• by Wendy Davis , Staff Writer @wendyndavis, March 28, 2011

If every U.S. Web user read the privacy policy at every site visited, the amount of time spent reading privacy policies would total 44.3 billion hours per year, researchers at Carnegie Mellon University reported in 2008.

For all that time, Web users still wouldn't necessarily be left with any better understanding of their privacy protections, because many policies are so filled with loopholes that they don't convey all that much useful information, according to a 2009 report out of UC Berkeley School of Information.

Given that so many people are pressed for time, and that reading privacy policies often is a wasted effort, it really shouldn't surprise anyone that many Web users don't attempt to wade through the legalese. Yet some judges continue to issue rulings premised on the fiction that Web users read -- and implicitly agree to -- sites' privacy policies.

Last December, a federal judge ruled that an Internet service provider gave subscribers sufficient notice about NebuAd and the deployment of deep packet inspection technology -- which monitored users' Web surfing in order to serve targeted ads -- because the ISP disclosed the technology in a privacy policy. (In that case, the court dismissed claims relating to wiretap laws, but allowed computer fraud claims to proceed to trial.)

And two weeks ago, in a higher-profile case dealing with the government's attempt to discover information about Twitter users associated with Wikileaks, a different federal judge ruled that Twitter users have no reasonable expectation of privacy in their IP addresses because the site's privacy policy says it logs such addresses. When Twitter users create an account, they must check a box stating that they agree to the company's terms of service and its privacy policy.

In her ruling, U.S. District Court Judge Theresa Buchanan, in the Eastern District of Virginia, rejected a request by Twitter users, including Icelandic Parliament member Birgitta Jonsdottir, to vacate the government's order directing Twitter to turn over IP addresses and other information associated with their accounts. "Because petitioners voluntarily conveyed their IP addresses to Twitter as a condition of use, they have no legitimate Fourth Amendment privacy interest," Buchanan ruled.

Jonsdottir (and other Twitter users) appealed that ruling. Today, a coalition of Internet privacy experts led by former FTC staffer Chris Soghoian filed a friend-of-the-court brief arguing that the terms of a privacy policy shouldn't determine whether Web users are able to prevent the government from learning their IP addresses.

"Most consumers do not read privacy policies, and often would not understand them if they did. In fact, the mere presence of a privacy policy is often misunderstood by consumers to mean their privacy is protected," Soghoian writes. "While 'clickwrap' consent to a privacy policy may create a contract, it makes little sense to allow obscure boilerplate agreements to determine the existence of a reasonable expectation of privacy under the Fourth Amendment."