The FBI Could Be Watching You on Facebook
At the dawn of the Internet, people used coded user names and cartoon avatars to represent themselves online. Today, most users post their real names and literally upload all their personal data and make it publicly available -- photos, videos, notes, even random thoughts now called "status updates."
No doubt about it, Internet 2.0 is a freer, more open place -- a place where people feel quite at ease as they share their lives on the Web with their entire social networks: best friends, family, people they hardly know, and even folks they've never even met.
Social-networking sites have driven this seemingly insatiable need to share, share, and share some more. But because it's all done online and not "in real life" (or IRL, in Web-speak), there remains a sense of anonymity even as we interact on the Internet, a very public place open to anyone with a computer.
But as social-networking grows (Facebook overtook Google in U.S. traffic for the first time ever last week) so do the ways law enforcement agencies use the information we voluntarily share with the online world.
Hardly any popular culture observer can forget the now-defunct but forever-notorious NBC show "To Catch a Predator," which featured law enforcement agents posing as children in order to catch online pedophiles. Policing chat-rooms and message boards catering to pedophiles hardly ruffled anyone's feathers (though broadcasting their misery on network television certainly did), but what if all the sites you used every day were being closely observed by law enforcement agencies? What if people who weren't suspected of any illegal activity were being watched?
Internal documents released this week by the FBI, Dept. of Justice and the IRS -- all as a result of a Freedom of Information Act (FOIA) suit brought by the Electronic Frontier Foundation (EFF) -- show that they are among the likely many law enforcement agencies that have taken to using the personal data people freely share on social-networking sites to monitor location, investigate social circles and otherwise gather intelligence on individuals of interest. (The Dept. of Defense, CIA, Dept. of Homeland Security, Dept. of Treasury -- which includes the IRS -- and the Director of National Intelligence have not yet responded to EFF's FOIA.)
Investigators at these federal agencies even create false personas online in order to deceive social-networking users into consenting to share personal data online -- a convenient way of circumventing legal process that would ordinarily have to involve proven probable cause and a warrant.
As law enforcement agents increasingly find reasons to use social-networking sites, questions regarding crime-fighting and privacy arise. The bad news is there are no real good answers regarding what users' rights really are, what social-networking companies are required to do (and not to do), and what regulations ought to govern the use of these sites in investigative law enforcement work given that there isn't really a legal system designed to supervise social-networking sites. It's a real legal gray area.
According to Mike German, policy counsel on national security, immigration and privacy at the ACLU, while you might expect the Electronic Communications Privacy Act (ECPA) to outline these issues, the law does not cover many of the services social-networking sites offer and the resulting data they store. A lot of this has to do with the fact that ECPA was written in 1986. It's been amended since then -- especially to accommodate the PATRIOT Act -- but it doesn't include references to a lot of the data people now upload onto social-networking sites, like videos, photos, public chats or "walls," and the like. (One social-networking service that is covered by ECPA is direct-messaging or personal messages, which under the law function a lot like e-mail.)
So while you would expect that the same laws that govern, say, another mode of conversation like your cell phone would apply to your use of Twitter or LinkedIn, the truth is they don't. And although most of these sites' terms of service (TOS) say that users must represent themselves accurately, or that your information is for-your-eyes-only, law enforcement agents work their way around this.
After all, says Nate Cardozo, an attorney at EFF, the TOS "don’t protect you. They protect Facebook or MySpace or whatever. It’s a violation of Facebook’s terms of service to do what the FBI is doing" -- deceiving users into sharing information with them by pretending to be someone else -- "but you as a user have no enforceable rights. There’s no indication that Facebook would go after the FBI for doing this. You’re not protected by the terms of service; the terms of service only protects the site."
If an FBI or IRS agent manages to trick you into sharing your profile and other personal data, it's legally viewed as consent on your part, says Cardozo. No warrant needed.
An internal PowerPoint presentation prepared by the Dept. of Justice, titled "Obtaining and Using Evidence from Social Networking Sites" further shows that major social-networking sites have ways of working with law enforcement agencies, allowing them to circumvent legal process (read: warrants) in other ways.
According to the presentation, Facebook is "often cooperative with emergency requests." What this means is that if a law enforcement agency sends Facebook a request for information and claims the data is needed urgently, the company may very well provide what the agency asks for, despite there being no legal proof of probable cause.
This especially concerns Mike German, the ACLU policy counsel, given certain agencies' track record in using emergency disclosure loopholes. "For example, the Attorney General's disclosures of FBI audits regarding the PATRIOT Act shows that the FBI has falsely claimed emergencies through letters to obtain information from telecommunications companies that are covered by ECPA," he said. "With that historical loophole abuse in mind, I'm worried by how the FBI is using emergency disclosure requests placed to social-networking sites."
The ECPA law states that complying with emergency information requests from law enforcement is voluntary. But because social-networking sites aren't covered by the law, there is no transparency on how government and these companies cooperate, German says. Agencies could be using the murky legal structure to simply monitor and obtain data on people who are not suspected of any crime -- as they have done in the past, he says. In other words: a real slippery slope in terms of privacy.
Besides Facebook, the Dept. of Justice presentation noted that MySpace required warrants for all information over six months old while the "bad news" is that Twitter required official warrants for just about any request. (The "good news" is that most data on Twitter is public anyway, the presentation adds.)
Additionally disturbing to German is the fact that the presentation lists social-networking sites as a way to investigate defense witnesses. "Normally, undercover operations are typically covered by undercover guidelines -- a fairly rigorous process," he says. "But it's unclear when it’s online undercover activity. Particularly when they’re not actually investigating the crime but investigating witnesses to the crime. There's an intimidation factor there that seems a bit worrisome."
Cardozo, of the EFF, a non-profit digital rights advocacy group, says his organization sued these agencies in order to "make it clear to the public that law enforcement engages in these activities." He adds: "We were comforted to see that there were guidelines of some kind but shocked to see how pervasive these practices are."
And as German notes, with the exponential growth of social media, "it’s past time to clear up what our privacy rights are. The opportunity for abuse [by law enforcement] is great."
According to German, there is a movement brewing for ECPA reform, but there is also a need for greater transparency from the social-networking service providers -- and the government -- in how law enforcement requests are handled. And Cardozo says the EFF is pushing for law enforcement to maintain some sort of legal process.
But because oversight of these agencies requires monumental change, perhaps the most important thing to do in the short-term is be aware. "Most of what you put online is a lot more traceable to you than you think it is," says Cardozo.
Given that loopholes are very likely being used to collect information on even law-abiding citizens, everyone should give further consideration to the information they choose to share online. As IRL, on the Web, law enforcement abuse is real.
Resources: Electronic Frontier Foundation's social-networking FOIA case; ACLU's dotRIGHTS campaign's social-networking tips and take action center