The most interesting things about the DoJ’s Twitter subpoena aren’t about Twitter
One of the more interesting things about the subpoena served on Twitter by the US Department of Justice, demanding information about the accounts of various people connected to WikiLeaks (which Twitter commendably fought to have unsealed, so they could warn the users and give them a chance to challenge it before handing over any data) is that significant parts of it don’t seem to apply to Twitter at all.
It’s always possible that the DoJ’s subpoena is just incompetently written, or that the DoJ has little understanding of how Twitter works (it certainly seems sloppily put together; Dutch hacker Rop Gonggrijp’s name is spelled wrong; the request specifies a combination of real names and Twitter usernames for no apparent reason; Gonggrijp and Icelandic MP Birgitta Jónsdóttir are both named twice, under their real names and usernames). But it also raises the possibility that it’s a boilerplate request, giving some credence to the widely-floated theory that Twitter isn’t the only recipient of such a subpoena.
The first section asks for, among other account information:
6. means and source of payment for such service (including any credit card or bank account number) and billing records
Twitter, of course, is a free service, so it makes no sense for the DoJ to ask for this non-existent information. Google & Facebook, who WikiLeaks have publicly suggested may have also been subpoena’d, also don’t charge for their basic services (Google of course do offer paid-for Apps for Business accounts) – does this suggest that other sites and services, which do offer paid-for individual accounts, have been targeted?
The second section then asks for:
1. records of user activity for any connections made to or from the Account, including the date, time, length and method of connections, data transfer volume, user name and source and destination Internet Protocol address(es)
2. non-content information associated with the contents of any communication or file stored by or for the account(s), such as the source and destination email addresses and IP addresses
Some people seem to be interpreting “any connections made to or from the Account” as a demand for information on people who follow the Twitter account, but I’m not sure that’s correct – surely that would have been more clearly specified if that was the case? (And would a court have allowed such a wide-ranging request?) And other parts of this section, once again, don’t seem to apply to Twitter at all – “data transfer volume”, “file stored by or for the account”. These make a lot more sense if they’re actually talking about online file storage and sharing – services like Dropbox, YouSendIt, and so on. (And “destination email addresses” suggests email providers are also likely on the DoJ’s radar.)
As far as I can tell, in Twitter’s case the only non-public information that the DoJ could get from this request would be IP addresses, phone numbers and a record of who users sent direct messages to (from my non-expert reading, this wouldn’t give them the actual content of the DMs – it’s “non-content information” they want). Potentially useful for investigators, certainly, but not exactly smoking gun stuff. Given that the case revolves quite heavily around the transfer of files – something Twitter doesn’t do at all – we should probably be asking email and cloud storage companies what their policies are on complying with legal demands for user data.