Mandatory Legal Process (ACTION-57, ISSUE-28)

Hi all,

Apologies for my lateness in responding to this issue - I am not on
the DNT list.

A few days ago, Amy Colando from Microsoft wrote the following to this list:

"As a very realistic example, not only are entities required to comply
with potentially differing breach notification laws, but in some cases
are subject to legal subpoenas (as for example in cases of child
pornography investigations) where disclosure to the subject is
expressly prohibited by the terms of the subpoena."

I know that several people involved in this W3C effort are not lawyers
(even though there appear to be quite a few involved), so I just want
to clarify the state of US law for those who might not be experts in
ECPA.

A subpoena cannot prohibit disclosure by the ISP to the user whose
data has been requested. If the government wishes to use a subpoena to
get user data and doesn't want the user to be told, they can seek an
order under 18 USC 2705 (b), but then, an independent judge will have
to issue this order (as compared to a subpoena, which often is not
issued by a judge).

With regard to legal process and DNT, I would like to see a situation
in which recipients of the DNT header are obligated to inform users
that they will not respect the DNT header due to some form of legal
process, unless they are also prohibited from telling the user due to
a court order of some kind.

The reason I propose this is that just because companies are
_permitted_ to tell users when they receive a subpoena for their data,
they are under no obligation under US law to do so. Some companies,
like Twitter, choose to tell users. Many other firms, which, I
suspect, include Microsoft, as a matter of policy, do not tell users
about such requests.

Thanks,

Chris

Received on Tuesday, 31 January 2012 17:46:37 UTC