In the wake of the temporary suspension of journalist Guy Adams from Twitter, many observers have questioned whether Mr Adams breached Twitter's rules by Tweeting the corporate e-mail address of NBC Olympics executive Gary Zenkel.
The relevant part of the Twitter Rules state that “you may not publish or post other people’s private and confidential information”.
A support article providing further information on this Rule states that it covers “non-public, personal email addresses”.
The same document goes on to state that “If information was previously posted or displayed elsewhere on the Internet prior to being put on Twitter, it is not a violation of this policy.”
Although I agree with the apparently widespread view that Mr Adams cannot have breached this policy given the way that it is worded, the chief purpose of this article is to question the equally widespread assumptions that:
- a corporate e-mail address is self-evidently not a “non-public, personal e-mail address”; and
- information already available online should always be considered “fair game”
Is Gary Zenkel’s e-mail address a “personal email address”?
In my view Twitter can make a strong case that this is a “personal” address, despite being a work account. From a data protection perspective, a work email address containing an individual’s name can constitute their “personal data” not withstanding that it relates to them as an individual in their professional capacity. The term “personal email address” is also reflected in guidance published by the UK’s data protection watchdog (the ICO) on e-mail marketing rules, which describes individuals’ corporate e-mail addresses as “personal corporate email addresses”.
Is Gary Zenkel’s e-mail address “non-public”?
Adams noted that Zenkel’s address was already locatable via a Google search prior to his Tweet, having been previously published on an unrelated campaign’s website.
I’d be willing to make the case that an e-mail address having been published somewhere on the Internet without the consent of the individual/organisation in question does not necessarily mean that it is a “public” address. I’d also argue that the address following a predictable pattern (first name/last name/ domain) does not necessarily make it a public address.
I would argue that in assessing whether an e-mail address is public, it is more relevant to look at whether or not the organisation or individual has chosen to place it in the public domain (for example by publishing it on their website) and whether or not the individual has a public facing role.
In this case, Mr Zenkel’s high profile public facing role is arguably enough to make the e-mail address public: in the sense that Mr Zenkel can have no reasonable expectation of privacy. However, for lower ranking employees of organisations without public facing roles, I can see a stronger argument that their addresses could be non-public, even if they could be guessed by virtue of a common address pattern or happened to be posted online by a disgruntled third party.
Does it matter, given the information has been posted online?
Twitter has rendered all of the above arguments academic with its blanket statement that information already published or displayed elsewhere on the Internet does not breach its private information rules. On this basis it is clear that the Tweet in question did not breach Twitter’s rules, as the e-mail address had already been published online. Although many would argue that this rule produces the right outcome in this case, it strikes me as worryingly broad in its implications.
What about cases where an individual’s phone or e-mail address is hacked and private photos are posted online? Or cases where a password and e-mail database from a website is hacked and leaked onto the web? Twitter’s rules imply that such information ceases to be private when posted online and becomes fair game for subsequent Tweets, even if the individual concerned has not consented to their information being published. Indeed, this rule seems broad enough that there would be nothing to prevent an individual from leaking private information onto the internet and then Tweeting it round with impunity.
- Some work e-mail addresses might be fairly described as “non-public, personal email addresses”, although Gary Zenkel’s address is probably not one of them; and
- Twitter should really consider revising its Privacy Rules to state that information previously published online only becomes fair game if it was published with the consent or knowledge of the individual concerned.