do so.” Apple provides user data to government agencies if “for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.”

 It’s unclear whether even this kind of vague legal verbiage opens the door for a program as sweeping as PRISM has been reported to be. The exact nature of the data collection program is still unclear. Initial reports in The Washington Post and The Guardian painted a picture of a Big Brother-esque surveillance apparatus with unfettered access to massive amounts of data. The Director of National Intelligence responded by saying that all data acquired through the program, which targets only terrorist suspects who are not in the U.S., was lawfully obtained but through secret court orders made possible under the Foreign Intelligence Surveillance Act. A New York Times report last week fell somewhere in the middle, describing a “locked mailbox” for the NSA on tech companies’ servers where the government could routinely ask for the data it sought in its investigations. All the companies steadfastly deny any involvement in the program and say the government doesn’t have direct access to their servers.

(MORE: PRISM by the Numbers: A Guide to the Government’s Secret Data Mining Program)

Whatever the case, the now-acknowledged program takes data collection to a scope beyond what many users likely expected and possibly beyond what some companies’ terms of service allow. There’s a fine distinction between providing government officials private data when compelled to by a legal document like a court order and helping them to circumvent traditional legal channels. “If they say [they] only ever give up your data when compelled to do so by the government, but then it turns out they actually turn over your data routinely whenever the government says hello, then there might be a claim you could bring under the [Federal Trade Commission] Act,” says Andy Sellars, a staff attorney for the Digital Media Law Project based at Harvard University.

Such a contradiction could qualify as a deceptive trade practice under FTC rules. Companies have gotten in trouble for violating their own privacy policies before. In 2011, Google was forced to revamp its privacy policy and face regular independent privacy audits for 20 years because of “deceptive tactics” used in the rollout of failed social network Google Buzz. The company was hit with a $22.5 million penalty last year for misrepresenting privacy assurances to users of the Safari Internet browser. Microsoft and Facebook have also run afoul of the FTC for making false promises in their privacy policies. Still, the FTC has never levied a punishment that truly impacted a tech giant’s bottom line—that $22.5 million Google fine, the largest ever obtained by the FTC, is equivalent to the revenue the company generates in about four hours.

(MORE: Snowden in Hong Kong: The Legal Complications of ‘One Country, Two Systems’)

Individual consumers might also take aim at the PRISM companies, but their chances of success are slim. In 2006 when similar revelations about widespread government surveillance of telecommunications data came to light, Verizon was sued for $50 billion in a class-action lawsuit. But in 2008 Congress granted retroactive immunity to the telecom companies that were involved in surveillance programs, freeing them from legal culpability. Similar measures could be taken to protect Internet companies so that details of the PRISM program aren’t brought to light in a public court. According to the original Washington Post story, in fact, these companies already have immunity.

Of course, all of this only applies to the U.S. legal system. Companies like Google and Facebook have huge international customer bases, and PRISM is targeted squarely at non-Americans. In the European Union, where laws regarding the use of people’s personal data are more stringent than in the U.S., experts say that these Internet companies could face lawsuits.

Even if they do avoid legal trouble, tech companies–whose entire business models hinge on convincing users that their data is safe and secure–have every reason to want the PRISM story to go away as fast as possible. Google is now asking the White House for permission to publish information about the number of secret national security data requests it receives in its annual transparency report about government demands for user information. Facebook, which has never published a transparency report, is suddenly excited by the idea and also wants to include information on national security data requests. Microsoft and Twitter are on board too.

(MORE: Joe Klein: The Civil Liberties Freakout)

Increased transparency from the government and the Internet giants would also help users to understand just how public their private online communications can quickly become. The clues are all right there in the fine print. “I’d be surprised to see an organization say that they simply never gave over your information to anyone at anytime,” Sellars says. “They simply can’t guarantee that.”

16 comments
Liekiller
Liekiller

NSA: "Our spying program has thwarted terrorist attacks."

Memo to NSA: Al Capone gave lots of money to charity. Didn't make the activities that allowed him to do that acceptable.

gingerromero1
gingerromero1

I don't care who hides what in their tiny print of 'agreements' it's still an invasion of privacy.  Every street corner, every building, every public place, even stupid google is spying on us.  They have no reason to drive by my house and video the path to my front door so that every nutjob that wants to break into my house now has a great pic with which to plan.  They have no reason or right to do that to you and your home either.  

It's an invasion of privacy and it bums me out that the younger people are the less they mind the invasion.  Whether it's monitoring phone records, email, facebook - whatever it is it comes down to the same thing.  Spying.  Boxes to spy on you in your car so you can pay 5 bucks less a month on insurance.  Cameras in the most desolate places to spy on people who are going over the speed limit on an endless stretch of flat, straight road.  "Security" cameras everywhere.  How long until they start putting them in bathrooms to guard against illegal activities in public restrooms?  Pretty soon there will be a box mounted in every home and car, and a chip in every one of us, to control our behavior.  That's not a far stretch.  Because the only thing that changes is what's considered an offense.  What happens when you try to cross the street in the middle of the block and you get a little jolt just as a reminder that it's against the law.  Driving over the speed limit?  Another little jolt.  Have half a beer too many?  Because it's certainly a lot more efficient to monitor potential offenders (and push a button when they step out of line) in an office behind a screen.  Costs much less, and besides - cops can't be everywhere at once so why not right?  All in the name of safety.  And what happens when the definitions of an 'offense' start to change.  What happens when simply speaking up is an offense to those in charge.  

We already have politicians trying to decide how much soda a person can buy at once.  We're no longer trusted with our own common sense and well-being.  How long until they have a database in New York like there is for sudafed - every time you want to buy some pop you get punched into the system.  If you don't have an ID they can do a fingerprint or facial analysis for comparison.  Retinal scan, all sorts of neat stuff.  Not.  Already bought a six-pack of pepsi down the block?  No more for you for a week, because more than one soda a day per person has been deemed inappropriate and illegal.  And it's all for your own good.  Because left to your own devices you might have more than one soda, and that's already been determined by one high ranking official to be unacceptable - but he doesn't trust you enough to allow you to make your decisions about your body.  Big Mike, large and in charge.  

And what happens when those who are in charge decide that not only will they sift through phone and web records for clue to heinous crimes and terrorism, but that they'll start monitoring all that information for those who are just speaking out against oppression.  Speaking out against invasions of privacy and censorship.  Better living through legislation is not a good thing.  And yes, depressingly so, this is nothing new.  We've been getting spied on for a long, long time.  

Woody_Brown
Woody_Brown

Hah!  These 'agreements' aren't even really legal...they're extra-legal and would be abolished by any decent court upon contractual challenge.  A contract is negotiable.  An agreement is made between two parties offering terms.

This isn't the case with these click 'yes' to unlock the produce you purchased or free service we offer.  Rather, they're transactions.  Completing a transaction to obtain a product or service does not mean that I agree with your unilateral extra-fee terms.

I also have consumer rights.  When you violate these, should I experience harm sufficient to seek damages in court, I sue you.  If you want to play an extra-free 'agreement' game before I can chat on your website--fine, but that's your trip...not mine.

When you turn-over my private information to pirates, black marketeers or priests, I still get to sue you for misuse of my data.  When you try to steal my words, we'll go to copyright court.  When you facilitate a 3rd party hacking into my information, we'll be seeing a judge.

Your one-sided terms are coercive and disproportionate to the service offered.  You offer a free chat, but only if I agree to give you the moon?  And you consider clicking to be a signature willing affixed with fully informed consent and equal rights of negotiation to create a legally binding contract?

Hah!  Take a flying leap.  I'll see you in court.

SteafanDubhuidhe
SteafanDubhuidhe

Hogwash!  This isn't merely about "the feds" asking websites for their user data, this is about ubiquitous surveillance from within our communications infrastructure.  It is 24/7 ubiquitous monitoring.  We are being watched on a level that was unimaginable by the founding fathers.  Anyone that would shrug their shoulders to this is an enemy of the people.

JohnDavidDeatherage
JohnDavidDeatherage

The 4th Amendment is our nation's privacy policy.  To get a warrant to intrude on my privacy, you must have probable cause. Oxford Companion to American Law defines probable cause as "information sufficient to warrant a prudent person's belief that the wanted individual had committed a crime (for an arrest warrant) or that evidence of a crime or contraband would be found in a search (for a search warrant)"

What is the Probable Cause that allows the government to seize and search the phone records of millions of Americans?  Unless the government thinks you've committed a crime, no probable cause exists. No probable cause means no warrant. A search without a warrant violates the 4th Amendment.

It's time for our leaders to respect the Constitution again!


Fla4Me
Fla4Me

I have to say I'm surprised by all the...surprise.  They passed the Patriot Act...we learned that the Bush folks where harvesting data from telecom trunk lines, they are building the largest data collection center in the world with the fastest super computers in the southwest desert....   Hasn't the idea that anything is private died years ago.   Where has everyone been?

internetfavs
internetfavs

are google and facebook any different? 

Personal data is the new gold!


internetfavs.com

max.o
max.o

Thanks, Victor, for a flimsy and unconvincing argument that nonetheless remains on topic. Your bosses at Time.com and their peers in the major corporate media outlets seem to have developed sudden and selective amnesia about this story, and are now telling us that the American public doesn't mind  at all living in a total surveillance state. Gosh, nobody ever abused that kind of power before, right? I'm sure we're all quite safe now! Anyway, let's bomb Syria!

Make no mistake, the public outrage continues, whether you report it or not. The corruption and complicity of TimeWarner and the like is now glaringly obvious. Happily, we don't need your deluded distractions anymore. We can get our news and opinions elsewhere. Here's a start: http://consortiumnews.com/2013/06/13/edward-snowdens-brave-choice/




JerzyKolodziej
JerzyKolodziej

  • Where is the "third party doctrine" now that the scale of government surveillance has been fully exposed?

    The third party doctrine was questionable even before these revelations. It was questionable because of the great many exceptions made to the idea that if you expose yourself to a third party you no longer have a reasonable expectation of privacy. Without a reasonable expectation of privacy you cannot rely on the provisions of the Fourth Amendment.

    Two well-known legal cases established the doctrine, United States v. Miller (1976) and Smith v. Maryland (1979).

    In Miller, the defendant attempted to suppress evidence that investigators had obtained from his bank, arguing that he had an expectation of privacy under the Fourth Amendment. The Supreme Court held that because checks and deposit slips sent to banks are freely circulated within the institution (the third party), Miller had no reasonable expectation of privacy, and that law enforcement did not need a search warrant to obtain the data.

    In Smith, Michael Smith had robbed Patricia McDonough and then phoned repeatedly to threaten her. The police secured a pen register at the phone company (third party) to trace the numbers of calls placed to McDonough. Smith appealed his conviction, asserting that the pen register had violated his Fourth Amendment rights. Justice Harry A. Blackmun wrote that when Smith voluntarily “conveyed numerical information to the phone company and . . . its equipment in the normal course of business, he assumed the risk that the company would reveal the information to the police.”

    However, the third party doctrine has found difficulty dealing with situations such as whether you still have rights of privacy when you are in a hotel (a third party) or you are renting business premises. In these cases the court has decided that you still have a qualified right to rely on the Fourth.

    In the current debate, the marked difference from all cases that have been decided to this point, is it appears that government is now obtaining information without the specific consent of the third party or without subpoena. It is also obtaining non specific and untargeted data.

    If that is true, and by all accounts it appears to be the case, it raises startling questions. Based on the above quoted cases the government could use the same premise to justify creating a database that contained every persons bank account records; both past and present. This is the conclusion that must be drawn from the Miller case.

    I do not think that there is a right thinking individual, or judge for that matter, that would accept that this is in the public interest or that it is the legitimate extension of the third party doctrine.

    While some people may be willing to accept that this kind of information may be given to government by banks if they are served with a subpoena for specific records. I do not think that anyone will be willing to accept that this information should be collected on every account without a specific request as a matter of course.

    It is obvious where this is going, the government through the NSA, is setting out on a path where it aims to hold current and historical databases that contain all of the third party data for every business and institution in the world.

    The justification is that the data is useful and it is lawful to obtain it. I remain skeptical as to whether either is true; at least to the extent that it is being contended. However, I am certain that this is a fundamental breach of the purpose and intention of the Fourth Amendment and a vile repugnancy to the First and Fourteenth Amendment.

chrishill1479
chrishill1479

Won't someone think of the children! What about all the paedonaziterrorists! Oh my God! Just take my money and my rights already!!!!!!!!!

sanitychecker
sanitychecker

Actually, NSA snooping goes back a lot farther than Google or Facebook. It precedes the birth of the Internet. Even the passage of the Patriot Act was little more than another step in a much longer path.

No one ever consented to any of this, because you cannot sign away your rights.

"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." -- Ben Franklin

JohnDavidDeatherage
JohnDavidDeatherage

Repeal FISA. Repeal the Patriot Act. Respect the Constitution!  The 4th Amendment is my privacy policy. 

JaySchuls
JaySchuls

@JohnDavidDeatherage The same probable cause that gives the authorities the right to install tracking devices on your car while parked on your driveway or in a garage if the door is open,  all without a warrant

JohnDavidDeatherage
JohnDavidDeatherage

@JaySchuls @JohnDavidDeatherage Wrong!  United States v. Pineda-Moreno was a 2010 Ninth Circuit Court of Appeals case regarding the use of GPS devices. The court ruled that a placing a GPS tracking device a personal vehicle without a warrant did not violate a suspect's Fourth Amendment rights, even if the vehicle was parked in the defendant's driveway at the time the device was placed. The case was reversed and remanded by theUnited States Supreme Court in light of United States v. Antoine Jones.