BendTech

Privacy is a hot-button issue on the internet.  ‘Always has been.  How it gets trampled by companies like the RIAA, or countries like China, makes headlines with depressing regularity. And today we have a local headline in the Bulletin, “TV station gives info on ‘anonymous’ comments to Sawyer” [bendbulletin.com paywall FAIL, sorry].  The article is about how KTVZ released personal information (IP addresses) of people who posted allegedly libelous anonymous comments about Tami and Kevin Sawyer on ktvz.com.  KTVZ gave these addresses to the Sawyers as part of a $5M libel lawsuit they have brought against the commenters in question.

I’m not going to get into the Sawyer’s saga here, which is all a bit distasteful.  Instead, I thought I’d offer a bit of analysis on the backstory of privacy issues and how they seem to be getting a bit of a rough treatment locally.  My little way of making sure we stay rigorous in protecting our freedoms around here, I guess.  So off we go …

Let’s start off with this excerpt from the article:

It is unclear whether the Sawyers, who were representing themselves in both cases, had legal standing to issue a subpoena. Nevertheless, News Channel 21 turned over the documents.

Unclear to whom? The Bulletin, or KTVZ?  If the Bulletin, than they really should have their facts straight before going to press with an article like this.   It paints an unflattering picture of one of their competitors in the news media market, and I’d hate to think they’d try to use this as the basis for a little hatchet job.  So hopefully I’m reading that wrong.

But if I am, than KTVZ seems to have been a bit too eager to give up information about the users posting on their site.  “Unclear legal standing” is hardly justification for outing people on the Intertubes.  And KTVZ doesn’t exactly sound confident of their position in the article:

Eric Bradley, News Channel 21’s general manager, refused to comment on why the station chose to hand over the information in Sawyer’s subpoena.

“We’re sticking with our policy that you’ve seen published,” he said. “We probably won’t disclose our approach to these things.”

Note to Mr. Bradley: If you’re going to expose the identity of people who have a not-unreasonable expectation of privacy, you should be prepared to defend your actions.  Simply referring to your privacy policy isn’t good enough.  The verbiage in your policy (which is predictably vague and all-encompassing) is not as important as how you interpret that policy.  And it’s that interpretation by which you’ll be judged in the court of public opinion.

So were the users in question in clear violation of KTVZ’s terms of use?  Which aspect of those terms?  And is that justification for outing them?  Or was there a legal, court-issued, subpoena in play?  Going silent seems an ill-considered strategy here.  If nothing else, the process of making sure you can defend your actions insures that you’ve considered the legal ramifications. (i.e. “Are we gonna get sued for violation of privacy?”)

Speaking of KTVZ’s privacy policy one paragraph it contains leaps out at me.  They, perhaps optimistically, list IP Addresses under the non-Personally Identifiable Information (PII) section:

(1) Non-personally identifiable information: When visitors come to the Web site, we collect and aggregate information indicating, among other things, which pages were visited, the order in which they were visited, and which hyperlinks were “clicked.” Collecting such information involves the logging of IP addresses, operating system and browser software used by each visitor to the Web site. Although such information is not personally identifiable, we can determine from the IP address a visitor’s Internet Service Provider and the geographic location of his or her point of connectivity.

That last bit, about the IP address providing limited information about users is technically correct; for example, you can bop over to whatsmyip.org to see the kinds of information a website can glean about you.  In my case, they know I use Bend Broadband as my Internet Service Provider(ISP), and that I live in Bend Oregon, but that’s about it.

But as benign and non-personal sounding as that may be, IP addresses are a critical piece of information if you want to know who someone on the Internet might be.  They provide the critical link to your ISP, and it’s your ISP who has a pretty good idea of who you are.  For example, Bend Broadband knows that the IP address, “67.204.147.234″, is currently assigned to my families billing account, and that account has my name, phone number, street address (and probably my favorite childhood pet).

Sooo… does that mean IPs are personal information then?  Well, that is very much up for debate.  American courts don’t consider them personal, but European courts do.  The reason they’re treated as non-personal here is that they can’t be used to reliably identify an actual person.  E.g. An IP may be assigned to the account of a coffee shop owner who provides his customers with free wi-fi access, all of whom share that IP address.  It’s neither feasible nor fair to hold the owner responsible for the actions of every person who uses her network – customers, the person at the bus stop outside with an iPhone, or the neighbor across the street – hence, they are not legally valid as personal identifiers.

But they can be pretty darn incriminating, as is the case where the Sawyers lawsuit is concerned.  At least one of the IP addresses in question led not to a coffee shop, but to a family that is suing the Sawyers:

Attached to the letter are nearly two dozen pages of account activity from an IP address belonging to a Middleton family member, as well as dozens of anonymous posts that mention the Sawyers and their business dealings.

Does this IP connection to the Middleton family incriminate them indisputably?  No, not necessarily.  There are scenarios where those posts may have come from someone unrelated to them, but they quickly go beyond any reasonable notion of plausibility.  And this connection is apparently good enough that the Sawyers felt comfortable in using it as justification for a lawsuit.  Thus, the legal definition of IPs as non-personal is probably of little consolation to the Middletons, who I’m guessing feel IP addresses are pretty darn personal right about now.

And if I were KTVZ, I’d be a little nervous about how pissed off the Middletons are likely to be about this.  Especially if KTVZ’s justification for turning over this “non-personal” information is less than solid.

But the big question I have, the one that is neither asked nor even hinted at in the Bulletin article, is this:

Which ISP were the Middletons using, and how did the Sawyers convince that ISP to cough up the Middleton’s billing information?

Because when it comes to protecting your privacy, it is the ISPs who should be held responsible.  They are the ones who know who you are, and the information they have access to goes well beyond simple billing information.  They know, or at least have the ability to know, what websites you visit, when you visited them, and much more.  Fortunately, they have privacy policies that describe what their responsibilities are (and aren’t).  But if you haven’t read your ISPs policy lately, you might want to do take a look; you may be surprised at what you find.

It’s not KTVZ that should be under the microscope here, it’s the Middleton’s ISP.