TorrentSpy Case Shows Privacy Policies and Practices Protect Companies, Too: ">A recent court ruling regarding the server logs of a torrent search engine makes it clear that privacy policies and privacy practices protect users and companies alike, a lesson that Google should have learned in its case against the government but has not.

TorrentSpy, a BitTorrent search and tracker hosting site, is being sued (.pdf) by Hollywood moviie studios for allegedly enabling and encouraging people to illegally trade copyrighted material.' Hollywood's lawyers wants the company to turn over its server logs as part of the discovery process, but the site says it doesn't keep logs.'

However the presiding federal district court judge ordered the company to begin saving their logs since the company's servers 'save' the logs in RAM memory for about 6 hours before the info is tossed or overwritten. Essentially the magistrate judge Jacqueline Chooljian of California's Central District is ordering the company'to hold onto information it normally decided to toss as part of its privacy policy promises to its users. The ruling is the first to say that temporary server logs count as electronic evidence under new court rules about electronic data that went into effect in 2006.

The site does not however have to log IP addresses and turn them over to the studios, which would have almost certainly'used them to launch a flotilla of lawsuits against downloaders, as the recording industry has done.

Server Log Data in this case is transmitted through and temporarily stored in RAM while the requests of defendants' website users for dot-torrent files are processed.[...] To the extent defendants' privacy policy may prohibit the disclosure of IP addresses, compliance with this order does not violate such policy because IP addresses are to be masked.

The court largely dismissed concerns that the logging would impact TorrentSpy's business due to its customers fear of being spied on:

The court recognizes that the preservation and production of the Server Log Data may negatively impact the way in which defendants' website is perceived by users and advertisers and result in a loss of business and good will. Notably, these concerns did not prevent the court in Gonzales vs. Google'from ordering a third party to disclose certain data to the United States Government.

Judge Choolijian is plainly misreading the Google decision (.pdf), which allowed the government to get a small portion of Google's index of web sites'but threw out the government's request for two months of search terms, EXACTLY because users might freak out about it.' The court decided to quash that part of the subpoena despite finding that Google's privacy policy didn't explicitly tell users that their search queries were protected.' In fact, if Google had had a stronger privacy policy and better privacy practices, the decision would have been even stronger:

Google's own privacy statement indicates that Google users could not reasonably expect Google to guard the query log from disclosure to the Government. Google's privacy statement states only that Google will protect 'personal information' of users. […] Neither Google's URLs nor the text of search strings with 'personal information' redacted, are reasonably 'personal information' under Google's stated policy.

'However, even if an expectation by Google users that Google would prevent disclosure to the Government of its users' search queries is not entirely reasonable, the statistic cite by Dr. Stark that over a quarter of all Internet searches are for pornography, indicates that at least some of Google's users expect some sort of privacy in their searches. […] Such an expectation does not rise to the level of an absolute privilege, but does indicate that there is a potential burden as to Google's loss of goodwill if Google is forced to disclose search queries to the Government.'

Now TorrentSpy is working on how to log data in the future to comply with the court order, since they were smart enough not to keep logs from the past.'The best thing they can do is to create logging software that writes logs of what people are requesting directly to disk without ever moving the IP address to disk.' Otherwise, Hollywood is going to either try to find a way to force the company to turn over IP addresses of downloaders OR if they see a file that potentially contains child pornography, they'll turn that info over to the government for prosecution.

A strong privacy policy won't keep a judge from ordering a company to log data, but it is'a strong deterrent to such an order since one can argue it will destroy your user's trust.' TorrentSpy included language which said that the privacy policy could change at any time.' A policy that included categorical language such as we will never turn IP address information over to anyone would have held up way better in court.

But most importantly, TorrentSpy's practice of not keeping server logs is the best protection they could have given their users.'

Google could easily do something similar.' For instance on the user sign-up page, instead of opting user's in to a Web tracking system, they could offer a range of options -- from 'Keep my data for 18 months' to 'Clean out my data weekly. I'm not interested in personalization.'' It's technically very simple for Google to implement via a series of scheduled comparisons of user preferences against logs, but they seem wholly uninterested in being a privacy leader.' For evidence of that, one need to look no farther than its unwillingness to tell the public how often it is subpoenaed and the fact that the company has no chief privacy officer.

(Read Original Article - Via Threat Level.)